SSO with Microsoft Entra ID (Azure AD)

CloudZero supports single sign-on (SSO) with Microsoft Entra ID (formerly Azure Active Directory) as your identity provider (IdP). This enables Entra ID users to log in to CloudZero without needing to enter a CloudZero username and password.

What you need

  • Administrator access to your Microsoft Entra ID tenant
  • Permission to manage SSO integrations in CloudZero

Overview

To configure the SSO integration in CloudZero (Step 5), you need the following values from Azure:

  • Your Entra ID primary domain
  • An Application (client) ID from an app registration
  • A client secret value and expiration date
  • API permissions (Directory.Read.All and User.Read) assigned to the app registration

If you already have an Entra ID app registration configured for CloudZero with these values, skip to Step 5.

Otherwise, follow these steps to create one:

  1. Retrieve your Entra ID primary domain from Azure
  2. Create a new app registration in Azure
  3. Create a client secret for the application
  4. Assign API permissions to the application
  5. Configure the Entra ID SSO integration in CloudZero

Step 1: Retrieve your Entra ID primary domain from Azure

  1. Log in to the Azure Portal and navigate to Entra ID.

  2. Copy the Primary domain from your Entra ID overview. You will use this in Step 5.

    Copy your tenant's Primary Domain from Entra ID

Step 2: Create a new app registration in Azure

Create an app registration for CloudZero in your Entra ID tenant. CloudZero uses this registration to authenticate your users. For general guidance, see Microsoft's app registration documentation.

  1. In the Azure Portal, navigate to App Registrations.

  2. Select New registration.

  3. Enter a name in the Name field, such as CloudZero.

  4. In the Supported account types section, select Accounts in this organizational directory only (Single tenant). CloudZero requires a single-tenant app registration.

  5. In the Redirect URI section, select Web and enter: https://auth.cloudzero.com/login/callback

  6. Select Register. Azure creates the app registration.

    Create the app registration in Azure

  7. On the Overview page for the app you created, copy the Application (client) ID. You will use this in Step 5.

    Copy the application (client) ID in Azure

Step 3: Create a client secret for the application

CloudZero uses a client secret to authenticate with your Entra ID tenant. For details, see Microsoft's app registration documentation.

  1. In the Azure Portal, on the Overview page for the app registration you created, select Manage > Certificates & secrets.

  2. Select New client secret.

  3. Enter a description for the client secret.

  4. Select an expiration date.

  5. Select Add.

  6. Copy the secret's Value (not the secret's ID). The value cannot be displayed again after you leave the page.

    Copy the secret value in Azure

  7. Record the secret's expiration date.

Step 4: Assign API permissions to the application

Grant the application permission to read user and directory information from your tenant. CloudZero needs these permissions to authenticate users and look up their profiles. For details, see Microsoft's API permissions documentation.

  1. In the Azure Portal, on the Overview page for the app registration, select Manage > API permissions.

  2. Select Add a permission.

  3. Select Microsoft Graph.

  4. Select Delegated permissions.

  5. In the Select permissions search field, search for and select the following permissions:

    • Directory.Read.All
    • User.Read
  6. Select Add permissions.

    Add Directory.Read.All and User.Read permissions to the application
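The Azure-side procedure above (Steps 1 through 4) scripted with the Azure CLI, as an added example that is not CloudZero's or Microsoft's own tooling. It assumes az 2.37 or later, an `az login` session with rights to create app registrations, and `cz_`-prefixed function names of its own. The redirect URI, the single-tenant setting and the two delegated Microsoft Graph scopes are the values the steps above give; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is Microsoft's well-known constant, and the scope IDs are read from the Graph service principal at run time rather than hard-coded.

```shell
#!/usr/bin/env sh
# Added example: automates Steps 1-4 with the Azure CLI. Not CloudZero tooling.
# Requires: az 2.37+, `az login` as a user who may create app registrations.
set -eu

# Values taken from the steps above.
CZ_REDIRECT_URI="https://auth.cloudzero.com/login/callback"
CZ_SCOPES="Directory.Read.All User.Read"
# Well-known application ID of the Microsoft Graph API (identical in every tenant).
MS_GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Step 5 wants the bare domain: strip a scheme, a leading "www." and any path.
cz_normalize_domain() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#^www\.##; s#/.*$##'
}

# Graph reports endDateTime as ISO-8601 (2026-05-01T09:30:00Z); Step 5 wants YYYY-mm-dd.
cz_expiry_date() {
  printf '%s\n' "${1%%T*}"
}

# The client ID is a GUID; refuse anything that is not one before going further.
cz_is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step 1: the tenant's primary (default) verified domain.
cz_primary_domain() {
  az rest --method GET --url "https://graph.microsoft.com/v1.0/organization" \
    --query "value[0].verifiedDomains[?isDefault].name | [0]" -o tsv
}

# Step 2: single-tenant registration with the Web redirect URI; prints the client ID.
cz_create_app() {
  az ad app create --display-name "$1" \
    --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "$CZ_REDIRECT_URI" \
    --query appId -o tsv
}

# Step 4: request the delegated Microsoft Graph scopes, looking each ID up by name.
# Like "Add permissions" in the portal, this only requests them; consent is not granted here.
cz_add_permissions() {
  app_id="$1"
  for scope in $CZ_SCOPES; do
    scope_id=$(az ad sp show --id "$MS_GRAPH_APP_ID" \
      --query "oauth2PermissionScopes[?value=='$scope'].id | [0]" -o tsv)
    az ad app permission add --id "$app_id" --api "$MS_GRAPH_APP_ID" \
      --api-permissions "${scope_id}=Scope" >/dev/null
  done
}

cz_main() {
  app_name="$1"
  domain=$(cz_normalize_domain "$(cz_primary_domain)")
  app_id=$(cz_create_app "$app_name")
  cz_is_guid "$app_id" || { echo "unexpected client ID: $app_id" >&2; exit 1; }

  # Step 3: add a one-year client secret. The VALUE is returned only by this call;
  # the expiry is read back from the credential list afterwards.
  label="cloudzero-sso-$(date +%Y%m%d)"
  secret=$(az ad app credential reset --id "$app_id" --append \
    --display-name "$label" --years 1 --query password -o tsv)
  expiry=$(cz_expiry_date "$(az ad app credential list --id "$app_id" \
    --query "[?displayName=='$label'].endDateTime | [0]" -o tsv)")

  cz_add_permissions "$app_id"

  # The four values in the shape the Step 5 form expects. The secret is shown
  # once; put it in a secrets manager rather than leaving it in shell history.
  printf 'Tenant URL:             %s\n' "$domain"
  printf 'Client ID:              %s\n' "$app_id"
  printf 'Client Secret:          %s\n' "$secret"
  printf 'Secret Expiration Date: %s\n' "$expiry"
}

# Only runs when invoked explicitly, so the helpers can also be sourced on their own.
if [ "${1:-}" = "--run" ]; then
  cz_main "${2:-CloudZero}"
fi
```

Run it as `sh cz-entra-setup.sh --run CloudZero`. It prints the same four values you would otherwise copy from the portal, in the format Step 5's form expects; as in the portal, the permissions are only requested here, and the consent prompt appears in the test window in Step 5.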

Step 5: Configure the Entra ID SSO integration in CloudZero

  1. Log in to CloudZero and navigate to Settings > SSO Integrations.

  2. Select Create New Integration.

    Select the Create New Integration button on the SSO Integrations page

  3. On the Select Your Identity Provider page, select Azure Active Directory. CloudZero displays the Connect Azure Active Directory to CloudZero form:

    The Connect Azure Active Directory to CloudZero form

  4. Enter the Email Domain. Users with an email address from this domain will be forwarded to your Microsoft Entra ID integration to log in to CloudZero.

  5. Complete the remaining fields using the values you gathered from Azure:

    Value you collected                | CloudZero field        | Notes
    -----------------------------------|------------------------|---------------------------------------------------------------
    Primary domain (Step 1)            | Tenant URL             | Domain name only (such as example.com). Do not add https://www.
    Application (client) ID (Step 2)   | Client ID              |
    Secret value (Step 3)              | Client Secret          |
    Secret expiration date (Step 3)    | Secret Expiration Date | Format: YYYY-mm-dd

  6. Select Create Integration. CloudZero creates the integration and shows its details.

    Your new Entra ID integration's details page

  7. Select the Open Test Window button to open a new browser tab to test the integration by logging in to your IdP:

    Select the Open Test Window button to test your SSO integration

  8. In the new tab, authorize CloudZero's request to connect to your account.

  9. When the test is successful, the tab closes and CloudZero shows a Connection test successful! message. Select Close. If the test fails, verify the values you entered in the previous steps and try again.

  10. In the SSO Connection Status and Controls section, check the Enable log-ins with my SSO box.

  11. Optionally, check the Enable SSO for Groups box to allow your IdP to manage your Roles. See Manage Roles with SSO for more information.

    Check the necessary boxes before activating your SSO integration

  12. Select Enable.

    Warning: Selecting Enable immediately activates the SSO integration. If you need to disable this integration, contact your account manager or email [email protected].

  13. Scroll back up to the General Configuration section and copy the Bookmark URL. This is the URL your users will use to access CloudZero. It follows this format: https://app.cloudzero.com/?connection=<your-connection-name>

    Copy the Bookmark URL from the CloudZero UI

  14. Create a bookmark in your browser using the Bookmark URL you copied. When you select the bookmark, you log in to CloudZero directly.

  15. Share the Bookmark URL with other users in your CloudZero organization so they can create their own browser bookmarks.

What to expect

Users can now log in to CloudZero using their browser bookmark or by navigating to app.cloudzero.com and entering their email. CloudZero uses Just-in-Time provisioning, so any user granted access in Entra ID receives a CloudZero account automatically on first login.

Note: Have questions or feedback? Reach out to your account manager.