Setting up Microsoft Entra SSO

Configure Microsoft Entra ID (formerly Azure AD) as your single sign-on provider — step-by-step admin guide.

Updated 2 Jun 2026

This is the admin guide for connecting Microsoft Entra ID (formerly Azure AD) to your Clment organisation. Once configured, your users sign into Clment with their work Microsoft account — no separate Clment password.

Prerequisites:

  • Pro or Enterprise plan (SSO isn’t available on Free).
  • An Entra ID admin role (Application Administrator or higher).
  • About 20 minutes.

Step 1: Register Clment as an app in Entra ID

In the Azure Portal → Microsoft Entra ID → App registrations → + New registration.

  • Name: Clment (or whatever you prefer; this is what users see at the consent prompt).

  • Supported account types: Accounts in this organizational directory only. (Choose multi-tenant if your team uses guest accounts from other tenants.)

  • Redirect URI: Web platform, value:

    • US region: https://identity.us.clment.com/auth/sso/microsoft/callback
    • EU region: https://identity.eu.clment.com/auth/sso/microsoft/callback
    • AU region: https://identity.au.clment.com/auth/sso/microsoft/callback

    Pick the region matching where your Clment org lives. (See Picking your data region if you’re not sure.)

  • Click Register.

Copy the Application (client) ID and the Directory (tenant) ID from the Overview page — you’ll need both.

Step 2: Create a client secret

Still in the registration → Certificates & secrets → + New client secret.

  • Description: Clment SSO.
  • Expires: 24 months is standard. Set a calendar reminder to rotate.
  • Click Add.

Copy the Value (not the ID) immediately — Entra shows it once and never again.

Step 3: Grant the API permissions

Still in the registration → API permissions → + Add a permission → Microsoft Graph → Delegated permissions.

Add these scopes:

  • openid
  • profile
  • email
  • User.Read

Click Add permissions. If your tenant requires admin consent for any of these, click Grant admin consent for [your tenant name] (the button is labelled with your tenant's display name).

Step 4: Configure in Clment

In Clment: Settings → Security → Single sign-on → Connect Microsoft Entra ID.

Paste in:

  • Tenant ID (from step 1).
  • Client ID (from step 1).
  • Client Secret (from step 2).

Click Save. Clment validates the credentials immediately by attempting a discovery against your tenant; you’ll see a green tick if successful.

Step 5: Test

The Test sign-in button on the SSO config page opens a fresh window and walks through the SSO flow. You should:

  1. Land on the Microsoft sign-in page.
  2. Enter your credentials.
  3. See the Clment consent screen (if first-time).
  4. Get redirected back to Clment, signed in.

If anything fails, the error page tells you what — most commonly a redirect URI mismatch (re-check step 1) or a missing scope (re-check step 3).
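As an added pre-flight check (example code, not part of Clment or this guide), the following Python script tests the values you pasted in step 4 against the failure modes named above: a redirect URI that does not match the regional callback byte for byte, a missing Graph scope, a discovery document whose issuer is not your tenant's v2.0 authority, and a client secret nearing expiry. The tenant ID and discovery document are constructed stand-ins, and the 30-day rotation window is an assumption; the discovery URL format is Microsoft's standard well-known endpoint.

```python
from datetime import date, timedelta

# Callback URLs from Step 1, keyed by Clment data region.
CALLBACKS = {
    "us": "https://identity.us.clment.com/auth/sso/microsoft/callback",
    "eu": "https://identity.eu.clment.com/auth/sso/microsoft/callback",
    "au": "https://identity.au.clment.com/auth/sso/microsoft/callback",
}
# Delegated Microsoft Graph scopes from Step 3.
REQUIRED_SCOPES = {"openid", "profile", "email", "User.Read"}
# Constructed placeholder tenant ID; substitute the Directory (tenant) ID from Step 1.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
# Constructed stand-in for the tenant's OIDC discovery document (Clment fetches it live in Step 4).
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
}


def discovery_url(tenant_id):
    """Well-known OIDC discovery endpoint for a tenant's v2.0 authority."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_config(region, redirect_uri, granted_scopes, secret_expires, discovery, tenant_id, today):
    """Return the list of problems found; an empty list means the registration matches this guide."""
    problems = []
    expected_uri = CALLBACKS[region]
    # Entra matches redirect URIs exactly: scheme, host, path and trailing slash all count.
    if redirect_uri != expected_uri:
        problems.append(f"redirect URI mismatch: registered {redirect_uri!r}, expected {expected_uri!r}")
    missing = REQUIRED_SCOPES - set(granted_scopes)
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    # The issuer must be this tenant's v2.0 issuer; anything else means the wrong authority is configured.
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if discovery.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: discovery returned {discovery.get('issuer')!r}")
    # Secrets expire silently; flag anything inside a 30-day rotation window (threshold is an assumption).
    if secret_expires - today <= timedelta(days=30):
        problems.append(f"client secret expires {secret_expires.isoformat()}; rotate it now")
    return problems


if __name__ == "__main__":
    # Deliberately broken input: trailing slash on the URI, two scopes missing, secret expiring in 18 days.
    for line in check_config("eu", CALLBACKS["eu"] + "/", ["openid", "profile"],
                             date(2026, 6, 20), SAMPLE_DISCOVERY, TENANT_ID, date(2026, 6, 2)):
        print("PROBLEM:", line)
```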

Step 6: Disable password sign-in (optional)

Once you’ve confirmed SSO works for everyone who needs access, you can lock down the org so password sign-in is no longer allowed:

Settings → Security → Allowed sign-in methods → uncheck Password, leave Microsoft ticked.

Effects:

  • Users who previously signed in with email + password are walked through Microsoft SSO on their next sign-in. (If they need their password back later — e.g. you re-enable password sign-in — they can reset it from the sign-in page.)
  • The email/password signup form is hidden for your org’s domain.
  • MCP custom connectors continue working — they use a separate token mechanism, not session passwords.

Restricting which Entra users can sign in

By default, any user in your Entra tenant can sign in to your Clment org once you’ve configured SSO. To restrict access to a specific group:

  • Entra-side: App registrations → the app you registered in step 1 → Properties → Assignment required → Yes. Then Enterprise applications → the same app → Users and groups → Add user/group for the people who should have access.

When a non-assigned user attempts to sign in, Entra blocks the consent step and Clment never sees the request.

For Clment-side user management, invite each user via the Team page in the normal way (Inviting users and roles) — their email needs to match what Entra returns at sign-in time.

Rotating the client secret

When the client secret in Entra is approaching expiry:

  1. Create a new client secret in Entra (step 2 above) with a new expiry.
  2. Update Clment with the new secret (Settings → Security → Single sign-on → Edit).
  3. Click Save. Existing sessions aren’t affected — only the next sign-in uses the new secret.
  4. Once verified, delete the old secret from Entra.
