# Microsoft Entra ID Single Sign-On

{% hint style="info" %}
Once Microsoft Entra ID authentication has been enabled for your Swarmia organization, it's no longer possible for app users to authenticate using other methods.
{% endhint %}

### Prerequisites

* A Microsoft Entra user with one of the following roles:
  * Privileged Role Administrator
  * Cloud Application Administrator
  * Application Administrator
  * Custom role that has [permission to grant permissions](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-consent-permissions) to applications

### Admin consent

Admin consent is required to allow [user-delegated permissions](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview) and, optionally, to later enable [assignment required](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/application-properties#assignment-required) so that only specified users can log in.

An Entra admin can consent using the URL below:

```
https://app.swarmia.com/microsoft/consent
```

Once an admin has consented, users in the tenant will not need an admin's consent to sign in to Swarmia.

### User-delegated permissions requested by Swarmia

<table><thead><tr><th width="169">Permission</th><th>Description</th></tr></thead><tbody><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#email">email</a></td><td>Allows Swarmia to read your users' primary email address</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#offline_access">offline_access</a></td><td>Allows Swarmia to continue to have read access to the user profile without the user reauthorizing</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#openid">openid</a></td><td>Allows users to sign in to Swarmia</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#profile">profile</a></td><td>Allows Swarmia to see your users' basic profile, e.g. display name</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#userread">User.Read</a></td><td>Allows Swarmia to read basic company information of the signed-in user</td></tr></tbody></table>
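
To check that the consent recorded in your tenant matches the table above, you can compare the delegated grants against this list. The following is an added example, not Swarmia's own tooling: it assumes you have saved the JSON returned by Microsoft Graph `GET /oauth2PermissionGrants` filtered by the `clientId` of the Swarmia service principal, and the function name, sample grants and placeholder ids are constructed for illustration.

```python
import json

# Delegated scopes listed in the table above.
DOCUMENTED_SCOPES = {"email", "offline_access", "openid", "profile", "User.Read"}

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants
# list response; all ids are placeholders, not real tenant values.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "grant-1", "clientId": "<swarmia-sp-object-id>",
         "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "<graph-sp-object-id>",
         "scope": " email offline_access openid profile User.Read"},
        {"id": "grant-2", "clientId": "<swarmia-sp-object-id>",
         "consentType": "Principal", "principalId": "<user-object-id>",
         "resourceId": "<graph-sp-object-id>",
         "scope": "User.Read Mail.Read"},
    ]
})


def audit_grants(response_text, expected=DOCUMENTED_SCOPES):
    """Compare granted delegated scopes with the documented list."""
    grants = json.loads(response_text).get("value", [])
    tenant_wide, findings = set(), []
    for g in grants:
        # Graph returns scopes as one space-separated string, sometimes
        # with a leading space; split() handles both.
        scopes = set((g.get("scope") or "").split())
        extra = scopes - expected
        if extra:
            # A scope outside the documented list deserves a closer look.
            findings.append((g["id"], g["consentType"], sorted(extra)))
        if g.get("consentType") == "AllPrincipals":
            # AllPrincipals grants are the tenant-wide (admin) consent.
            tenant_wide |= scopes
    return {
        "admin_consent_present": bool(tenant_wide),
        "missing_from_admin_consent": sorted(expected - tenant_wide),
        "unexpected": findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_RESPONSE), indent=2))
```

An empty `unexpected` list and an empty `missing_from_admin_consent` list mean the tenant-wide grant matches the documented scopes exactly.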

### Sign up to Swarmia instance using Entra ID

After granting admin consent, [sign up](https://app.swarmia.com/signup/) with Microsoft to create your Swarmia organization. This sets Microsoft Entra as the authentication provider for your organization. By default, the whole Microsoft tenant can log in to your organization.

### Configure the Microsoft Entra ID login to existing Swarmia organization

With Swarmia admin access, connect Microsoft Entra ID authentication for your organization.

{% hint style="info" %}
The installation will:

* verify that you have access to your organization's Microsoft Entra ID tenant
* enable the Microsoft Entra ID authentication for your organization
* expire all current GitHub-initiated sessions
* require you to log in again
{% endhint %}

1. Navigate to the [Microsoft Entra ID settings page](https://app.swarmia.com/settings/authentication/entra)
2. Click *Connect Microsoft Entra ID*
3. Log back in with Microsoft Entra ID by clicking *Sign in with Microsoft*
