SSO with Microsoft Entra ID (Azure AD)
CloudZero supports single sign-on (SSO) for Microsoft Entra ID (formerly Azure Active Directory). This enables Entra ID users to seamlessly log in to CloudZero without needing to enter a CloudZero username and password.
To set up a new SSO integration for CloudZero using Microsoft Entra ID, complete the following steps:
- Retrieve your Entra ID primary domain from Azure.
- Create a new app registration in Azure.
- Create a client secret for the application.
- Assign API permissions to the application.
- Configure the Entra ID SSO Integration in CloudZero.
As part of these steps, you will gather the following information from Azure:
- Primary domain
- Application (client) ID
- Secret value
- Secret expiration date
Step 1: Retrieve your Entra ID primary domain from Azure
- Log in to the Azure Portal and navigate to Entra ID.
- Copy the Primary domain from your Entra ID overview for use in configuring the SSO integration in CloudZero.
Step 2: Create a new app registration in Azure
- In the Azure Portal, navigate to App Registrations.
- Select New registration.
- Enter a name in the Name field, such as CloudZero.
- In the Supported account types section, select Accounts in this organizational directory only (Single tenant).
- In the Redirect URI section, select Web from the drop-down menu and enter the following URI: https://auth.cloudzero.com/login/callback
- Select Register. Azure creates the app registration.
- On the Overview page for the app you created, copy the Application (client) ID for use in configuring the SSO integration in CloudZero.
Step 3: Create a client secret for the application
- In the Azure Portal, on the Overview page for the app registration you created, select Manage > Certificates & secrets.
- Select New client secret.
- Enter a description for the client secret.
- Select an expiration date.
- Select Add.
- Copy the secret's Value (not the secret's ID). Note that the value cannot be displayed again after you leave the page. You will need this value for configuring the SSO integration in CloudZero.
- Note the secret's expiration date for use in configuring the SSO integration in CloudZero.
Step 4: Assign API permissions to the application
- In the Azure Portal, on the Overview page for the app registration, select Manage > API permissions.
- Select Add a permission.
- Select Microsoft Graph.
- Select Delegated permissions.
- In the Select permissions search field, search for and select the following permissions:
  - Directory.Read.All
  - User.Read
- Select Add permissions.
Step 5: Configure the Entra ID SSO Integration in CloudZero
- Log in to CloudZero and navigate to Settings > SSO Integrations.
- Click the Create New Integration button.
- On the Select Your Identity Provider page, select Azure Active Directory.
- When the Connect Azure Active Directory to CloudZero form opens, complete the fields as follows:
  - The IdP Callback URL field displays the callback URL. Because you entered this URL into your Microsoft Entra ID application's Redirect URI field in a previous step, you can proceed to the next field.
  - Enter the Email Domain. Users with an email address from this domain will be forwarded to your Microsoft Entra ID integration to log in to CloudZero.
  - Paste the primary domain you copied in Step 1 (Retrieve your Entra ID primary domain from Azure) into the Tenant URL field. Note that this is the domain name only (such as example.com). Do not add https://www. to it.
  - Paste the application (client) ID you copied in Step 2 (Create a new app registration in Azure) into the Client ID field.
  - Paste the secret value you copied in Step 3 (Create a client secret for the application) into the Client Secret field.
  - Enter the expiration date for the secret from Step 3 (Create a client secret for the application) into the Secret Expiration Date field, using the format YYYY-mm-dd.
- Select Create Integration. CloudZero creates the SSO integration and reloads the page to display the integration details.
- Click the Open Test Window button to open a new browser tab and test the integration by logging in to your IdP.
- In the new tab, authorize CloudZero's request to connect to your account.
- When the test is successful, the tab closes, and the integration details page in CloudZero displays a modal with the message Connection test successful! Select Close to close the modal.
- In the SSO Connection Status and Controls section, check the Enable log-ins with my SSO box.
- Optionally, check the Enable SSO for Groups box to allow your IdP to manage your groups. See Manage Groups with SSO for more information.
- Select Enable.
  Selecting Enable will immediately activate the SSO integration. If you need to disable this integration, email the team at [email protected].
- Scroll back up to the General Configuration section and copy the Bookmark URL. It will follow this format: https://app.cloudzero.com?connection=<your-connection-name>
- Manually create a bookmark in your browser of choice using the Bookmark URL you copied. When you select the bookmark in your browser, you will seamlessly log in to CloudZero.
- Share the Bookmark URL with other users in your CloudZero organization so they can create their own browser bookmarks to log in to CloudZero.
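The form in Step 5 gives little feedback when one of the values gathered in Steps 1 through 4 is wrong: a tenant domain pasted with a scheme, the secret's ID pasted instead of its value, or an expiration date in the wrong format only shows up as a failed connection test. The following pre-flight validator, written for this page as an added example (it is not CloudZero's or Microsoft's code), checks the gathered values against the requirements stated in the steps above before you paste them into the form. The sample values, the 30-day expiry warning threshold and the field names in the dictionary are constructed assumptions; the redirect URI and the date format are the ones the page specifies.

```python
import re
from datetime import date, datetime, timedelta

# Constructed placeholder values of the kind Steps 1-4 have you gather.
# None of these is a real tenant, application or secret.
SAMPLE_VALUES = {
    "tenant_domain": "example.com",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "abc8Q~placeholder.secret.value.not.real",
    "secret_expiration": "2099-01-31",
    "redirect_uri": "https://auth.cloudzero.com/login/callback",
}

# The redirect URI the page tells you to register in Step 2.
EXPECTED_REDIRECT_URI = "https://auth.cloudzero.com/login/callback"
# Application (client) IDs and client-secret IDs are GUIDs; secret values are not.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
# A bare DNS name: labels of 1-63 characters, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
# Assumption: warn when the secret expires within this many days so rotation can be planned.
EXPIRY_WARNING_DAYS = 30


def validate_sso_values(values, today=None):
    """Return a list of problems; an empty list means the values look ready to paste.

    `today` may be a YYYY-mm-dd string (useful for tests) or None for the real date.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = datetime.strptime(today, "%Y-%m-%d").date()
    problems = []

    # Step 5: Tenant URL is the domain only, no scheme, no "www.", no path.
    domain = values.get("tenant_domain", "")
    if domain.lower().startswith(("http://", "https://", "www.")) or "/" in domain:
        problems.append("tenant_domain must be the bare domain (no scheme, 'www.' or path)")
    elif not DOMAIN_RE.match(domain):
        problems.append("tenant_domain is not a valid DNS domain name")

    # Step 2: the Application (client) ID is a GUID.
    if not GUID_RE.match(values.get("client_id", "")):
        problems.append("client_id must be the Application (client) ID, a GUID")

    # Step 3: the secret's Value, not its ID. The ID is a GUID; the value never is.
    secret = values.get("client_secret", "")
    if not secret:
        problems.append("client_secret is empty")
    elif GUID_RE.match(secret):
        problems.append("client_secret looks like the secret's ID (a GUID); paste the secret's Value instead")

    # Step 5: expiration date in YYYY-mm-dd, and the secret must still be valid.
    exp_raw = values.get("secret_expiration", "")
    try:
        exp = datetime.strptime(exp_raw, "%Y-%m-%d").date()
    except ValueError:
        problems.append("secret_expiration must use the format YYYY-mm-dd")
    else:
        if exp <= today:
            problems.append(f"secret expired on {exp}; create a new client secret")
        elif exp - today <= timedelta(days=EXPIRY_WARNING_DAYS):
            problems.append(f"secret expires on {exp}, within {EXPIRY_WARNING_DAYS} days; plan rotation")

    # Step 2: the registered redirect URI must match the IdP Callback URL exactly.
    if values.get("redirect_uri") != EXPECTED_REDIRECT_URI:
        problems.append(f"redirect_uri must be exactly {EXPECTED_REDIRECT_URI}")

    return problems


if __name__ == "__main__":
    for problem in validate_sso_values(SAMPLE_VALUES) or ["all values look ready to paste"]:
        print(problem)
```

Run it with your own values in place of SAMPLE_VALUES before opening the CloudZero form; the secret value should be read from a secure store rather than committed alongside the script. The GUID check on the secret is the one most worth keeping: the portal shows a Secret ID next to the Value, and the ID is the wrong thing to paste.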