
# Microsoft Entra ID

> How to set up Microsoft Entra ID with Unblocked

Centralize your team's access to Unblocked by connecting it to Microsoft Entra ID.

## Configure Single Sign-On

Follow the steps below to configure single sign-on for Microsoft Entra ID.

<Steps>
  <Step title="Go to the Unblocked SSO Settings">
    Navigate to the **Settings** section of the Unblocked web app.
    Under Team Settings, select **Security**.
    Locate the Single Sign-On section and click **Configure**.

    <img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/sso/saml-unconfigured.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=8a085ce78bd64c22e88430e6ded14685" alt="SSO Configuration" width="2880" height="1821" data-path="img/sso/saml-unconfigured.png" />
  </Step>

  <Step title="Create a Microsoft Entra ID Application">
    From your Microsoft Entra ID admin dashboard, navigate to the **Enterprise applications** tab.
    Click **New application**, then click **Create your own application** to create a new application using `SAML`.

    Enter "Unblocked" as the app name and click **Create**.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/entra/create.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=2fccca43f4f85821766a61f45c37946d" alt="Create your own application" width="2782" height="1824" data-path="img/sso/entra/create.png" />
  </Step>

  <Step title="Configure Basic SAML Configuration">
    Click **Set up single sign on** and select **SAML**.

    Enter the following values for the **Basic SAML Configuration**:

    * Identifier (Entity ID): copy value from Unblocked Single Sign-On settings
    * Reply URL (Assertion Consumer Service URL): copy value from Unblocked Single Sign-On settings

    Leave other fields blank.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/entra/saml.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=3a7cad765414c043ce26095eb879a542" alt="Microsoft Entra ID SAML Settings" width="2782" height="1824" data-path="img/sso/entra/saml.png" />
  </Step>

  <Step title="Configure Attributes & Claims">
    The default attribute and claim mappings are sufficient for Unblocked. They should look like this:

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/entra/attributes.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=435b5a5dca6f917a6cc11577f4827cf3" alt="Microsoft Entra ID Attribute Mapping" width="2782" height="1824" data-path="img/sso/entra/attributes.png" />
  </Step>

  <Step title="Set up Unblocked">
    From the **SAML Certificate** section of your Microsoft Entra ID application,
    download the Base64 certificate and copy the contents of the downloaded file into the Certificate field in
    Unblocked.

    Then, copy the following two values from your new application into Unblocked:

    * `Login URL`
    * `Microsoft Entra Identifier`
  </Step>

  <Step title="Assign Users">
    Assign users and groups to your Microsoft Entra ID application to grant them access to Unblocked.
  </Step>
</Steps>
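
A check worth running on the downloaded Base64 certificate before pasting it into the Certificate field: confirm the file holds exactly one certificate and compute its thumbprint to compare with the one the Entra portal lists for the signing certificate. This is an added example, not Unblocked's or Microsoft's code; the function name and sample data are constructed for illustration, and that the portal displays a SHA-1 thumbprint is an assumption.

```python
import base64
import hashlib
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed sample: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def saml_cert_thumbprints(pem_text: str) -> dict:
    """Return SHA-1 and SHA-256 thumbprints of the single certificate in pem_text.

    Raises ValueError unless the text is exactly one CERTIFICATE block, which
    catches a truncated paste, a certificate chain, or a private key file.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"expected a CERTIFICATE block, found {label!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:  # DER-encoded X.509 starts with a SEQUENCE tag
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    # SHA-1 is used here only as a display identifier, not for security.
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


if __name__ == "__main__":
    print(saml_cert_thumbprints(SAMPLE_PEM))
```

Pass the text of the downloaded certificate file in place of `SAMPLE_PEM`.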

## User and Group Provisioning

Once you've configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked.
This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in Microsoft Entra ID.

To configure SCIM provisioning from Microsoft Entra ID to Unblocked, you'll need to set up provisioning in Microsoft Entra ID.

<Steps>
  <Step title="Generate SCIM API Token">
    In the Unblocked web app, navigate to the **Settings** section.
    Under Team Settings, select **Security**.
    Locate the SCIM User and Group Provisioning section and click **Configure**.

    <img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/scim/scim-unb-configure.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=2f4c317ea748c63c6b2b9dbcf3806d31" alt="SCIM Configure" width="2880" height="1820" data-path="img/scim/scim-unb-configure.png" />

    Click **Add Token** to generate a new API token for SCIM provisioning. Copy both the new API token and the **Base URL**.

    <img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/scim/scim-unb-keys.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=41595680248cb3c5444d1a748d4dae93" alt="Generate API Token" width="2880" height="1820" data-path="img/scim/scim-unb-keys.png" />
  </Step>

  <Step title="Navigate to Provisioning">
    From your Microsoft Entra ID admin dashboard, navigate to your previously created Unblocked Application.
    Select **Provisioning** from the **Manage** menu, or select the **Provision User Accounts** tile.

    <img src="https://mintcdn.com/unblocked/GS-c8rr-FQWhrU4y/img/scim/entra/scim-entra-start.png?fit=max&auto=format&n=GS-c8rr-FQWhrU4y&q=85&s=c6308d00200a4f95f3c09db5bb08573e" alt="Add application" width="2782" height="1824" data-path="img/scim/entra/scim-entra-start.png" />
  </Step>

  <Step title="Set Up Provisioning">
    On the next page, enter the following details:

    * Set the **Provisioning Mode** to **Automatic**.
    * Set the **Tenant URL** to the **Base URL** that you copied earlier from Unblocked.
    * Set the **Secret Token** to the API Token that you copied earlier from Unblocked.

    Click **Test Connection** to verify the connection, and then click **Save**.

    <img src="https://mintcdn.com/unblocked/GS-c8rr-FQWhrU4y/img/scim/entra/scim-entra-provisioning.png?fit=max&auto=format&n=GS-c8rr-FQWhrU4y&q=85&s=1a1232fd4e25a2539483601d7eefa73a" alt="Setup preference" width="2782" height="1824" data-path="img/scim/entra/scim-entra-provisioning.png" />
  </Step>

  <Step>
    On the Provisioning **Overview** page, click **Start Provisioning** to begin syncing users and groups from Microsoft Entra ID to Unblocked.
    This completes the setup for SCIM provisioning from Microsoft Entra ID to Unblocked.
  </Step>
</Steps>

## Enforce SSO

Once SSO is configured, you can enforce its use for your team.
This means all team members will be required to sign in using your SSO provider.

There are two enforcement options:

* **SSO Only**:
  Users will be required to sign in to Unblocked using SSO.
  You may need to sign in with SSO before enabling this option.

* **SSO, a Source Code System, or Slack**:
  Users can sign in using SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack.

<img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/sso/enforce/sso-enforce-off-zoom.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=2027f8e85edbc59c56fdc8a6894397e8" alt="SSO Enforcement Options" width="1748" height="1114" data-path="img/sso/enforce/sso-enforce-off-zoom.png" />

## Allowed Email Domains

Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login.
This creates a seamless login experience and routes users through the correct authentication flow.

You can add multiple domains to enable SSO login detection for users with different email addresses.
To verify a domain:

<Steps>
  <Step title="Add Domain">
    Click **Add Domain** and enter the domain name you want to verify.
  </Step>

  <Step title="Verify Domain">
    Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.
  </Step>
</Steps>

Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.

Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to
your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).

## Download Unblocked Logo

To help your users easily recognize Unblocked in their identity provider dashboard,
download the Unblocked logo for use in your SSO application.

<img src="https://mintcdn.com/unblocked/soZi90zJ9_abJhu-/img/brand/unblocked-512x512.png?fit=max&auto=format&n=soZi90zJ9_abJhu-&q=85&s=1dddee26e2a67f4de23cb62f773c2319" alt="Unblocked Logo" width="50%" data-path="img/brand/unblocked-512x512.png" />
