Configuring SAML for Microsoft Entra ID (Azure AD)

This article describes how to set up SAML with Microsoft Entra ID. Microsoft renamed Azure Active Directory (Azure AD) to Entra ID. If you are currently using Azure AD in your organization, you can continue to use the service without interruption.

Prerequisites: You have the required administrative permissions to configure SAML support in the Automox console and in the Microsoft management service.

Automox Configure SAML Window

To complete this procedure, you must log in to the Automox console and have the information available from the Configure SAML window. Refer to Security: SAML-based Single Sign-on (SSO) for details about accessing the Security > SAML data.

Setting Up SAML with Microsoft Admin Center

In the Microsoft admin center, you must configure an Enterprise Application (Automox) and enable users for it. Refer to the Microsoft documentation for the most up-to-date version of the process. The basic outline is described here:

Log in to the Microsoft admin center.

Note: We refer to Microsoft in general for Microsoft Entra ID or Azure AD.

  1. Go to Enterprise applications. See also: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal.

  2. Click New Application.

  3. Click Create your own application.

  4. Enter a name for your app.

    • Under “What are you planning to do with your application”, select Integrate any other application you don’t find in the gallery (Non-gallery).

    • Click Create.

  5. Go to Manage > Single sign-on and select SAML.

  6. Under Basic SAML Configuration, click Edit. Now refer to your Automox console:

    • From the Automox > Configure SAML window, copy and paste these entries into the Microsoft Basic SAML Configuration. Remember to modify the URL to point to your org:

      • Automox Entity ID → Identifier (Entity ID)

      • Automox ACS URL → Reply URL (Assertion Consumer Service URL)

      • Automox Dashboard URL including org id → Relay State. For example: https://console.automox.com/dashboard?o=<Your Org ID>

    • Click Save. Close this configuration window.

  7. In Microsoft, go to SAML Certificates and download the Certificate (Base64).

    • Open the certificate using a basic text editor and copy the certificate (excluding any trailing blank lines). This is known as x509 for the next step.

    • Go to the Automox > Configure SAML window and paste into the x509 field.

  8. In Microsoft, scroll to Set up Automox (where “Automox” is whatever you named your Enterprise Application in Microsoft). Refer to this page to configure SAML in Automox.

    • Copy and paste the following from Microsoft to the Automox Configure SAML window:

      • Login URL → Login URL

      • Microsoft Entra Identifier → Entity ID

      • Logout URL → Logout URL

    • Select (Optional) Provision New Users. (Note: This setting is recommended to make it easier to add users who are new to Automox.)

    • Switch on Enable SAML for users of the zone. (This is at the top of the Automox Configure SAML window.)

    • Save the SAML configuration in Automox.

    • Log out of Automox.

  9. Enable Automox (your Enterprise App) to be seen in the user's app launcher (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/access-panel-collections).

    • Microsoft → Manage, click User Settings.

    • “User feature previews” section → click Manage user feature preview settings

    • “Users can use preview features for My Apps” → select “All”.

  10. You can enable users to access Automox from within Microsoft. 

    • Go to Manage → Enterprise Applications → Automox (or whatever you called your enterprise app).

    • In the Getting Started section, click Assign users and groups.

    • Click + Add user/group.

    • Select and assign the user(s). Use the search to find users, as needed.

  11. The newly displayed user can access Automox with this same email address by going to My Apps in Microsoft 365. Select the new enterprise app (Automox) tile.
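
A pre-flight check for the values copied in steps 6 and 7, as an added example that is not part of the original article or of Automox's tooling: it strips blank lines from the pasted certificate, confirms that the Base64 decodes to a complete DER structure (a truncated paste fails), and flags a Relay State that still carries the `<Your Org ID>` placeholder. The function names, the `example.invalid` URL and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlparse

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def normalize_pem(text):
    """Return (clean PEM, SHA-256 of the DER); raise ValueError on a damaged paste."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]  # drops blank lines
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END CERTIFICATE markers")
    # validate=True rejects stray characters; binascii.Error is a ValueError
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    # A certificate is one ASN.1 SEQUENCE whose declared length covers all the data.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        n, declared = 0, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        declared = int.from_bytes(der[2:2 + n], "big")
    if 2 + n + declared != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return "\n".join(lines), hashlib.sha256(der).hexdigest()

def check_sp_values(entity_id, acs_url, relay_state):
    """Return a list of problems with the values pasted in step 6."""
    problems = []
    if not entity_id.strip():
        problems.append("Identifier (Entity ID) is empty")
    for name, url in (("Reply URL", acs_url), ("Relay State", relay_state)):
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name} must be an absolute https URL")
    org = parse_qs(urlparse(relay_state).query).get("o", [""])[0]
    if not org or "<" in org:
        problems.append("Relay State has no org id in ?o=")
    return problems

def sample_pem():
    """Constructed placeholder: DER-shaped zero bytes, not a real certificate."""
    body = bytes(300)
    b64 = base64.b64encode(b"\x30\x82" + len(body).to_bytes(2, "big") + body).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n\n\n"  # trailing blank lines as in step 7

if __name__ == "__main__":
    print(normalize_pem(sample_pem())[1])
    print(check_sp_values("constructed-id", "https://sp.example.invalid/acs",
                          "https://console.automox.com/dashboard?o=<Your Org ID>"))
```

The check is structural only; it does not confirm that the certificate is the one shown under SAML Certificates, so keep the printed SHA-256 digest with the change record for later comparison.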

User Provisioning

To automatically provision a user, select the (Optional) Provision New Users checkbox in the Automox Configure SAML window. Then do as follows:

Manual Provisioning

To manually provision a user with SAML/SSO enabled, follow these steps in Automox: 

  1. Navigate to the Global Users management page (Manage Zones and Users button underneath the Org selection tab). 

  2. Click Users, then click Add User. Enter the same email address that is associated with the user account that you added to the Enterprise Application on the Microsoft side. 

  3. Once you add the user, an invitation email is sent to the address for the user to authorize their account. 

After that is completed, the user will be able to log in through console.automox.com with their email address; this will forward them to Microsoft for authentication. Users can also log in to the console with the tile from the My Apps page in Microsoft.

Note: When provisioning users, the user is created in Automox as a Read-Only user. The global administrator or zone administrator can adjust the role for newly created users by going to Setup & Configuration → Users.
