--- title: 'Azure AD (Entra)' description: 'Learn how to configure Azure AD as an identity provider for NocoDB.' tags: ['SSO', 'Azure AD', 'OIDC'] keywords: ['SSO', 'Azure AD', 'OIDC', 'Authentication', 'Identity Provider'] --- :::warning SSO is available under private beta for self hosted enterprise customers. Please reach [**out to us**](https://calendly.com/nocodb) for early access. ::: This article briefs about the steps to configure Azure AD as Identity service provider for NocoDB ### NocoDB, Retrieve `Redirect URL` 1. Go to `Account Settings` 2. Select `Authentication (SSO)` 3. Click on `New Provider` button 4. On the Popup modal, Specify a `Display name` for the provider; note that, this name will be used to display the provider on the login page 5. Retrieve `Redirect URL`; this information will be required to be configured later with the Identity Provider ![OIDC SSO Configuration](/img/v2/account-settings/SSO-1.png) ![OIDC SSO Configuration](/img/v2/account-settings/OIDC-2.png) ![OIDC SSO Configuration](/img/v2/account-settings/OIDC-3.png) ### Azure AD, Configure NocoDB as an Application 1. Sign in to your [Azure account](https://portal.azure.com/#allservices) and navigate to `Azure Active Directory` under `Azure Services`. 2. Access `Manage Tenants` from the navigation bar, select your directory, and click `Switch`. 3. On your directory's homepage, click `+ Add` > `App Registration` from the navigation bar. 4. On the `Register an application` page, - Provide your application's name. - Set `Accounts in this organizational directory only` as the `Supported account types`. - Choose `Web` as the Application type - Add the `Redirect URL` under `Redirect URIs`. - `Register` 5. On your application's homepage, - Copy the `Application (client) ID` - Click `Add a certificate or secret` under `Client credentials` section - On `Certificates & secrets` page, go to `Client secrets` section - Click `New client secret` - On `Add a client secret` page, - Add a description for the secret - Set expiration as required - `Add` - Copy the `Value` of the newly created secret 6. On your application's homepage, - Go to `Endpoints` tab - Open `OpenID Connect metadata document` URL & copy `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint` & `jwks_uri` from the JSON response 7. Configuring scopes - Go to `API permissions` tab - Click `Add a permission` - On `Request API permissions` page, - Select `Microsoft Graph` from `Microsoft APIs` - Select `Delegated permissions` - Select `openid` `profile` `email` `offline_access` from `Select permissions` dropdown - From `Users` dropdown, select `User.Read` - `Add permissions` - Click `Grant admin consent for this directory` from the `API permissions` page ### NocoDB, Configure Azure AD as an Identity Provider On NocoDB, open `Account Settings` > `Authentication` > `OIDC`. On the "Register OIDC Identity Provider" modal, insert the following information: - Insert `Application (client) ID` retrieved in step (7) above as `Client ID` - Insert `Value` of the newly created secret retrieved in step (7) above as `Client Secret` - Insert `authorization_endpoint` retrieved in step (8) above as `Authorization URL` - Insert `token_endpoint` retrieved in step (8) above as `Token URL` - Insert `userinfo_endpoint` retrieved in step (8) above as `Userinfo URL` - Insert `jwks_uri` retrieved in step (8) above as `JWK Set URL` - Set `Scope` as `openid` `profile` `email` `offline_access` For Sign-in's, user should be able to now see `Sign in with ` option. ![SAML SSO Configuration](/img/v2/account-settings/SSO-SignIn.png) :::note Post sign-out, refresh page (for the first time) if you do not see `Sign in with ` option ::: For information about Azure AD API Scopes, refer [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access)