How to Connect Microsoft Entra ID (Azure AD) with CloudZero
CloudZero supports single sign-on (SSO) for Microsoft Entra ID (formerly Azure Active Directory). This lets Entra ID users log in to CloudZero seamlessly, without entering a separate CloudZero username and password.
Set Up a New SSO Integration with Entra ID
To set up a new SSO integration for CloudZero using Microsoft Entra ID, complete the following steps:
- Retrieve your Entra ID primary domain from Azure.
- Create a new app registration in Azure.
- Create a client secret for the application.
- Assign API permissions to the application.
- Configure the SSO integration in CloudZero.
As part of these steps, you will gather the following information from Azure:
- Primary domain
- Application (client) ID
- Secret value
- Secret expiration date
Step 1: Retrieve Primary Domain From Azure
- Log in to the Azure Portal and navigate to Entra ID.
- Copy the Primary domain from your Entra ID overview for use in a later step.
Step 2: Create Azure App Registration
- In the Azure Portal, navigate to App Registrations.
- Select New registration.
- Enter a name in the Name field, such as CloudZero.
- In the Supported account types section, select Accounts in this organizational directory only (Single tenant).
- In the Redirect URI section, select Web from the drop-down menu and enter the following URI: https://auth.cloudzero.com/login/callback
- Select Register. Azure creates the app registration.
- On the Overview page for the app you created, copy the Application (client) ID for use in a later step.
Step 3: Create Client Secret
- In the Azure Portal, on the Overview page for the app registration you created, select Manage > Certificates & secrets.
- Select New client secret.
- Enter a description for the client secret.
- Select an expiration date.
- Select Add.
- Copy the secret's Value (not the secret's ID). Note that the value cannot be displayed again after you leave the page. You will need this value for a later step.
- Note the secret's expiration date for use in a later step.
Step 4: Assign App Permissions
- In the Azure Portal, on the Overview page for the app registration, select Manage > API permissions.
- Select Add a permission.
- Select Microsoft Graph.
- Select Delegated permissions.
- In the Select permissions search field, search for and select the following permissions:
  - Directory.Read.All
  - User.Read
- Select Add permissions.
Step 5: Configure the Entra ID SSO Integration in CloudZero
- Log in to CloudZero and navigate to Settings > SSO Integration.
- In the Select Your Identity Provider section, select Azure Active Directory from the Identity Provider Type drop-down menu.
- In the Enter your Azure information section, enter the Email Domain. Users with an email address from this domain will be forwarded to your Microsoft Entra ID integration to log in to CloudZero.
- Paste the primary domain you copied in Step 1 into the Tenant URL field. Note that this is the domain name only (such as example.com). Do not add https://www. to it.
- Paste the application (client) ID you copied in Step 2 into the Client ID field.
- Paste the secret value you copied in Step 3 into the Client Secret field.
- Enter the expiration date for the secret from Step 3 into the Secret Expiration Date field, using the format YYYY-mm-dd.
- Select Save.
- Select the Open SSO Test Window button to open a new browser tab, log in to your IdP, and confirm a successful round trip with CloudZero. A successful round trip redirects you to https://jwt.io/ with a valid token. After you see a decoded token, you can close this browser tab.
- When the test is successful, CloudZero's SSO Integration page automatically displays the message Testing Complete. If this does not happen within one minute, refresh the page.
- Check the Enable log-ins with my SSO box. This immediately switches the specified email domain over to the configured SSO. If you need to roll back this configuration, contact your CloudZero support representative.
- Copy the Bookmark URL at the bottom of the page.
- Manually create a bookmark in your browser of choice using the Bookmark URL. When you select the bookmark in your browser, you will seamlessly log in to CloudZero.
- Share the Bookmark URL with other users in your CloudZero organization so they can create their own browser bookmarks to log in to CloudZero.