SSO with Microsoft Entra ID (Azure AD)

How to Set Up SSO with Microsoft Entra ID (Azure AD)

CloudZero supports single sign-on (SSO) with Microsoft Entra ID (formerly Azure Active Directory). This lets Entra ID users log in to CloudZero seamlessly, without entering a separate CloudZero username and password.

To set up a new SSO integration for CloudZero using Microsoft Entra ID, complete the following steps:

  1. Retrieve your Entra ID primary domain from Azure.
  2. Create a new app registration in Azure.
  3. Create a client secret for the application.
  4. Assign API permissions to the application.
  5. Configure the SSO integration in CloudZero.

As part of these steps, you will gather the following information from Azure:

  • Primary domain
  • Application (client) ID
  • Secret value
  • Secret expiration date

Step 1: Retrieve Primary Domain From Azure

  1. Log in to the Azure Portal and navigate to Entra ID.

  2. Copy the Primary domain from your Entra ID overview for use in a later step.

    Copy your tenant's Primary Domain from Entra ID

Step 2: Create Azure App Registration

  1. In the Azure Portal, navigate to App Registrations.

  2. Select New registration.

  3. Enter a name in the Name field, such as CloudZero.

  4. In the Supported account types section, select Accounts in this organizational directory only (Single tenant).

  5. In the Redirect URI section, select Web from the drop-down menu and enter the following URI: https://auth.cloudzero.com/login/callback

  6. Select Register. Azure creates the app registration.

    Create the app registration in Azure

  7. On the Overview page for the app you created, copy the Application (client) ID for use in a later step.

    Copy the application (client) ID in Azure

Step 3: Create Client Secret

  1. In the Azure Portal, on the Overview page for the app registration you created, select Manage > Certificates & secrets.

  2. Select New client secret.

  3. Enter a description for the client secret.

  4. Select an expiration date.

  5. Select Add.

  6. Copy the secret's Value (not the secret's ID). Note that the value cannot be displayed again after you leave the page. You will need this value for a later step.

    Copy the secret value in Azure

  7. Note the secret's expiration date for use in a later step.

Step 4: Assign App Permissions

  1. In the Azure Portal, on the Overview page for the app registration, select Manage > API permissions.

  2. Select Add a permission.

  3. Select Microsoft Graph.

  4. Select Delegated permissions.

  5. In the Select permissions search field, search for and select the following permissions:

    • Directory.Read.All
    • User.Read

  6. Select Add permissions.

    Add Directory.Read.All and User.Read permissions to the application

Step 5: Configure the Entra ID SSO Integration in CloudZero

  1. Log in to CloudZero and navigate to Settings > SSO Integrations.

  2. Select the Create New Integration button:

    Select the Create New Integration button from the SSO Integrations page

  3. On the Select Your Identity Provider page, select Azure Active Directory:

    Select Azure Active Directory to set up an SSO integration in CloudZero

  4. CloudZero displays the Connect Azure Active Directory to CloudZero form:

    The Connect Azure Active Directory to CloudZero form

  5. The IdP Callback URL field displays the callback URL. Because you entered this URL into your Microsoft Entra ID application's Redirect URI field in a previous step, you can proceed to the next field.

  6. Enter the Email Domain. Users with an email address from this domain will be forwarded to your Microsoft Entra ID integration to log in to CloudZero.

  7. Paste the primary domain you copied in Step 1 into the Tenant URL field. Note that this is the domain name only (such as example.com). Do not add https://www. to it.

  8. Paste the application (client) ID you copied in Step 2 into the Client ID field.

  9. Paste the secret value you copied in Step 3 into the Client Secret field.

  10. Enter the expiration date for the secret from Step 3 into the Secret Expiration Date field, using the format YYYY-mm-dd.

  11. Select Create Integration. CloudZero creates the SSO integration and reloads the page to display the integration details.

    Your new Entra ID integration's details page

  12. Select the Open Test Window button to open a new browser tab and test the integration by logging in to your IdP:

    Select the Open Test Window button to test your SSO integration

  13. In the new tab, authorize CloudZero's request to connect to your account.

  14. When the test is successful, the tab closes, and the integration details page in CloudZero displays a modal with the message Connection test successful! Select Close to close the modal.

  15. In the SSO Connection Status and Controls section, check the Enable log-ins with my SSO box.

  16. Optionally, check the Enable SSO for Groups box to allow your IdP to manage your groups. See Manage Groups with SSO for more information.

    Check the necessary boxes before activating your SSO integration

  17. Select Enable.

    ⚠️ WARNING: Selecting Enable will immediately activate the SSO integration. If you need to disable this integration, contact your CloudZero support representative.

  18. Scroll back up to the General Configuration section and copy the Bookmark URL. It will follow this format: https://app.cloudzero.com?connection=<your-connection-name>

    Copy the Bookmark URL from the CloudZero UI

  19. Manually create a bookmark in your browser of choice using the Bookmark URL you copied. When you select the bookmark in your browser, you will seamlessly log in to CloudZero.

  20. Share the Bookmark URL with other users in your CloudZero organization so they can create their own browser bookmarks to log in to CloudZero.
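The values gathered in Steps 1 through 4 are pasted into the form in Step 5 by hand, and the two mistakes the page calls out (copying the secret's ID instead of its Value, and prefixing the primary domain with https://www.) are easy to make and only surface when the connection test fails. The following Python script is an added example, not CloudZero's or Microsoft's code; it runs those checks locally before you submit the form and also flags a client secret that is expired or close to expiring. The EntraIntegrationInputs class, the check_inputs function, the ROTATION_WARNING_DAYS window and all sample values are assumptions constructed for this example.

```python
"""Pre-flight checks for the Entra ID SSO values before pasting them into CloudZero.

Added example (not CloudZero or Microsoft code). The class/function names and the
30-day rotation window are assumptions made for this example.
"""
import re
import uuid
from dataclasses import dataclass
from datetime import date, datetime

# Callback URI the page says to register as the Redirect URI in Azure (Step 2).
CLOUDZERO_CALLBACK_URI = "https://auth.cloudzero.com/login/callback"
# Assumption: warn when the secret expires within this many days.
ROTATION_WARNING_DAYS = 30

# Bare DNS name: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


@dataclass
class EntraIntegrationInputs:
    tenant_domain: str      # Step 1: primary domain, e.g. example.com
    client_id: str          # Step 2: Application (client) ID
    client_secret: str      # Step 3: the secret's Value (not its ID)
    secret_expiration: str  # Step 3: expiry in YYYY-mm-dd form
    redirect_uri: str       # Step 2: Redirect URI registered on the app


def _looks_like_guid(value):
    """True if the string parses as a GUID (client IDs and secret IDs both do)."""
    try:
        uuid.UUID(value.strip())
        return True
    except ValueError:
        return False


def check_inputs(inputs, today=None):
    """Return a list of problems; an empty list means the values are ready to paste."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    problems = []

    # Step 5.7: Tenant URL is the bare primary domain, no scheme, no www., no path.
    domain = inputs.tenant_domain.strip().lower()
    if domain.startswith(("http://", "https://", "www.")) or "/" in domain:
        problems.append("tenant_domain: use the bare domain (example.com), no scheme, www. or path")
    elif not _DOMAIN_RE.match(domain):
        problems.append(f"tenant_domain: {domain!r} is not a valid domain name")

    # Step 5.8: the Application (client) ID is a GUID.
    if not _looks_like_guid(inputs.client_id):
        problems.append("client_id: must be the Application (client) ID GUID from the app Overview page")

    # Step 3.6: CloudZero needs the secret's Value. The secret's ID is also a GUID,
    # so a GUID here almost certainly means the wrong column was copied.
    if _looks_like_guid(inputs.client_secret):
        problems.append("client_secret: this looks like the secret ID, not the secret Value")
    elif not inputs.client_secret.strip():
        problems.append("client_secret: empty; the Value is shown only once, create a new secret if it was lost")

    # Step 5.10: expiration must be YYYY-mm-dd and still in the future.
    try:
        expiry = datetime.strptime(inputs.secret_expiration.strip(), "%Y-%m-%d").date()
    except ValueError:
        problems.append(f"secret_expiration: {inputs.secret_expiration!r} is not in YYYY-mm-dd format")
    else:
        days_left = (expiry - today).days
        if days_left < 0:
            problems.append(f"secret_expiration: secret expired {-days_left} days ago; create a new one")
        elif days_left <= ROTATION_WARNING_DAYS:
            problems.append(f"secret_expiration: only {days_left} days left; plan rotation now")

    # Step 2.5: the Redirect URI in Azure must match CloudZero's callback exactly.
    if inputs.redirect_uri.strip() != CLOUDZERO_CALLBACK_URI:
        problems.append(f"redirect_uri: must be exactly {CLOUDZERO_CALLBACK_URI}")

    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with the ones copied from Azure.
    sample = EntraIntegrationInputs(
        tenant_domain="https://www.example.com",
        client_id="11111111-2222-3333-4444-555555555555",
        client_secret="22222222-3333-4444-5555-666666666666",
        secret_expiration="2025-12-31",
        redirect_uri=CLOUDZERO_CALLBACK_URI,
    )
    for problem in check_inputs(sample) or ["all checks passed"]:
        print(problem)
```

An expired client secret stops the token exchange behind the integration, and Step 3 notes that the secret's Value cannot be retrieved later, so treating the rotation warning as a prompt to create a new secret (Step 3 again) before the old one lapses avoids an outage for everyone who signs in through the bookmark.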