AlertEnterprise Wiki

Microsoft Entra ID SSO

Microsoft·AE_MicrosoftEntraID_SSO_ConfigurationGuide

IAM · active · Microsoft Entra ID (cloud, versionless SaaS, formerly Azure AD)
Transports: rest
Direction: inbound
Authentication: SAML 2.0 (AE as SP, Entra ID as IdP)
Last updated: 2025-08-22

Overview

The Microsoft Entra ID SSO connector configures AlertEnterprise Guardian to federate authentication to Microsoft Entra ID (formerly Azure AD) via SAML 2.0. AE Guardian acts as the SAML Service Provider; Entra ID acts as the Identity Provider with its own identity store (users + groups created in Entra or synced from on-prem AD via Entra Connect).

This is the renamed successor to azure-sso: Microsoft rebranded "Azure Active Directory" to "Microsoft Entra ID" in mid-2023, so the SSO connector reflects the new product naming. It is functionally identical to azure-sso. For identity data sync (not just SSO), pair it with the microsoft-entra-id connector, which uses the Microsoft Graph API.

Setup pattern: AE Guardian is registered as a non-gallery Enterprise Application in the customer's Entra tenant, configured for SAML SSO, with users and/or groups assigned to it.

Architecture

[Architecture diagram: composed from this connector's actors and edges (4 actors, 3 edges). Trust zones are color-coded; trust crossings render as thicker lines.]

Authentication

1 method supported

SAML 2.0 (AE as SP, Entra ID as IdP)
saml

AE Guardian acts as the SAML Service Provider; Entra ID acts as the Identity Provider. The Entra admin creates a non-gallery Enterprise Application in Entra → Enterprise Applications → New application → Create your own application, configures SAML 2.0 SSO with AE-provided metadata, and assigns users/groups.

Prerequisites

Everything that must be in place for this connector to work, with the owner who's responsible.

Entra ID tenant with non-gallery Enterprise Application for AE

Owner: customer

The Entra admin must create a non-gallery Enterprise Application for AE Guardian, configure SAML 2.0 SSO with AE metadata, and assign users/groups.

User records pre-synced into AE Guardian database

Owner: ae

Same constraint as other SSO connectors — users authenticated by Entra ID must already exist in AE Guardian's database. Typically achieved by running the microsoft-entra-id connector first.

Known limitations

Documented constraints to set customer expectations before deployment.

Authentication only — no provisioning or reconciliation

informational

For Entra-side identity data sync, use the microsoft-entra-id connector.

IAM specifics

Protocol support
  • OIDC: yes
  • SAML: yes
  • SCIM: yes

JIT provisioning: configurable
Group sync mode: not-supported
Source of record: No
MFA model

MFA enforced by Entra ID Conditional Access policies. AE Guardian inherits MFA enforcement — no AE-side configuration required.

Default attribute mapping

Email-formatted Name ID + optional claims. Extensible via Entra application attribute mapping.
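
The pre-synced-user prerequisite and the email-formatted Name ID described above imply an SP-side lookup once an assertion has been accepted. The Python below is an added example, not AlertEnterprise code: the SP entity ID, the user set and the sample assertion are constructed, lower-casing the Name ID is an assumption, and signature verification against the Entra ID signing certificate is assumed to have already succeeded.

```python
# Added example, not AlertEnterprise code. Assumes the assertion's XML signature
# was already verified against the Entra ID signing certificate upstream.
import xml.etree.ElementTree as ET  # use a hardened XML parser for untrusted input
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://guardian.example.test/saml/sp"  # hypothetical SP entity ID
PRESYNCED_USERS = {"alice@example.test"}  # constructed stand-in for the user table

# Constructed sample assertion (Signature element omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="{fmt}">{name}</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-08-22T10:00:00Z" NotOnOrAfter="2025-08-22T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def resolve_user(assertion_xml, now, users=PRESYNCED_USERS):
    """Return (username, None) on success or (None, reason) on rejection."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    cond = root.find("saml:Conditions", NS)
    if name_id is None or cond is None:
        return None, "missing NameID or Conditions"
    if name_id.get("Format") != EMAIL_FORMAT:
        return None, "NameID is not email-formatted"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None, "assertion not issued for this SP"
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not not_before or not not_after:
        return None, "missing validity window"
    if not (_ts(not_before) <= now < _ts(not_after)):
        return None, "assertion outside validity window"
    user = (name_id.text or "").strip().lower()  # assumption: stored lower-case
    if user not in users:
        return None, "user not pre-synced"  # per the prerequisite, reject unknown users
    return user, None
```
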

Source materials
  • src/connectors/microsoft-entra-id-sso/source.pdf Full configuration guide — 20 pages, updated 2025-08-22