Microsoft Entra Single Sign On (formerly Azure)

Modified on Mon, Sep 23 at 9:30 AM

Important Note: Client IDs on the Azure side are set to a default expiration date of 6 months. Be aware of this, or increase the default value, to prevent your users from being locked out 6 months after the Client ID is created.


Configure SchoolFi for Single-Sign-On with Microsoft Entra (formerly Azure)

  1. Before you begin, it is recommended you set up a notepad (or other text editor) document.  You will need to copy and paste several values from the Entra Admin center to then be used later in your SchoolFi configuration.

 

Configure the Entra App Registration

 

  2. Open the Microsoft Entra admin center and navigate to Applications → App registrations in the navigation bar.

    This link should take you directly to this page:
     https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

 

  3. Click the New Registration button at the top.

 

  4. On the Register an application page, complete the following:

    a. Name (a friendly name for the application, e.g., “SchoolFi”)
    b. Select a supported account type (likely single-tenant for most configurations)

    Then click the Register button at the bottom.

  5. If the application was registered, you should see a confirmation message appear at the top right of the screen.  If it does not redirect you directly to the new app registration page, follow these steps to access your new registration.

    a. Next, find your application to continue configuring it. Navigate again to Applications → App registrations.
    b. Click All applications above the search box.
    c. Search for the name of your newly created application in the search box and press enter to locate it.
    d. Click on the App registration’s name in the search results to edit it.  Your app registration page should open.

 

 

  6. There are two important values you need to obtain from the main app registration (overview) page.  You will need to record (copy) the “Application (client) ID” and “Directory (tenant) ID” values from this screen (highlighted in the screenshot below).  These will be used later to configure the SchoolFi side of the authentication.

    Recommended: copy and paste these values into Notepad or another text editor to avoid picking up any stray characters.  These values are critical to the configuration.

 

  7. Configure Certificates & secrets

    a. In the left navigation of the app registration, choose Certificates & secrets.  Click the + New client secret button.
    b. Enter a description (e.g., “SchoolFi”)
    c. Choose an expiration date or use the recommended 180 days.
    d. Click the Add button.
    e. You should now see your Client secret value and Secret ID on the “certificates and secrets page.”
    f. Copy the Value from this secret – this will be needed for the SchoolFi side of the configuration.
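
An added example (not part of the original article, and not SchoolFi or Microsoft code): a Python check that flags client secrets on the app registration that have expired or will expire soon, so the secret can be rotated before sign-in breaks. It assumes credential metadata shaped like the `passwordCredentials` entries Microsoft Graph returns for an application (`displayName`, `keyId`, `endDateTime`); the sample data, the function names and the 30-day warning window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph passwordCredentials entries;
# the keyId values and dates are placeholders, not real credentials.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "SchoolFi", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2025-03-22T13:30:00Z"},
    {"displayName": "SchoolFi (rotated)", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2025-09-20T13:30:00.1234567Z"},
])


def parse_graph_time(value):
    """Parse a Graph-style UTC timestamp, tolerating 7-digit fractional seconds."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"          # datetime keeps at most microseconds
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def secrets_needing_rotation(credentials_json, now, warn_days=30):
    """Return (displayName, keyId, status, days_left) for expired or soon-to-expire secrets."""
    findings = []
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "EXPIRED"
        elif end - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            continue                          # comfortably valid, nothing to report
        findings.append((cred.get("displayName"), cred["keyId"], status, days_left))
    return findings


if __name__ == "__main__":
    today = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed date so the run is repeatable
    for name, key_id, status, days in secrets_needing_rotation(SAMPLE_CREDENTIALS, today):
        print(f"{status}: secret '{name}' ({key_id}) has {days} day(s) left")
```

When a replacement secret is created, the new Value also has to be entered as the Client Secret on the SchoolFi provider record.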

 

Configure the SSO Provider in SchoolFi

  8. Navigate to: System → Security → Single Sign-On/MFA

 

  9. Click Add Provider and enter:

    a. Code (e.g., “ENTRA”)
    b. Provider: “Microsoft Entra ID (Azure AD)”
    c. Description (e.g., “Microsoft Entra ID”)
    d. Client Id: [Copied from Step 6 above]
    e. Client Secret: [Copied from Step 7.f above]
    f. Tenant Id: [Copied from Step 6 above]

 

  10. Now that your SSO provider is configured, on its Modify screen, click the “Lookup OAuth fields from Discovery Document” button at the bottom left.
  11. This will populate several values in the OIDC Single Sign On Vendor End Points table.
  12. On the right side of the modify screen, click the “Refresh Public Key” button.  This will populate several public keys in that table.
  13. On the left side of the modify page, copy the “Redirect URL for Employee Portal” and “Redirect URL for SchoolFi” values and paste them into your notepad document.  These will be used shortly to complete the Entra configuration.
  14. Check either the “Enabled for” Employee Portal or SchoolFi checkboxes at the top (as appropriate) and then click Save.
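
An added example (not part of the original article or SchoolFi's code): a Python sanity check for the values the discovery-document lookup fills in, confirming that the issuer names your Directory (tenant) ID and that every endpoint is HTTPS on the Microsoft sign-in host. It assumes the Entra v2.0 discovery document on the global cloud host `login.microsoftonline.com`; the tenant GUID, the function name and both sample documents are constructed placeholders.

```python
from urllib.parse import urlparse

EXPECTED_HOST = "login.microsoftonline.com"       # assumption: global cloud, v2.0 endpoints
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
TENANT = "11111111-2222-3333-4444-555555555555"   # constructed placeholder tenant ID
BASE = f"https://{EXPECTED_HOST}/{TENANT}"

# Constructed sample documents, trimmed to the fields checked below.
GOOD_DOC = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
}
BAD_DOC = dict(GOOD_DOC,
               issuer=f"https://{EXPECTED_HOST}/99999999-0000-0000-0000-000000000000/v2.0",
               token_endpoint=f"http://{EXPECTED_HOST}/{TENANT}/oauth2/v2.0/token",
               jwks_uri="https://keys.example.invalid/discovery/v2.0/keys")


def check_discovery(doc, tenant_id):
    """Return a list of problems found in an OIDC discovery document for one tenant."""
    problems = []
    issuer = doc.get("issuer", "")
    # For a single-tenant app registration the issuer should name this tenant,
    # not "common" or some other directory's GUID.
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.hostname != EXPECTED_HOST:
        problems.append(f"issuer is not https://{EXPECTED_HOST}/...: {issuer!r}")
    elif parsed.path.strip("/").split("/")[0].lower() != tenant_id.lower():
        problems.append(f"issuer names a different tenant: {issuer!r}")
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if not url:
            problems.append(f"{field} is missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {url!r}")
        elif parsed.hostname != EXPECTED_HOST:
            problems.append(f"{field} points at unexpected host {parsed.hostname!r}")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, check_discovery(doc, TENANT) or "no problems found")
```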

 

Complete Entra ID Configuration

  15. Configure Authentication

    a. In the left navigation of the app registration, choose Authentication.
    b. On the Authentication page, click the + Add a Platform button.
    c. On the “Configure platforms” box that appears, choose “Web.”
      1. Add the Redirect URI.
        1. This is a value you copied from SchoolFi in Step 13.
        2. Paste this value into the Redirect URI in the app registration in Entra.
    d. Then click the Configure button.
    e. You should now see your Web Redirect URI in the platform configuration section of the Authentication tab.
    f. Repeat these steps to add BOTH redirect URLs from Step 13 (both for the Portal and for SchoolFi).

 

 

  16. Grant Admin Consent

    a. In the left navigation of the app registration, choose API Permissions.
    b. On the API permissions page, click the “Grant admin consent for [your organization]” button under Configured permissions.
    c. You will be asked to confirm.  Click Yes.

 

 
