Single Sign On with Microsoft Entra (formerly Azure Active Directory)

In this tutorial, you'll learn how to integrate Simple In/Out with Azure Entra (formerly Azure Active Directory). When you integrate Simple In/Out with Azure Entra, you can:

  • Control in Azure Entra who has access to Simple In/Out.
  • Create users in Simple In/Out automatically from Azure Entra.
  • Remove users in Simple In/Out when they do not require access anymore.
  • Keep user attributes synchronized between Azure Entra and Simple In/Out.
  • Provision groups and group memberships in Simple In/Out.
  • Enable your users to be automatically signed-in to Simple In/Out with their Azure Entra accounts using Single Sign On.

For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory.

Prerequisites

To get started, you need the following items:

  • Azure Entra subscription. If you don't have a subscription, you can get a free account.
  • Simple In/Out Enterprise level subscription.
  • Your organization must not be using Simple In/Out Linked Companies.

Configure and test Azure Entra Single Sign On for Simple In/Out

For SSO to work, you need to establish a link relationship between Azure Entra users and users in Simple In/Out. To configure Azure Entra SSO with Simple In/Out, complete the following building blocks:

  1. Plan your provisioning deployment
  2. Configure Simple In/Out SSO - to configure the SSO settings on application side.
  3. Set your default Simple In/Out role
  4. Add Simple In/Out from the gallery
  5. Define who will be in scope for provisioning
  6. Configure automatic user provisioning to Simple In/Out
  7. Monitor your deployment
  8. Test Logging into Simple In/Out
  9. Known issues for provisioning in Microsoft Entra

Step 1. Plan your provisioning deployment

  1. Learn about how the provisioning service works.
  2. Determine who will be in scope for provisioning.
  3. Determine what data to map between Azure Entra and Simple In/Out.
  4. Configure your default Simple In/Out role which will govern permissions for any new users.

Step 2. Configure Simple In/Out SSO

  1. In a web browser, head to simpleinout.com and sign in with a Simple In/Out administrator's credentials.
  2. Click Settings in the upper-right.
  3. Click Single Sign On under the ENTERPRISE menu on the left.
  4. If you are not yet on an Enterprise level plan, this settings page will alert you that you need to upgrade your plan in order to use Single Sign On. Follow the link to upgrade your plan if necessary and return to this page.
  5. Be sure your provider is set to Microsoft and click the Connect Single Sign On button.
  6. You will be asked to confirm that you wish to enable Single Sign On. Click OK to confirm.
  7. Click Reveal on your Recovery Key and store this entire key in a safe place. IMPORTANT! If you are ever locked out of your Microsoft accounts and need to disconnect SSO without access, you'll be required to relay the Recovery Key to Simple In/Out technical support.
  8. Click Reveal on your Bearer Token and make note of it. You'll need this for Step 6.5.
  9. Make note of the URL. You'll need this for Step 6.5.

Step 3. Set your default Simple In/Out role

When a new user is provisioned from Azure Entra to Simple In/Out, Simple In/Out will set that user's role to the default role for your organization. This role will govern the user's permissions inside Simple In/Out. For existing users that may be converted to SSO, Simple In/Out will maintain their existing role.

After users are provisioned to Simple In/Out, any administrator-level user can edit a user's role. This is done by clicking on a user on the Simple In/Out board, then clicking the Edit User button that appears in the user's profile dialog.

You can change the default role in Simple In/Out as well as tailor the permissions in the role on Simple In/Out's website.

  1. Within Simple In/Out's website, click Settings in the upper-right.
  2. Click Roles under the USERS menu on the left.
  3. Click the Edit button associated with your default role as designated by the green checkmark.
  4. Any settings can be changed from here and will immediately take effect.

Step 4. Add Simple In/Out from the gallery

To configure the integration of Simple In/Out into Azure Entra, you need to add Simple In/Out from the gallery to your list of managed SaaS apps.

Important! Before following the steps below, you'll need to log out of simpleinout.com in your web browser of choice by clicking Log Out in the upper-right. The steps require you to walk through the Sign in with Microsoft workflow so that Microsoft asks you the proper consent question, and that login flow cannot be used if you're already signed in with your non-SSO Simple In/Out account. See more about Microsoft's workflow here.

  1. Sign in to the Azure Entra portal using either a work or school account, or a personal Microsoft account.
  2. Depending on your left navigation page from Microsoft, select either the Identity or Azure Active Directory service.
  3. Navigate to either Applications -> Enterprise Applications or Enterprise Applications -> All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type Simple In/Out in the search box.
  6. Select Simple In/Out from results panel and then click the Sign up for Simple In/Out button.
  7. You should now be redirected back to the Simple In/Out website login screen. If you are, proceed to the next step. If you see anything other than a sign in screen for Simple In/Out, STOP. You were not signed out as indicated in the Important note above. Sign out of Simple In/Out and start over.
  8. Click the Sign in with Microsoft button and use your Microsoft credentials. This will prompt you to consent on behalf of your organization to use Simple In/Out. Once you consent, you'll be sent back to Simple In/Out with an error because we haven't yet provisioned any users. But your consent will add the Simple In/Out application to your Microsoft tenant.

Alternatively, you can use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration. Learn more about Microsoft 365 wizards.

Step 5. Define who will be in scope for provisioning

The Azure Entra provisioning service allows you to scope who will be provisioned to the application. You can choose to sync all users and groups, or you can choose to sync only assigned users and groups. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described here.

  • Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an attribute based scoping filter.
  • Depending on your Microsoft Entra plan, you may have to approach this differently. In our experience, users on the free Entra plans do not have the ability to assign groups to Simple In/Out directly (the Sync Assigned Users and Groups option does not work). Instead, these free plan administrators will need to Sync All Users and Groups and then utilize the scoping filters mentioned above to limit which come to Simple In/Out.

Step 6. Configure automatic user provisioning to Simple In/Out

  1. Sign in to the Azure portal. Select Enterprise Applications, then select All applications.
  2. In the applications list, select Simple In/Out.
  3. Select the Provisioning tab.
  4. Set the Provisioning Mode to Automatic.
  5. Under the Admin Credentials section, input your Simple In/Out Tenant URL and Secret Token. The Tenant URL must be copied from Simple In/Out's SSO administrator screen in full, including any characters after the "?". The Secret Token is the Bearer Token you noted in Step 2.8. Click Test Connection to ensure Azure Entra can connect to Simple In/Out. If the connection fails, ensure you have copied and pasted the values from Simple In/Out correctly and try again.
  6. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.
  7. Select Save.
  8. Under the Mappings section, select Provision Azure Active Directory Users.
  9. Review the user attributes that are synchronized from Azure Entra to Simple In/Out in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in Simple In/Out for update operations. If you choose to change the matching target attribute, you'll need to ensure that the Simple In/Out API supports filtering users based on that attribute. Select the Save button to commit any changes.

When customizing attribute mappings for user provisioning, you might find the attribute you want to map doesn't appear in the Source attribute list. This article shows you how to add the missing attribute.

Attribute       Type        Support for filtering    Required by Simple In/Out
userName        String
externalId      String
displayName     String
title           String
active          Boolean
phoneNumbers    String
groups          Reference

  1. Under the Mappings section, select Provision Azure Active Directory Groups.
  2. Review the group attributes that are synchronized from Azure Entra to Simple In/Out in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the groups in Simple In/Out for update operations. Select the Save button to commit any changes.

Attribute       Type        Support for filtering    Required by Simple In/Out
displayName     String
members         Reference

  1. To configure scoping filters, refer to the following instructions provided in the Scoping filter tutorial. Specifically examine the role within Microsoft Entra to make certain users are assigned the "User" role and not "Default Access".
  2. To enable the Azure Entra provisioning service for Simple In/Out, change the Provisioning Status to On in the Settings section.
  3. Define the users and/or groups that you would like to provision to Simple In/Out by choosing the desired values in Scope in the Settings section.
  4. When you're ready to provision, click Save.

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure Entra provisioning service is running.

Step 7. Monitor your deployment

Once you've configured provisioning, use the following resources to monitor your deployment:

  • See the Simple In/Out logs of calls within our Single Sign On settings described in Step 2.
  • Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully.
  • Check the progress bar to see the status of the provisioning cycle and how close it is to completion.
  • If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states here.

Step 8. Test Logging into Simple In/Out

Once the initial time (up to 40 minutes according to Microsoft) elapses, you can attempt to sign in using your Microsoft credentials on Simple In/Out. To do so, follow these steps:

  1. Make sure you are in fact signed out of simpleinout.com. Alternatively, you can use a private/incognito window in your web browser.
  2. Head to simpleinout.com and click the Log In button in the upper-right.
  3. Click the Sign in with Microsoft button.
  4. Enter your Microsoft Credentials and accept any permissions asked. Simple In/Out's SSO implementation requires openid, profile, and email permissions in order to authenticate your user account.
  5. If successful, you'll be taken back to Simple In/Out and see your Simple In/Out board. If unsuccessful, check your logs to see that Azure Entra has successfully made requests to Simple In/Out. Logs exist on both simpleinout.com and Azure Entra.

Step 9. Known issues for provisioning in Microsoft Entra

There are a number of known issues that Microsoft acknowledges with their user provisioning. Specifically, we will call out the fact that Microsoft does not remove data after it has been provisioned to Simple In/Out, even if you delete it. Microsoft states here that they do not send null/empty data. If you empty a user's field, or if you remove a field entirely from your mapping, Microsoft will not send Simple In/Out any requests and we'll have no indication to clear the data from our side.
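
A periodic reconciliation can surface the stale data described above. The following is an added example, not code from Simple In/Out or Microsoft: it compares a user export from each side and reports values that provisioning will never clear, either because the field was emptied in the source or because the attribute was removed from the mapping. The export shapes, the userName match key and every sample record are assumptions constructed for illustration.

```python
# Added example: all records below are constructed sample data.
ATTRS = ("displayName", "title", "phoneNumbers")  # names from the attribute table

def is_empty(value):
    # None, "" and [] all count as "cleared": none of them produces an update.
    return value in (None, "", [])

def find_stale(source_users, target_users, mapped=ATTRS):
    """Return (userName, attribute, reason) for target values the sync will not clear."""
    # Assumption: userName is the matching property, compared case-insensitively.
    source = {u["userName"].lower(): u for u in source_users}
    findings = []
    for t in target_users:
        s = source.get(t["userName"].lower())
        if s is None:
            continue  # not in the source export; deprovisioning is a separate check
        for attr in ATTRS:
            if is_empty(t.get(attr)):
                continue  # nothing held on the target side, nothing to go stale
            if attr not in mapped:
                findings.append((t["userName"], attr, "unmapped"))
            elif is_empty(s.get(attr)):
                findings.append((t["userName"], attr, "cleared in source"))
    return findings

# Constructed export from the identity provider (source of truth).
ENTRA_EXPORT = [
    {"userName": "alice@example.com", "displayName": "Alice Ng",
     "title": "", "phoneNumbers": ["+1 555 0100"]},
    {"userName": "bob@example.com", "displayName": "Bob Ruiz",
     "title": "Analyst", "phoneNumbers": []},
]

# Constructed export from the application (still holds the old values).
SIO_EXPORT = [
    {"userName": "alice@example.com", "displayName": "Alice Ng",
     "title": "Contractor", "phoneNumbers": ["+1 555 0100"]},
    {"userName": "Bob@example.com", "displayName": "Bob Ruiz",
     "title": "Analyst", "phoneNumbers": ["+1 555 0199"]},
]

if __name__ == "__main__":
    for row in find_stale(ENTRA_EXPORT, SIO_EXPORT):
        print(*row, sep="\t")
```

Pass the attributes currently in your mapping as `mapped`; anything reported needs to be corrected by hand in Simple In/Out, since no provisioning request will arrive to clear it.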

Need Support?

If you need any support or see unexpected errors, never hesitate to reach out to us at help@simplymadeapps.com. We're here to help.