ContextQMD
Back to Firezone

SSO with Microsoft Entra ID

website/src/app/kb/authenticate/entra/readme.mdx

1.0.56.1 KB
Original Source

import Alert from "@/components/DocsAlert"; import PlanBadge from "@/components/PlanBadge"; import SupportOptions from "@/components/SupportOptions";

<PlanBadge plans={["starter", "team", "enterprise"]}>

SSO with Microsoft Entra ID

</PlanBadge>

Firezone supports authenticating users with Microsoft Entra ID using Firezone's public OAuth client. You can configure multiple Entra providers — one per tenant — to authenticate users from different organizations.

<Alert color="info"> Looking for directory sync? See the [Entra directory sync guide](/kb/directory-sync/entra) to automatically provision users and groups from Microsoft Entra ID. </Alert>

Enable Entra authentication

To enable Entra authentication:

  1. Go to Settings -> Authentication in your admin portal.
  2. Click Add Provider and select Entra.
  3. Name the provider — this is shown to users on the sign-in page.
  4. Select the authentication context:
    • Client Applications and Admin Portal: Users can sign in to both the Firezone client applications and admin portal using Entra SSO.
    • Client Applications Only: Users can sign in to the Firezone client applications using Entra SSO but not the admin portal.
    • Admin Portal Only: Users can sign in to the admin portal using Entra SSO but not the Firezone client applications.
  5. Portal session lifetime: (optional) Set a custom session lifetime for users signing in to the admin portal with Entra SSO. Leave blank to use the default session lifetime.
  6. Client session lifetime: (optional) Set a custom session lifetime for users signing in to the Firezone client applications with Entra SSO. Leave blank to use the default session lifetime.
  7. Click Verify Now to complete an authentication flow. This captures your Entra tenant ID — verify this is the correct tenant before proceeding.
  8. Click Save.

Users will now see this provider as an option on the Firezone sign-in page.

How it works

Firezone uses a public OAuth client to authenticate users with Microsoft Entra ID. When a user signs in:

  1. They're redirected to Microsoft's sign-in page.
  2. After authenticating with Microsoft, they're redirected back to Firezone.
  3. Firezone matches the user using the iss and sub claims from Entra. For users provisioned via directory sync, this identity already exists. For manually created users, Firezone matches by email on first sign-in and saves the Entra identity for subsequent sign-ins.

No app registration or client secret setup is required on your end.

Data accessed

Firezone requests the following scopes from Microsoft:

  • openid — Required for authentication
  • email — Used to match users on first sign-in
  • profile — Used for the user's display name
  • offline_access — Used to maintain the session

Firezone does not access your email, calendar, files, or any other Microsoft 365 data.

Multiple tenants

You can configure multiple Entra providers to authenticate users from different Microsoft tenants. Each provider is tied to a single tenant ID.

To add another tenant:

  1. Go to Settings -> Authentication in your admin portal.
  2. Click Add Provider and select Microsoft Entra.
  3. Enter the new tenant's Entra Tenant ID.
  4. Complete the setup as described above.

Users from each tenant will see a separate sign-in option on the Firezone sign-in page.

Restricting access to specific users or groups

Entra admins can control which users and groups are allowed to sign into Firezone by configuring user assignment on the Firezone Enterprise Application in your tenant.

To restrict access:

  1. Sign in to the Azure portal.
  2. Go to Microsoft Entra ID → Enterprise applications.
  3. Search for and select the Firezone application.
  4. Go to Users and groups.
  5. Click Add user/group to assign specific users or groups.
  6. Go to Properties and set Assignment required? to Yes.

With assignment required enabled, only users and groups explicitly assigned to the Firezone application will be able to sign in.

<Alert color="info"> On Enterprise plans, [directory sync](/kb/directory-sync/entra) group assignments are managed separately on the **Firezone Directory Sync** Enterprise Application. See the [Entra directory sync guide](/kb/directory-sync/entra) for details. </Alert> <Alert color="warning"> If you enable **Assignment required** without assigning any users or groups, all users in that tenant will be blocked from signing into Firezone. </Alert>

Provisioning users

Users must exist in Firezone before they can sign in with Entra. You can:

Troubleshooting

User not found

If a user sees a "user not found" or similar error when signing in, it means no matching user exists in Firezone. The user must be created manually or provisioned via directory sync before they can sign in.

Access denied by Entra admin

If a user sees "AADSTS50105" or "You cannot access this application", it means the Entra admin has enabled user assignment and the user is not assigned to the Firezone application. See Restricting access above.

Wrong tenant

If a user authenticates with a Microsoft account from a different tenant than the one configured, they'll see an error. Ensure the user is signing in with an account from the correct tenant, or add an additional Entra provider for their tenant.

Revoking access

Users can revoke Firezone's access to their Microsoft account from their Microsoft account security settings. Revoking access does not delete the user from Firezone or end their active sessions, but they will need to re-authorize on their next sign-in.

<SupportOptions />