# Microsoft Entra ID Single Sign-On

{% hint style="info" %}
Once Microsoft Entra ID authentication has been enabled for your Swarmia organization, app users can no longer authenticate using other methods.
{% endhint %}

### Prerequisites

* A Microsoft Entra user with one of the following roles:
  * Privileged Role Administrator
  * Cloud Application Administrator
  * Application Administrator
  * Custom role that has [permission to grant permissions](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-consent-permissions) to applications

### Admin consent

Admin consent is required to allow [user-delegated permissions](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview) and, optionally, to later enable [assignment required](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/application-properties#assignment-required) so that only specified users can log in.

An Entra admin can consent using the URL below:

```
https://app.swarmia.com/microsoft/consent
```

Once an admin has consented, users in the tenant will not need an admin's consent to sign in to Swarmia.

### User-delegated permissions requested by Swarmia

<table><thead><tr><th width="169">Permission</th><th>Description</th></tr></thead><tbody><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#email">email</a></td><td>Allows Swarmia to read your users' primary email address</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#offline_access">offline_access</a></td><td>Allows Swarmia to continue to have read access to the user profile without the user reauthorizing</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#openid">openid</a></td><td>Allows users to sign in to Swarmia</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#profile">profile</a></td><td>Allows Swarmia to see your users' basic profile, e.g. display name</td></tr><tr><td><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#userread">User.Read</a></td><td>Allows Swarmia to read basic company information of the signed-in user</td></tr></tbody></table>
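
A check an Entra administrator can run after consenting, added here as an example (it is not Swarmia's or Microsoft's code): it compares the delegated scopes recorded in a Microsoft Graph `oauth2PermissionGrants` listing against the five permissions in the table above. The sample listing and every id in it are constructed placeholders, and `audit_grants` is a hypothetical helper name.

```python
import json

# Delegated scopes this page lists as requested by Swarmia (lowercased for comparison).
DOCUMENTED_SCOPES = {"email", "offline_access", "openid", "profile", "user.read"}

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants listing
# for one client service principal. All ids are placeholders, not real values.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "<client-sp-id>", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "<graph-sp-id>",
   "scope": " email offline_access openid profile User.Read"},
  {"id": "grant-2", "clientId": "<client-sp-id>", "consentType": "Principal",
   "principalId": "<user-id>", "resourceId": "<graph-sp-id>",
   "scope": "openid Mail.Read"}
]}
""")


def audit_grants(listing, documented=DOCUMENTED_SCOPES):
    """Compare consented delegated scopes against the documented set."""
    findings = {"tenant_wide": set(), "per_user": {}, "unexpected": {}, "missing": set()}
    for grant in listing.get("value", []):
        # The scope field is a space-separated string, sometimes with a leading space.
        scopes = {s.lower() for s in (grant.get("scope") or "").split()}
        if grant.get("consentType") == "AllPrincipals":
            findings["tenant_wide"] |= scopes      # admin consent for the whole tenant
        else:
            findings["per_user"].setdefault(grant.get("principalId"), set()).update(scopes)
        extra = scopes - documented
        if extra:
            findings["unexpected"][grant["id"]] = extra
    # Documented scopes that tenant-wide admin consent did not cover.
    findings["missing"] = set(documented) - findings["tenant_wide"]
    return findings


if __name__ == "__main__":
    result = audit_grants(SAMPLE_GRANTS)
    print("tenant-wide scopes:", sorted(result["tenant_wide"]))
    print("missing from admin consent:", sorted(result["missing"]))
    for grant_id, extra in result["unexpected"].items():
        print(f"grant {grant_id} has undocumented scopes: {sorted(extra)}")
```

An empty `missing` set together with an empty `unexpected` map means the consented scopes match the table exactly.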

### Sign up to a Swarmia instance using Entra ID

After granting admin consent, [sign up](https://app.swarmia.com/signup/) with Microsoft to create your Swarmia organization. This sets Microsoft Entra as the authentication provider for your organization. By default, the whole Microsoft tenant can log in to your organization.

### Configure Microsoft Entra ID login for an existing Swarmia organization

With Swarmia admin access, connect Microsoft Entra ID authentication for your organization.

{% hint style="info" %}
The installation will:

* verify that you have access to your organization's Microsoft Entra ID tenant
* enable the Microsoft Entra ID authentication for your organization
* expire all current GitHub-initiated sessions
* require you to log in again
{% endhint %}

1. Navigate to the [Microsoft Entra ID settings page](https://app.swarmia.com/settings/authentication/entra)
2. Click *Connect Microsoft Entra ID*
3. Log back in with Microsoft Entra ID by clicking *Sign in with Microsoft*

