
Set Up SSO with MS Entra ID

Simplify and secure user authentication by using SSO with Microsoft Entra ID (previously Azure Active Directory)

TopLeft supports Single Sign On (SSO) with Microsoft Entra ID (previously Azure Active Directory). Using SSO makes it easier and more secure to authenticate in TopLeft. Users have one less password to manage, and an organization's existing password and MFA policies are respected.

Whether or not SSO is used, TopLeft provisions user accounts based on the user accounts in the PSA. When logging in using SSO, users must use the email address on record in the PSA. If they log in with an email address different from the one on record in the PSA, SSO authentication will pass, but the user will not be associated with a TopLeft account and will not be logged in.

Configuring TopLeft

To configure SSO in TopLeft:

  1. As an administrator, click the gear icon in the main menu.
  2. Under Users, click Single Sign On.
  3. Click Update Configuration. You are taken to TopLeft's administration site to supply the SSO configuration. Changes are applied to your application within a few minutes.

Registering the Entra ID App

To use SSO in TopLeft, set up an app registration in your Azure tenant.

  1. Log into the Microsoft Azure management portal. If you have multiple directories/tenants, select the correct one.
  2. Under Azure Services, click Microsoft Entra ID.
  3. Create a new app registration. In the left-hand menu, click App Registrations, then click New Registration.

    1. Complete the form as follows:
      1. Name: TopLeft
      2. Who can use this application or access this API? Accounts in this organizational directory only
      3. Redirect URI:
        1. Platform: Web
        2. URI: https://yoursubdomain.topleft.team/sso/complete/azuread-oauth2/
          Replace yoursubdomain with the subdomain of your TopLeft application.
    2. Click Register.
    3. Take note of the Application (client) ID. Submit this in TopLeft's configuration form.
  4. Create a secret TopLeft will use to authenticate with Entra ID. Click "Add a certificate or secret".

    1. Click New Client Secret.

      1. Complete the form:
        1. Description: TopLeft
        2. Expires: Choose your preferred duration. You will need to create a new secret when this one expires. Create a future reminder or recurring ticket for yourself to replace the secret and reconfigure TopLeft before this secret expires.
      2. Click Add.
      3. Take note of the Value field and submit it in TopLeft's configuration form. Be aware that this is the secret's Value, not its Secret ID.
  5. Submit the Application (client) ID and Client Secret in the TopLeft configuration form. The TopLeft app will be reconfigured within a few minutes. The login screen will have a "Log in with Microsoft" button.
  6. Test SSO by logging in. If you're unable to approve TopLeft as an application due to limited Azure permissions, you can have an Azure administrator grant approval.
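
The expiry reminder from step 4 can be backed by a scheduled check. The following is an added example, not TopLeft or Microsoft code: it reads the JSON printed by `az ad app credential list --id <application-client-id>` and reports client secrets that are expired or expire within a warning window. The sample data, the 30-day window and the function names are assumptions.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape `az ad app credential list` prints (Graph
# passwordCredentials). The secret value itself is never part of this output.
SAMPLE = """[
  {"displayName": "TopLeft", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2025-06-15T12:00:00Z"},
  {"displayName": "TopLeft (old)", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2025-05-01T08:30:00.1234567Z"},
  {"displayName": null, "keyId": "00000000-0000-0000-0000-000000000003",
   "endDateTime": "2026-05-01T00:00:00Z"}
]"""


def parse_graph_time(value):
    # Assumption: timestamps are UTC; keep only YYYY-MM-DDTHH:MM:SS so that
    # 7-digit fractional seconds and the trailing "Z" do not break parsing.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_needing_rotation(credentials_json, now, warn_days=30):
    """Return (status, description, key_id, days_left) tuples, most urgent first."""
    findings = []
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days  # negative once the secret has expired
        if end <= now:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            continue
        name = cred.get("displayName") or "(no description)"
        findings.append((status, name, cred["keyId"], days_left))
    return sorted(findings, key=lambda f: f[3])


if __name__ == "__main__":
    # Pass a file holding real CLI output as the first argument, else use SAMPLE.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else datetime(2025, 6, 1, tzinfo=timezone.utc)
    found = secrets_needing_rotation(raw, now)
    for status, name, key_id, days_left in found:
        print(f"{status}: {name} (secret ID {key_id}), {days_left} days left")
    sys.exit(1 if found else 0)  # non-zero exit lets a scheduler raise the ticket
```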

Disable 2FA Required Mode

When you enable SSO, we recommend ensuring TopLeft's 2FA required mode is disabled, because the SSO provider will have its own 2FA mechanism.