> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OIDC with Microsoft Entra ID

> Configure OpenID Connect single sign-on between TrueFoundry and Microsoft Entra ID (formerly Azure AD).

This guide walks you through setting up OpenID Connect (OIDC) single sign-on between TrueFoundry and Microsoft Entra ID (formerly Azure Active Directory). Once finished, members of your Entra tenant can sign in to TrueFoundry through a **Login with Entra ID** button.

For SAML 2.0 instead of OIDC, see [SAML with Microsoft Entra ID](/docs/platform/sso/entra/saml).

## Prerequisites

* A TrueFoundry tenant with **Admin** access to **Settings → Security & Access → SSO**.
* A Microsoft Entra tenant with permission to create **App registrations**.

## Step 1 — Register an application in Entra

<Steps>
  <Step title="Open App registrations">
    Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as an administrator.

    In the left navigation, expand **Identity → Applications**, select **App registrations**, then click **New registration**.

    <Frame caption="App registrations page in the Microsoft Entra admin center">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-1-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=0a3d0567e1464b5116c7950a1b6afbf9" alt="Microsoft Entra admin center App registrations page with the New registration button highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-1-a.png" />
    </Frame>
  </Step>

  <Step title="Configure the registration">
    Fill in:

    * **Name** — a lowercase alphanumeric label, for example `truefoundry-oidc`.
    * **Supported account types** — choose **Single tenant only**.
    * **Redirect URI** — set the platform to **Web** and the URL to:

      ```
      https://login.truefoundry.com/oauth2/callback
      ```

    Click **Register**.

    <Frame caption="Register an application — Single tenant only and Web redirect URI">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-register-app.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=cf407ce829f4bff211d3ebcd7e0a255e" alt="Entra Register an application form with Single tenant only selected and the TrueFoundry OAuth callback redirect URI configured" width="992" height="577" data-path="images/sso/entra/oidc-register-app.png" />
    </Frame>
  </Step>

  <Step title="Note the Client ID and Tenant ID">
    On the application **Overview** page, copy the **Application (client) ID** and the **Directory (tenant) ID**. You'll use them in TrueFoundry.

    <Frame caption="App registration Overview page showing the Application (client) ID and Directory (tenant) ID">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-2-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=4623ac57c32ae266c1ac54e766086093" alt="Entra app registration Overview page with the Application (client) ID highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-2-a.png" />
    </Frame>
  </Step>
</Steps>

## Step 2 — Create a client secret

<Steps>
  <Step title="Open Certificates & secrets">
    From your app registration, click **Certificates & secrets** in the left sidebar, then click **New client secret** under **Client secrets**.

    <Frame caption="Certificates & secrets page in the Entra app registration">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-3-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=37bf46b94519a9ac88f94c3291a4bbb9" alt="Entra Certificates and secrets page with the New client secret button highlighted under Client secrets" width="1500" height="938" data-path="images/sso/entra/oidc-step-3-a.png" />
    </Frame>
  </Step>

  <Step title="Generate the secret">
    Add a description (for example `TrueFoundry SSO`), choose an expiry that matches your security policy, and click **Add**.

    <Frame caption="Add a client secret side panel — description and expiry, then Add">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-3-b.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=3b6ef0dd6bb6c8d16d562c97d001f909" alt="Entra Add a client secret panel with Description and Expires fields and the Add button highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-3-b.png" />
    </Frame>
  </Step>

  <Step title="Copy the secret value">
    Copy the secret's **Value** field — not the **Secret ID**. The value is only visible immediately after creation.

    <Frame caption="Newly created client secret — copy the Value column, not the Secret ID">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-3-c.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=8f22a76ada39e90075ef4bb9d09553e6" alt="Entra Certificates and secrets page showing a newly created client secret with the Value column highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-3-c.png" />
    </Frame>

    <Warning>
      Once you leave this page, the secret value can never be displayed again. If you lose it you must create a new client secret.
    </Warning>
  </Step>
</Steps>

## Step 3 — Configure token claims (recommended)

By default, Entra issues an ID token that doesn't include the user's email address. Adding the `email` claim lets TrueFoundry match the user to a TrueFoundry account.

<Steps>
  <Step title="Open Token configuration">
    From your app registration, click **Token configuration** in the left sidebar, then click **Add optional claim**.

    <Frame caption="Token configuration page — click Add optional claim">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-5-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=35a0d82e51644240e602912f7ebc5341" alt="Entra Token configuration page with the Add optional claim button highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-5-a.png" />
    </Frame>
  </Step>

  <Step title="Add ID token claims">
    Choose **ID** as the token type and select the following claims:

    * `email`
    * `family_name`
    * `given_name`

    Click **Add**. When prompted, enable **Turn on the Microsoft Graph email, profile permission** so the requested scopes have permission to return these claims.

    <Frame caption="Add optional claim panel — select ID token type and the email, family_name, given_name claims">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-5-b.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=47dc4f643c880385c35f18fcf574f157" alt="Entra Add optional claim panel with ID selected and email, family_name and given_name claims ticked" width="1500" height="938" data-path="images/sso/entra/oidc-step-5-b.png" />
    </Frame>

    <Frame caption="Confirmation prompt — enable the Microsoft Graph email, profile permission">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-5-c.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=0b10e6595c29e5ca060430c7565b0c4d" alt="Entra prompt asking to turn on the Microsoft Graph email, profile permission for the selected claims" width="1500" height="938" data-path="images/sso/entra/oidc-step-5-c.png" />
    </Frame>
  </Step>
</Steps>

## Step 4 — Add the redirect URI again on the Authentication page (if needed)

If you skipped setting **Redirect URI** during registration:

<Steps>
  <Step title="Open Authentication">
    From the app registration, click **Authentication** in the left sidebar, then **Add a platform → Web**.
  </Step>

  <Step title="Add the callback URL">
    Set **Redirect URIs** to:

    ```
    https://login.truefoundry.com/oauth2/callback
    ```

    Click **Configure**.
  </Step>
</Steps>

<Tip>
  To enable the **Device Code** sign-in flow (used by some CLIs that don't have access to a browser), expand **Advanced settings** on the **Authentication** page and toggle **Allow public client flows** on.
</Tip>

## Step 5 — Configure TrueFoundry

<Steps>
  <Step title="Open SSO settings">
    In TrueFoundry, go to **Settings → Security & Access → SSO**.

    Click the **+** icon labeled **Add New SSO Config**.

    <Frame caption="SSO page in TrueFoundry — click the + icon to add a new SSO configuration">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-add-sso-config.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=f768205b84d9f33ce04a8b8576ab0070" alt="TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted" width="1024" height="263" data-path="images/sso/entra/saml-truefoundry-add-sso-config.png" />
    </Frame>
  </Step>

  <Step title="Fill in the SSO form">
    * **Enabled**: turn this on.

    * **Name**: a lowercase alphanumeric label — for example, `entraoidc`.

    * **SSO Provider**: select **Azure AD**.

    * **Authentication Configuration**: choose **OIDC**.

    * **Client ID**: the **Application (client) ID** from Entra.

    * **Client Secret**: the client secret **Value** from Entra.

    * **Discover endpoints**: leave enabled.

    * **Issuer URL**:

      ```
      https://login.microsoftonline.com/<tenant-id>/v2.0
      ```

      Replace `<tenant-id>` with the **Directory (tenant) ID** you copied in Step 1.

    * **Scopes** *(optional)*: leave blank to use the default `openid email`. Add `profile` if you want first and last name in the token.
  </Step>

  <Step title="Save">
    Click **Save**. TrueFoundry validates the issuer URL and stores the credentials.
  </Step>
</Steps>

## Step 6 — Assign users in Entra

For single-tenant configurations with **Assignment required** enabled, Entra only allows assigned users to sign in.

<Steps>
  <Step title="Open the enterprise application">
    Back in the Entra admin center, navigate to **Enterprise applications** and select the app registration you created.

    <Frame caption="Find your application in Enterprise applications">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-6-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=e40df3da351813ce445dc83ec3b1d545" alt="Entra Enterprise applications page with the search filter applied to locate the registered application" width="1500" height="938" data-path="images/sso/entra/oidc-step-6-a.png" />
    </Frame>

    <Frame caption="Users and groups tab inside the enterprise application">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-6-b.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=7462f21b7a37aa17001efe10330af8ed" alt="Entra enterprise application Users and groups page with the Add user/group button highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-6-b.png" />
    </Frame>
  </Step>

  <Step title="Add users and groups">
    Click **Users and groups** → **Add user/group**, pick the users or security groups that should be able to sign in to TrueFoundry, and click **Assign**.

    <Frame caption="Add Assignment — click Users to open the picker">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-6-c.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=4345cfa313e671a8e48331e206088655" alt="Entra Add Assignment page with the Users selector showing None Selected" width="1500" height="938" data-path="images/sso/entra/oidc-step-6-c.png" />
    </Frame>

    <Frame caption="With users selected, click Assign to grant access">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/oidc-step-6-d.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=2d263d6c92e926df7db03fe901e69bdb" alt="Entra Add Assignment page with 1 user selected and the Assign button highlighted" width="1500" height="938" data-path="images/sso/entra/oidc-step-6-d.png" />
    </Frame>
  </Step>
</Steps>

## Step 7 — Test single sign-on

1. Open a private/incognito window and visit your TrueFoundry login page.
2. Click **Login with Entra ID**.
3. Authenticate with an assigned user.

You should land in the TrueFoundry dashboard. New users are created automatically if [JIT provisioning](/docs/platform/user-management#user-provisioning) is enabled.

## Optional next steps

* **Sync users and groups automatically** — see [SCIM with Microsoft Entra ID](/docs/platform/sso/entra/scim).
* **Use SAML instead** — see [SAML with Microsoft Entra ID](/docs/platform/sso/entra/saml).

## Troubleshooting

<AccordionGroup>
  <Accordion title="'AADSTS700016: Application with identifier was not found in the directory'">
    The **Issuer URL** in TrueFoundry points to the wrong tenant. Double-check the **Directory (tenant) ID** and re-construct the issuer as `https://login.microsoftonline.com/<tenant-id>/v2.0`.
  </Accordion>

  <Accordion title="'AADSTS7000215: Invalid client secret provided'">
    Either the secret expired or only the **Secret ID** was copied. Generate a new client secret in **Certificates & secrets**, copy the **Value** field immediately, and update TrueFoundry.
  </Accordion>

  <Accordion title="Sign-in works but the user's email is empty">
    Make sure you added the `email` optional claim in **Token configuration** *and* enabled the **email, profile** Microsoft Graph permission when prompted. Then add `profile email` to **Scopes** on the TrueFoundry SSO form.
  </Accordion>

  <Accordion title="'AADSTS50105: The signed in user is not assigned to a role for the application'">
    Either disable **Assignment required** on the Enterprise application's **Properties** page, or assign the user/group under **Users and groups**.
  </Accordion>
</AccordionGroup>
