Single Sign-On: Microsoft Entra

Moesif provides a single sign-on integration with Microsoft Entra.

In order to set up SSO with Microsoft Entra:

  • You must be a Microsoft Entra administrator
  • You must be on a Moesif enterprise plan with SSO enabled

Benefits of SSO

  • Improve security and regulatory compliance
  • Reduce IT costs through auto-provision and de-provisioning
  • Enforce policies like Multi-Factor Authentication (MFA), Password Reset, etc.
  • Improve usability for employees

How SSO works

Moesif supports both identity-provider (IdP) initiated and service-provider (SP) initiated single sign-on. In IdP-initiated sign-on, a user logs in through your IdP’s app directory. In SP-initiated sign-on, a user logs in by entering their employee email on Moesif’s website; because their email domain has SSO enabled, they are redirected to your organization’s single sign-on page. Once enabled, team management and role-based access control (RBAC) are handled by your identity provider rather than within the Moesif application.

Home Realm Discovery

Moesif’s SSO implementation supports Home Realm Discovery. This means SSO is enforced for your entire company domain, even if a new employee has not yet been added to your Moesif organization. This ensures employees cannot bypass SSO, for example by entering a username/password. It also reduces your IT burden: employees never have to decide which type of login to use, because the redirect happens automatically as soon as they enter their email.

Policies

Once SSO is enabled:

  • Team members cannot log in with a username/password or social login (like GitHub).
  • Password reset is disabled.
  • Users can only be provisioned or de-provisioned by the IdP. You cannot modify team members within Moesif.
  • Role-based access control (RBAC) is synced from your identity provider and cannot be changed within Moesif.

Enterprise Single Sign-On is available only on enterprise plans

How to set up Microsoft Entra with Moesif

Step 1: Create a New Application in Microsoft Entra

Log in to Microsoft Entra:

  • Access your Microsoft Entra admin portal.
  • Navigate to App registrations: go to Azure Active Directory > App registrations.

Register a New Application:

  • Click on New registration.
  • Enter a name for your application (e.g., “Moesif Integration”).
  • Set the Platform to Web.
  • Set the Redirect URI to https://auth.moesif.com/login/callback.
  • Click Register.
  • Make note of the Application (client) ID. Moesif will need this later.

Step 2: Configure Authentication

Set Authentication Settings:

  • In the newly created application, navigate to Authentication.
  • Add a platform by selecting Web.
  • Set the Redirect URI to https://auth.moesif.com/login/callback.
  • Enable ID tokens under Implicit grant and hybrid flows.
  • Click Save.

Step 3: Set Up API Permissions

Set API Permissions:

  • Navigate to API permissions in the left panel.
  • Click Add a permission.
  • Select Microsoft Graph.
  • Choose Delegated permissions.
  • Add the following permissions:
    • openid
    • profile
    • email
  • Click Add permissions.

Grant Admin Consent:

  • Click Grant admin consent for [Your App Name].
  • Confirm the action.

Step 4: Configure Certificates & Secrets

Certificates & Secrets:

  • Navigate to Certificates & secrets.
  • Click New client secret.
  • Add a description (e.g., “Moesif Secret”).
  • Set an expiration period.
  • Click Add.
  • Copy the Value of the client secret and make a note of it; you will need to share it with the Moesif team later.

Step 5: Share with Moesif

Send an email to your customer success representative or to support@moesif.com with the following information:

  1. Your Application (client) ID
  2. Your Entra domain
  3. Your Client Secret
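Steps 1 through 4 above, carried out with the Microsoft.Graph PowerShell SDK instead of the portal, as an added example that is not part of Moesif’s documentation. It assumes the Microsoft.Graph module is installed and that you sign in with an Entra administrator account; the six-month secret lifetime is an assumed value.

```powershell
# Added example (not Moesif documentation): registers the Moesif application with
# the Microsoft.Graph SDK so the configuration is reproducible and reviewable.
# Assumes the Microsoft.Graph module is installed and you are an Entra administrator.
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "Domain.Read.All"

$redirectUri = "https://auth.moesif.com/login/callback"
$graphAppId  = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known appId)

# Resolve the delegated OIDC scopes (openid, profile, email) from Graph's own
# service principal rather than hard-coding their ids.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$scopes  = $graphSp.Oauth2PermissionScopes |
           Where-Object { $_.Value -in 'openid','profile','email' }

# Steps 1-3: Web platform, Moesif callback URI, ID token issuance, three scopes.
$app = New-MgApplication -DisplayName "Moesif Integration" -SignInAudience "AzureADMyOrg" `
    -Web @{
        RedirectUris          = @($redirectUri)
        ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false }
    } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @($scopes | ForEach-Object { @{ Id = $_.Id; Type = "Scope" } })
    })

# A service principal must exist before tenant-wide admin consent can be recorded.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Step 3 (Grant admin consent): consent for exactly the three requested scopes.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
    -ResourceId $graphSp.Id -Scope "openid profile email" | Out-Null

# Step 4: client secret with an explicit expiry (assumed: six months).
# The secret value is returned only by this call; it cannot be read back later.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Moesif Secret"
    EndDateTime = (Get-Date).AddMonths(6)
}

# Values requested in Step 5. Store the secret in a vault and keep it out of
# shell history and logs; $secret.SecretText holds the value to share.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    EntraDomain         = (Get-MgDomain | Where-Object IsDefault).Id
    ClientSecretExpires = $secret.EndDateTime
}
```

Record the secret's expiry somewhere it will be acted on: when it lapses, SSO logins to Moesif fail until a new secret is created and shared.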

Step 6: Test the Integration

Test Authentication:

  • Navigate to your Moesif application.
  • Attempt to log in using Microsoft Entra credentials.
  • Ensure that the authentication flow completes successfully and that you are redirected back to Moesif.

Verify Data Flow:

  • Check Moesif to ensure that API call metrics and user data are being captured correctly.

Once enabled

Any employee logging in with your company’s domain will automatically be redirected to the single sign-on page, where they can click log in. All team management and role-based access control actions are done through your identity provider. Moesif automatically syncs user accounts.

Disabling SSO

An organization can disable SSO at any time by contacting their technical account manager. Once disabled, existing team members who already had an account prior to SSO can log in with their password. New users who were provisioned through SSO can reset their password to log in.
