# Microsoft Entra ID

> Configure Microsoft Entra ID (Azure AD) as a SAML identity provider for Datafold SSO. Step-by-step setup and configuration guide.

## Azure AD / Entra ID as a SAML Identity Provider

In the Entra admin center, create an **Enterprise Application** for Datafold: open **Enterprise applications**, click **New application**, then **Create your own application**, and choose the non-gallery option (*Integrate any other application you don't find in the gallery*). Once the app exists, open its **Single sign-on** blade and select **SAML**.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/AzureEntraIDSAMLEnterpriseApp-ac80b4305fc06a4a80a45532d718710a.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=f046f4325a41d25294d72b72bc7e7f32" width="1724" height="1402" data-path="images/AzureEntraIDSAMLEnterpriseApp-ac80b4305fc06a4a80a45532d718710a.png" />
</Frame>

In the **SAML Certificates** section, **copy** the **App Federation Metadata Url**. This document carries your tenant's issuer (entity ID), sign-on URL and signing certificate, which is everything the service-provider side needs to validate assertions from this tenant.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/AzureEntraIDSAMLEnterpriseAppInitialConfig-6d5935f0a7efeec4595856d5171c3182.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=c0e3cd95b03d1101df57c76076ad7b50" width="1334" height="1798" data-path="images/AzureEntraIDSAMLEnterpriseAppInitialConfig-6d5935f0a7efeec4595856d5171c3182.png" />
</Frame>

In Datafold, create a new SSO integration: navigate to **Settings** → **Integrations** → **Add new Integration** → **SAML**.

Paste the **copied** URL into **Identity Provider Metadata URL**.

<Frame>
  <img src="https://mintcdn.com/datafold/9DgdnO4sVNte36u-/images/saml_create-3716c6fe01352ea69c647a7856adf189.png?fit=max&auto=format&n=9DgdnO4sVNte36u-&q=85&s=d664571269b205f66ed0bfb051107a91" width="2088" height="1452" data-path="images/saml_create-3716c6fe01352ea69c647a7856adf189.png" />
</Frame>

Back in Entra ID, edit the **Basic SAML Configuration** of your Enterprise App. Both values must match the Datafold fields exactly: Entra ID refuses to send a response to a Reply URL it does not know, and a mismatched Identifier makes Datafold reject the assertion's audience.

Copy the read-only field **Service Provider ACS URL** from Datafold and paste it into **Reply URL (Assertion Consumer Service URL)**.

Copy the read-only field **Service Provider Entity ID** from Datafold and paste it into **Identifier (Entity ID)**.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/AzureEntraIDSAMLEnterpriseAppSAMLConfig-f04cd556cd232163a85a3ff2e47e5e7e.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=914fa717d4ab2ed87ffc04a67c99cf0e" width="1204" height="1468" data-path="images/AzureEntraIDSAMLEnterpriseAppSAMLConfig-f04cd556cd232163a85a3ff2e47e5e7e.png" />
</Frame>

In Datafold, click **Save** to create the SAML integration.

Next, edit the **Attributes & Claims**. By default, the **Unique User Identifier** (the SAML NameID) is set to `user.userprincipalname`, which is correct when every user's UPN equals their Datafold email address. If your tenant has several domains (e.g., `@datafold.com` and `@datafold.onmicrosoft.com`), or UPNs that differ from mail addresses, make sure the claim resolves to the email address each user has in Datafold; otherwise switch the claim source to `user.mail` or another attribute that holds that address. A NameID that does not match an existing Datafold email means the login cannot be linked to the right account.

(Optional step) Add two additional claims named `first_name` and `last_name`, sourced from `user.givenname` and `user.surname`, so Datafold can fill in user names.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/AzureEntraIDSAMLEnterpriseAppSAMLAttribute-99692a9fa1d102a1eaa818d36c6b812e.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=0e1e60e7e3feeff95983c959da115188" width="1146" height="682" data-path="images/AzureEntraIDSAMLEnterpriseAppSAMLAttribute-99692a9fa1d102a1eaa818d36c6b812e.png" />
</Frame>

Finally, edit the **SAML Certificates**. Set the **Signing Option** to **Sign SAML response and assertion**, so that both the outer response and the assertion inside it carry a signature Datafold can verify, rather than the assertion alone.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/AzureEntraIDSAMLEnterpriseAppCertificates-c4582a0cf51f8dcdae03013810278e00.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=8fd247f9d4d784561868cf9359a16d6f" width="1338" height="602" data-path="images/AzureEntraIDSAMLEnterpriseAppCertificates-c4582a0cf51f8dcdae03013810278e00.png" />
</Frame>

After making sure your own account is assigned to the Enterprise Application (under **Users and groups**), log out of Datafold. Then, in the Enterprise App's single sign-on page, click **Test** under **Test single sign-on with DatafoldSSO**.
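The metadata URL pasted above is where Datafold learns the tenant's issuer, sign-on URL and signing certificate, so it is worth confirming that you copied the right tenant's document before the first login test. The following is an added example, not Datafold's or Microsoft's code: it parses a constructed, trimmed federation metadata document, checks that the `entityID` is your tenant's `https://sts.windows.net/<tenant-id>/` issuer, and computes the SHA-1 thumbprint of each signing certificate so you can compare it with the thumbprint shown under **SAML Certificates**. `TENANT_ID` is made up and the certificate body is a placeholder; pass the real document fetched from your App Federation Metadata Url to `parse_idp_metadata` instead.

```python
"""Check an Entra ID federation metadata document before trusting its URL in Datafold.
Added example, not Datafold's or Microsoft's code. SAMPLE_METADATA is a constructed,
trimmed document; TENANT_ID is made up and the certificate body is a placeholder."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

TENANT_ID = "11111111-2222-3333-4444-555555555555"
# "YWJj" is base64("abc"), standing in for a real DER-encoded certificate.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sha1_thumbprint(der):
    """Uppercase hex SHA-1 of the DER bytes, the format the Entra portal displays."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_idp_metadata(xml_text):
    """Extract issuer, redirect sign-on URL and signing-cert thumbprints from IdP metadata."""
    # The document comes from Microsoft over TLS; for XML from less trusted
    # sources use defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprints.append(sha1_thumbprint(der))
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "signing_thumbprints": thumbprints,
    }


def check_metadata(info, expected_tenant_id):
    """Return problems found; an empty list means the document belongs to the expected tenant."""
    problems = []
    if info["entity_id"] != f"https://sts.windows.net/{expected_tenant_id}/":
        problems.append(f"entityID {info['entity_id']!r} is not this tenant's issuer")
    if not (info["sso_url"] or "").startswith("https://login.microsoftonline.com/"):
        problems.append("no HTTPS-Redirect SingleSignOnService on login.microsoftonline.com")
    if not info["signing_thumbprints"]:
        problems.append("no signing certificate: response signatures could not be verified")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("signing thumbprints:", info["signing_thumbprints"])
    print(check_metadata(info, TENANT_ID) or ["metadata OK for tenant " + TENANT_ID])
```

To run it against your tenant, fetch the App Federation Metadata Url (for example with `urllib.request.urlopen(url).read()`) and pass the bytes to `parse_idp_metadata`; the thumbprint it prints should equal the one in the portal's **SAML Certificates** section, and a second thumbprint appears during a certificate rollover while both the old and new certificate are published.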

## Synchronize users with Datafold \[Optional]

Set this up if you want Datafold to disable users automatically once they are no longer assigned to the configured Microsoft Entra application. Without it, removing a user from the Enterprise Application blocks new SAML logins but leaves the Datafold account enabled.

1. In the Entra admin center, open **App registrations**, select the registration that backs your Enterprise Application (it carries the same name), and go to **API permissions**.
2. Add the Microsoft Graph application permissions `Group.Read.All` and `User.ReadBasic.All`. Both are tenant-wide read permissions held by the application itself rather than by a signed-in user, so the client secret created below can enumerate every user and group in the directory; handle it like any other privileged credential.
   2.1 Click `Add a permission`.
   2.2 Select Microsoft Graph.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/1-e2efd77a0267ffe5f9fb14ef6be44c1f.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=a720a15fa9d640f9391f8fab7c9211c0" width="1480" height="866" data-path="images/1-e2efd77a0267ffe5f9fb14ef6be44c1f.png" />
</Frame>

2.3 Select **Application permissions** (not Delegated permissions) and add the two permissions above.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/2-00a764fe8abf4ef520abeaf7ae07d49e.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=13b9a24078632afb55d8c665f4e40f1f" width="1514" height="834" data-path="images/2-00a764fe8abf4ef520abeaf7ae07d49e.png" />

  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/3-eadbef3fd2f9c1d0326ed8a9721c16c2.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=fd83b4f6265f71cc3ca338d47104ada1" width="1506" height="398" data-path="images/3-eadbef3fd2f9c1d0326ed8a9721c16c2.png" />
</Frame>

3. Click **Grant admin consent** for your tenant; application permissions are not usable until an administrator consents.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/4-40f90f212a27572e669806bc36325bc7.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=fb0aa1f158f2aec6d6f4a1b3a081c20f" width="1580" height="784" data-path="images/4-40f90f212a27572e669806bc36325bc7.png" />
</Frame>

4. You should now see a <Icon icon="square-check" /> next to the permissions.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/5-257e23569930de31a6168ac10aaf5bf3.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=f28ea21f758290a2876d69fa51dc2da7" width="1544" height="482" data-path="images/5-257e23569930de31a6168ac10aaf5bf3.png" />
</Frame>

5. Generate a client secret so that Datafold can authenticate to Microsoft Graph as this application.
   5.1 Click `Certificates & secrets`.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/6-015ef3a0d51e4ee205d6bd5d5c888e8d.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=53b9bd989e8c0fabbe436dfd3464a1c1" width="2044" height="446" data-path="images/6-015ef3a0d51e4ee205d6bd5d5c888e8d.png" />
</Frame>

5.2 Click `New client secret`.
5.3 Type in a description, choose an expiry, and click `Add`. Copy the secret **Value** immediately (not the Secret ID); it is shown only once. Note the expiry date: when the secret lapses, the synchronization stops working until you create a new secret and update it in Datafold.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/7-a95118698bae900f1620b47905433fc4.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=552b5f52d806aa8b90681cc449584711" width="1042" height="478" data-path="images/7-a95118698bae900f1620b47905433fc4.png" />
</Frame>

6. In Datafold, navigate to **Settings** → **Integrations** → **SSO** → **Add new Integration** and select the Microsoft Entra ID logo.

<Frame>
  <img src="https://mintcdn.com/datafold/7pWtpSckJi2T0xZR/images/8-bfcf9d1f0679293415dad2a9b7c5ef6c.png?fit=max&auto=format&n=7pWtpSckJi2T0xZR&q=85&s=53e7d8df3ed9743261d59ffb842bd934" width="2072" height="622" data-path="images/8-bfcf9d1f0679293415dad2a9b7c5ef6c.png" />
</Frame>

7. Fill in the four required fields:<br />
   7.1 **Tenant ID** - [found on the tenant overview page](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant)<br />
   7.2 **Client Id** - the **Application (client) ID** from the app registration's overview page<br />
   7.3 **Client Secret** - the secret value you copied in step 5<br />
   7.4 **Principal Id** - the **Object ID** shown on the Enterprise Application's overview page (the service principal), not the Object ID of the app registration<br />
   7.5 Click **Save** to create the integration.<br />

If saving succeeds, Datafold was able to authenticate with these credentials and read the application's assignments, so the integration is valid. From then on, users who are no longer assigned to the configured application are disabled and logged out within at most one hour.
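To see what the four fields and two permissions are actually used for, and to verify them before pasting them into Datafold, here is an added example that is not Datafold's code: it obtains a token with the client-credentials grant, reads the Enterprise Application's assignments from Microsoft Graph (following pagination and expanding group assignments transitively, which is what `Group.Read.All` and `User.ReadBasic.All` permit), and lists which Datafold accounts would have to be disabled. All IDs, users and the secret are made up, and network access sits behind one `fetch` callable so that `make_fake_fetch()` can stand in for Entra ID offline; pass `http_fetch` and your real values to run it against your tenant.

```python
"""Dry-run of the access check the Datafold sync relies on: which identities are
assigned to the Enterprise Application, and which Datafold accounts therefore
should be disabled. Added example, not Datafold's code; all IDs below are made up."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed values standing in for the four fields of the Datafold form.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"     # Application (client) ID
CLIENT_SECRET = "not-a-real-secret"
PRINCIPAL_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # Enterprise Application Object ID
GROUP_ID = "cccccccc-cccc-cccc-cccc-cccccccccccc"
DATAFOLD_USERS = ["alice@datafold.com", "bob@datafold.com", "carol@datafold.com"]


def http_fetch(url, method="GET", data=None, headers=None):
    """Real transport: JSON over HTTPS. Swap in make_fake_fetch() to run offline."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id, client_id, client_secret, fetch=http_fetch):
    """Client-credentials grant: the app acts as itself, so the two application
    permissions (not any user's rights) decide what it may read."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return fetch(url, "POST", body, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]


def graph_get_all(url, token, fetch=http_fetch):
    """Follow @odata.nextLink so large tenants are not silently truncated."""
    while url:
        page = fetch(url, headers={"Authorization": f"Bearer {token}"})
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def assigned_upns(principal_id, token, fetch=http_fetch):
    """UPNs of every user assigned to the service principal, directly or through a group.
    Group.Read.All covers transitiveMembers; User.ReadBasic.All covers userPrincipalName."""
    auth = {"Authorization": f"Bearer {token}"}
    upns = set()
    for a in graph_get_all(f"{GRAPH}/servicePrincipals/{principal_id}/appRoleAssignedTo", token, fetch):
        if a["principalType"] == "User":
            user = fetch(f"{GRAPH}/users/{a['principalId']}?$select=userPrincipalName", headers=auth)
            upns.add(user["userPrincipalName"].lower())
        elif a["principalType"] == "Group":
            members = graph_get_all(
                f"{GRAPH}/groups/{a['principalId']}/transitiveMembers/microsoft.graph.user"
                "?$select=userPrincipalName", token, fetch)
            upns.update(m["userPrincipalName"].lower() for m in members)
    return upns


def accounts_to_disable(datafold_emails, assigned):
    """Datafold logins (matched case-insensitively on the UPN email) no longer assigned."""
    return sorted(e for e in datafold_emails if e.lower() not in assigned)


def make_fake_fetch():
    """Constructed offline stand-in for Entra ID and Graph, including one paginated response."""
    base = f"{GRAPH}/servicePrincipals/{PRINCIPAL_ID}/appRoleAssignedTo"
    routes = {
        f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token": {"access_token": "fake-token"},
        base: {"value": [{"principalType": "User", "principalId": "u-1"}],
               "@odata.nextLink": base + "?$skiptoken=page2"},
        base + "?$skiptoken=page2": {"value": [{"principalType": "Group", "principalId": GROUP_ID}]},
        f"{GRAPH}/users/u-1?$select=userPrincipalName": {"userPrincipalName": "Alice@datafold.com"},
        f"{GRAPH}/groups/{GROUP_ID}/transitiveMembers/microsoft.graph.user?$select=userPrincipalName":
            {"value": [{"userPrincipalName": "bob@datafold.com"}]},
    }

    def fetch(url, method="GET", data=None, headers=None):
        authed = url.endswith("/token") or (headers or {}).get("Authorization") == "Bearer fake-token"
        if url not in routes or not authed:
            raise PermissionError(f"unexpected or unauthenticated request: {url}")
        return routes[url]
    return fetch


def dry_run(fetch=None):
    """End to end: token -> assignments -> accounts Datafold would disable."""
    fetch = fetch or make_fake_fetch()
    token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET, fetch)
    return accounts_to_disable(DATAFOLD_USERS, assigned_upns(PRINCIPAL_ID, token, fetch))


if __name__ == "__main__":
    print("would disable:", dry_run())  # offline run against the constructed tenant
```

If `get_token` fails with an `AADSTS7000215` or similar invalid-secret error you pasted the Secret ID instead of the Value; if `appRoleAssignedTo` returns 403 the admin consent from step 3 is missing; and if it returns 404 the Principal Id is the app registration's Object ID rather than the Enterprise Application's.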
