Microsoft Entra ID Single Sign-On User Guide

Note: Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID in 2023. The underlying functionality is the same, but the portal branding, navigation, and some menu labels have changed. This guide replaces the previous "Azure AD Single Sign-On User Guide" (KA-01239).

This guide contains instructions to enable Microsoft Entra ID SSO for your Enable LMS.

First, you will register your Enable LMS in the Microsoft Entra admin center at https://entra.microsoft.com. Then we will add your configuration details to the LMS. By the end of these steps, you will be able to provide us with the configuration details that allow us to tie Entra ID SSO to your Enable LMS.

Configuration details we require

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret

We also require a list of your users' details from within Entra ID, including:

  • Email address

  • OID (Object ID)

Important - user attribute requirements

Make sure the following details exist for all users you want to sync:

  • Email

  • First name

  • Last name

Users will not be synced with your LMS if any of these are missing.
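Before you send Support the user list, you can find the accounts that fail these requirements directly from PowerShell. The script below is an added example, not part of this guide or of the Enable LMS. It assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph), that you sign in with an account allowed to consent to the read-only User.Read.All scope, and that the output file name enable-lms-users.csv is your own choice.

```powershell
# Added example, not part of the Virtual College guide: find directory users that the
# LMS sync would skip because Email, First name or Last name is missing.
# Assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
# User.Read.All is a read-only delegated scope; an admin may have to consent to it once.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Request only the properties needed; -All pages through the whole directory.
# Id is the Object ID (OID) that the guide asks for in the user list.
$users = @(Get-MgUser -All -Property Id,UserPrincipalName,Mail,GivenName,Surname,AccountEnabled)

$incomplete = @(foreach ($u in $users) {
    $missing = @()
    if ([string]::IsNullOrWhiteSpace($u.Mail))      { $missing += 'Email' }
    if ([string]::IsNullOrWhiteSpace($u.GivenName)) { $missing += 'First name' }
    if ([string]::IsNullOrWhiteSpace($u.Surname))   { $missing += 'Last name' }
    if ($missing.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            OID               = $u.Id
            Enabled           = $u.AccountEnabled
            Missing           = ($missing -join ', ')
        }
    }
})

$incomplete | Sort-Object UserPrincipalName | Format-Table -AutoSize
"$($incomplete.Count) of $($users.Count) users would be skipped by the sync."

# Users that pass the check, exported as the Email + OID list the guide asks for.
# The file name is an assumption; choose your own.
$users |
    Where-Object { $_.Mail -and $_.GivenName -and $_.Surname } |
    Select-Object @{ n = 'Email'; e = { $_.Mail } }, @{ n = 'OID'; e = { $_.Id } } |
    Export-Csv -Path .\enable-lms-users.csv -NoTypeInformation
```

Disabled accounts are included in the report so you can decide whether to fix or exclude them. If only members of particular groups are synced to the LMS, run the same checks over the members returned by Get-MgGroupMember -GroupId <group> -All instead of over every user in the directory.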


Registering your Enable LMS with Microsoft Entra ID

1. Add an app registration

  1. Sign in to the Microsoft Entra admin center as a user with at least the Application Administrator or Cloud Application Administrator role.

  2. In the left-hand navigation, expand Entra ID and select App registrations.

  3. On the App registrations page, click + New registration in the top toolbar.

  4. Enter a sensible Name for the registration (for example, Enable LMS SSO).

  5. Under Supported account types, leave the default Accounts in this organizational directory only (Single tenant) selected unless you have a specific reason to change it. Single tenant means only accounts from your own directory can sign in to the LMS through this registration.

    Screenshot 1 — App registrations landing page


  6. Under Redirect URI:

    • Platform: Web

    • URL: https://mydomain.vc-enable.co.uk/Login/OAuth2Callback, replacing mydomain with your Enable domain name and leaving the rest unchanged. Entra ID will only redirect a sign-in to a URI that matches an entry here exactly (scheme, host and path), so check the value for typos before you register.

  7. Click Register.

    Screenshot 2 — New app registration form

You will then be taken to the registration Overview page.

Screenshot 3 — Registration Overview page


Make a note of the Application (client) ID and the Directory (tenant) ID. You will need to send these to Virtual College Support so that we can link the registration to your Enable LMS.


2. Add authentication URLs

  1. From the app's left-hand menu, select Authentication.

  2. You will see the Redirect URI you added in step 1.

  3. Go to the Settings tab and enter the Front-channel logout URL: https://mydomain.vc-enable.co.uk/Logout — replacing mydomain with your domain name.

  4. Leave all other options (supported account types, etc.) at their defaults. In particular, leave the Implicit grant and hybrid flows boxes (Access tokens, ID tokens) unticked: this integration signs users in through the redirect URI and the client secret created in step 3, so implicit-flow tokens are not needed.

  5. Click Save.

    Screenshot 4 — Authentication blade


3. Create a client secret

  1. In the app's left-hand menu, select Certificates & secrets.

  2. Make sure the Client secrets tab is selected.

  3. Click + New client secret.

  4. Enter a Description (for example, Enable LMS SSO secret).

  5. Choose an Expires value. A shorter lifetime limits the damage if the secret is ever exposed, so pick the shortest period you can manage operationally.

    Important: Your LMS SSO will stop working when the client secret expires. Set a calendar reminder so you can create a new secret and send it to Virtual College Support before it expires. Microsoft no longer allows secrets that never expire; the maximum lifetime you can select in the portal is 24 months.

  6. Click Add. The page reloads and the new secret appears in the list.

  7. Copy the Value immediately. As soon as you leave this page the value is permanently obscured and cannot be retrieved — you would have to delete the secret and create another. This is the Client Secret referred to at the top of this guide.

Important: Copy the Value column, not the Secret ID. The Secret ID is only a reference label for the entry and will not work as a secret.

Screenshot 5 — Client secret created (Value still visible)
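If you prefer to manage the secret lifecycle from PowerShell rather than the portal, the following added example (not part of this guide or of the Enable LMS) creates a replacement secret with a six-month lifetime, prints its value once, and removes the previous secret only after you confirm that Support has switched the LMS over. It assumes the Microsoft Graph PowerShell SDK, an account that can consent to Application.ReadWrite.All, and the registration name Enable LMS SSO from step 1 (substitute the name you chose).

```powershell
# Added example, not part of the Virtual College guide: rotate the client secret without
# an outage. Assumes the Microsoft Graph PowerShell SDK and the registration name from
# step 1 ('Enable LMS SSO' is an assumption; use the name you chose).
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$appName = 'Enable LMS SSO'
$app = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $app -or $app.Count -gt 1) { throw "Expected exactly one registration named '$appName'" }

# 1. Add the replacement secret. Six months keeps exposure short while leaving time for
#    the handover; only this response ever contains the secret value.
$new = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Enable LMS SSO secret $(Get-Date -Format 'yyyy-MM')"
    EndDateTime = (Get-Date).AddMonths(6)
}
"New secret KeyId $($new.KeyId), expires $($new.EndDateTime). Send this value to Support now:"
$new.SecretText

# 2. Both secrets stay valid until the old one is removed, so SSO keeps working while
#    Support switches the LMS over. Remove the old secret(s) only after they confirm.
$null = Read-Host 'Press Enter once Virtual College Support confirms the LMS uses the new secret'

$old = (Get-MgApplication -ApplicationId $app.Id).PasswordCredentials |
    Where-Object { $_.KeyId -ne $new.KeyId }
foreach ($cred in $old) {
    Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
    "Removed old secret $($cred.KeyId) (was due to expire $($cred.EndDateTime))"
}
```

The value in $new.SecretText is shown only in this one response, exactly as in the portal; if you lose it, create another secret rather than trying to recover it.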


4. Add claims

  1. In the app's left-hand menu, select Token configuration.

  2. Click + Add optional claim.

  3. For Token type, select Access.

  4. From the list of claims, check email.

  5. Click Add.

    Screenshot 6 — Add optional claim (email), with Access selected and the email claim ticked

You may then be prompted with an additional option:

  • Check Turn on the Microsoft Graph email permission (required for claims to appear in token).

  • Click Add.

This is done so that we can uniquely identify users the first time they log in.


5. Expose an API

  1. In the app's left-hand menu, select Expose an API.

  2. Next to Application ID URI, click Add, accept the default (api://<client-id>), and click Save.

  3. Under Scopes defined by this API, click + Add a scope.

  4. Complete the Add a scope form:

    • Scope name: access_as_user

    • Who can consent?: Admins and users

    • Fill in the Admin consent display name and Admin consent description (these are mandatory).

    • State: Enabled

  5. Make a note of the Admin consent display name — you may be asked for it later.

  6. Click Add scope.

    Screenshot 7 — Add a scope (access_as_user)


6. Add permissions for the API

Next, add the permissions so that our application can read your directory and use the scope you just exposed. The Microsoft Graph permissions below are Application permissions: they apply to the whole directory regardless of which user is signed in, which is why the client secret from step 3 must be protected. Both permissions requested here are read-only.

6a. Microsoft Graph permissions

  1. In the app's left-hand menu, select API permissions.

  2. Click + Add a permission.

  3. Select Microsoft Graph.

  4. Select Application permissions.

  5. Search for and tick both:

    • Group.Read.All (Required for syncing users in groups to the LMS)

    • User.Read.All

  6. Click Add permissions.

  7. Back on the API permissions page, click Grant admin consent for <your directory name> and confirm with Yes.

    Screenshot 8 — Microsoft Graph Application permissions selected

6b. Your own API permission

  1. Click + Add a permission again.

  2. Go to the My APIs tab and select the registration you created in step 1 (for example, Enable LMS SSO).

  3. Select Delegated permissions.

  4. Check access_as_user.

  5. Click Add permissions.

    Screenshot 9 — My APIs / access_as_user
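Before moving on, you can confirm from PowerShell that the registration matches what steps 1 to 6 describe: the redirect and logout URLs, the secret expiry, the email claim, and whether admin consent for the two Graph permissions actually took effect. The script below is an added example, not part of this guide or of the Enable LMS. It assumes the Microsoft Graph PowerShell SDK, the registration name Enable LMS SSO from step 1, and an account that can consent to the read-only Application.Read.All scope; the Microsoft Graph service principal is looked up by its well-known application ID 00000003-0000-0000-c000-000000000000.

```powershell
# Added example, not part of the Virtual College guide: verify the registration built in
# steps 1-6. Assumes the Microsoft Graph PowerShell SDK and the registration name from
# step 1 ('Enable LMS SSO' is an assumption; use the name you chose).
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$appName = 'Enable LMS SSO'
$app = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $app -or $app.Count -gt 1) { throw "Expected exactly one registration named '$appName'" }

# Step 1: the two IDs Support asks for.
"Application (client) ID : $($app.AppId)"
"Directory (tenant) ID   : $((Get-MgContext).TenantId)"

# Steps 1-2: web redirect URI, front-channel logout URL, and that implicit grant is off.
"Redirect URIs           : $($app.Web.RedirectUris -join ', ')"
"Front-channel logout    : $($app.Web.LogoutUrl)"
"Implicit grant enabled  : $($app.Web.ImplicitGrantSettings.EnableAccessTokenIssuance -or $app.Web.ImplicitGrantSettings.EnableIdTokenIssuance)"

# Step 3: every client secret on the registration and how long until it expires.
$nowUtc = (Get-Date).ToUniversalTime()
foreach ($s in $app.PasswordCredentials) {
    $days = [int]($s.EndDateTime - $nowUtc).TotalDays
    "Secret '$($s.DisplayName)' (starts $($s.Hint)...) expires $($s.EndDateTime.ToString('u')), in $days days"
}

# Step 4: the optional claims configured for access tokens (should include 'email').
$accessClaims = $app.OptionalClaims.AccessToken | ForEach-Object Name
"Access token claims     : $($accessClaims -join ', ')"

# Step 6a: application permissions actually granted. Admin consent creates app role
# assignments on the service principal; a permission merely listed on the API permissions
# page without consent does not appear here.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
"Graph app permissions   : $($granted -join ', ')"
foreach ($required in 'User.Read.All', 'Group.Read.All') {
    if ($granted -notcontains $required) { Write-Warning "$required has not been admin-consented" }
}
```

A warning from the last loop means step 6a's Grant admin consent click did not complete; repeat it before sending the details to Support. Any Graph application permission listed beyond the two required ones should be removed, since every holder of the client secret gets all of them.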


7. Post-migration checks (if moving from ADFS)

Ensure that the ADFS syncing tool has been stopped so that your ADFS users are no longer synced with Enable. Running both sync sources in parallel will cause duplicate or conflicting user records.


8. Send the details to Virtual College Support

Email Virtual College Support with:

  • Application (client) ID (from step 1)

  • Directory (tenant) ID (from step 1)

  • Client Secret value (from step 3)

Treat the Client Secret value like a password: anyone who has it, together with the two IDs, can read every user and group in your directory through the permissions granted in step 6. Where possible, send it through the most secure channel Support offers rather than in the body of a plain email.

We will then complete the configuration on the LMS side.


9. Important notes

  • Make sure all users have a first name, last name, and email address, otherwise they will not be synced with your LMS.

  • Set a reminder well before your client secret expires. When it expires, SSO will stop working until a new secret is issued and sent to Virtual College Support.

If there are any problems while adding the registration, please contact Virtual College Support.

Keywords: SSO, Entra ID, Microsoft Entra, Azure AD, Graph API