# Azure

Pritunl supports single sign-on with Azure Entra ID. Azure Entra *Security* and *Office 365* groups will be matched to existing organizations.

### Create Microsoft Entra Application

Open the [**Microsoft Entra admin center**](https://entra.microsoft.com/) by selecting it from the Azure portal or by going to [**entra.microsoft.com**](https://entra.microsoft.com/).

From the left panel select *Applications* then *Enterprise applications*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FkfdnIstxl1rM78UGXBo1%2Fentra_sso1.png?alt=media\&token=45fa158f-19df-4f16-89a1-694469016373)

Click *New application* then *Create your own application*. Set the *Name* to `Pritunl` then select *Register an application to integrate with Microsoft Entra ID (App you're developing)*. Then click *Create*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FVGFSAFi0yXofU6HL3Vtn%2Fentra_sso2.png?alt=media\&token=ca91d502-d0ac-4e2f-bf47-f53a5017d4a7)

On the application registration set *Supported account types* to *Accounts in this organizational directory only (Pritunl only - Single tenant)*. Then set *Redirect URI (optional)* to *Web* and enter `https://auth.pritunl.com/callback/azure`. Then click *Register*. **It is very important that the *Supported account types* option is configured correctly. If this is not set to a single tenant, any user with a Microsoft account could access the Pritunl server. If a multi-tenant configuration is required, the *Assignment required* option described below must also be used to control which external organizations can access the application.**

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fx5FiE83gOK7IPdPJDWve%2Fentra_sso3.png?alt=media\&token=705809b2-e132-485e-8b8c-c39d27dd22d4)

From the left panel select *Applications* then *App registrations*. Then click *All applications* and open the Pritunl application.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FW8Y5V0KTx3lgaVET2gEW%2Fentra_sso4.png?alt=media\&token=e1b84a77-79fd-4673-9b4b-e093b5d41a80)

Open *Branding and Properties* and upload the [**Pritunl Logo**](https://pritunl.com/img/logo.png). Set the *Home page URL* to the URL of your Pritunl server. Then click *Save*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F28Gftkcb7f4ZMkOqIT1m%2Fentra_sso5.png?alt=media\&token=e6c7895d-9411-4de6-9034-17d5e52b629f)

Open the *Authentication* tab and set *Implicit grant and hybrid flows* to *Access tokens (used for implicit flows)*. Then click *Save*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FLXdQuh0r0Rq3jrT9Rooe%2Fentra_sso6.png?alt=media\&token=2155ca08-8efb-42e4-ac79-632c5da3009a)

Open *API permissions* and click *Add a permission*. Then click ***Microsoft Graph*** and select ***Delegated permissions***. Search for `User.Read` and select *User.Read*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FompPHFwnAdU2PRHcEaku%2Fentra_sso7.png?alt=media\&token=e5315933-12e4-46dd-bad7-acc329a4553e)

Next search for `Group.Read` and select *Group.Read.All*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F1UrTd3wLNkUrlr2GQ5qd%2Fentra_sso8.png?alt=media\&token=698dcb5a-9b26-4cf6-a1ec-51a9ca3848b9)

Next search for `offline_access` and select `offline_access`. Then click *Add permissions*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F4CKEYJ1ypH3xgCQ2vSAE%2Fentra_sso16.png?alt=media\&token=a2e2f613-6885-4f28-8600-549db51e9c5b)

Next click *Add a permission*. Then click ***Microsoft Graph*** and select ***Application permissions***. Search for `Directory.Read` and select *Directory.Read.All*. Then click *Add permissions*. This gives the Pritunl server access to look up the Azure user's groups for group-to-organization matching.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F1qDDJm9BWdnd9fTsZbAn%2Fentra_sso9.png?alt=media\&token=6659eefd-1a0b-4cb9-9897-fe4153eea78e)

From the *API permissions* panel the permissions shown below should all be listed. After confirming this click *Grant admin consent for Pritunl*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FHrrPqNScCZ1xhcjhSObY%2Fentra_sso10.png?alt=media\&token=1060fab9-905f-4d87-bac7-b6b082010f96)

After this all permissions should have the status shown below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FT5aeKySmLvs9KbykLqmP%2Fentra_sso11.png?alt=media\&token=08e2e498-ced2-45ba-99ce-0868297312eb)

Open *Certificates & secrets* and click *New client secret*. Then set the *Description* to `Pritunl` and set *Expires* to the maximum value available. Once done click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FvY6htK745fYynMbr3uy2%2Fentra_sso12.png?alt=media\&token=5a02dbb4-2156-47e4-a901-d526338696ed)

On the *Certificates & secrets* page copy the *Value* from the list of secrets. **The *Secret ID* is not relevant and should not be copied.** Save this value and label it **Azure Application Secret** for the steps below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FxnL4vu70eWlUIXLXXblj%2Fentra_sso13.png?alt=media\&token=700cb006-4a7e-4826-b26a-2e247e15b381)

### Entra App Permissions

From the [**Azure Portal**](https://portal.azure.com) open *Microsoft Entra ID* then from the sidebar select *Manage* then *Enterprise applications*. This should display a list of the enterprise applications. This section is different from the previous *App registrations* section and contains different options.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FKxPTpXaVmcRnTRkU9qP8%2Fentra_sso17.png?alt=media\&token=b8ccd4f0-b102-4d37-8ecf-60941f5e0176)

Select the *Pritunl* application to open the application management. This section allows controlling access to the application and adding users. From the sidebar select *Manage* then *Properties*. This will display the *Assignment required* option. By default all users in the Azure organization will be able to access the Pritunl server. Turning *Assignment required* on requires that users or a user group be manually added to the application from this management console. It is recommended to use this option for more secure and controlled access to the Pritunl server. Once done click *Save* at the top.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fka69tVszsueQo1ZWxv70%2Fentra_sso18.png?alt=media\&token=28efe236-73f7-4ba8-adad-6046823047ec)

Next from the sidebar select *Security* then *Permissions* and click *Grant admin consent for Pritunl*. Then complete the prompts to approve the permissions.

### Configure Pritunl

Open the *Overview* of the *Pritunl* app in *App registrations*. Copy the *Directory (tenant) ID*, and *Application (client) ID* for the configuration below.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fsi9kW9S557BhqyFbFhxU%2Fentra_sso14.png?alt=media\&token=f5d45ab4-b3a7-4092-8611-ade95812fd98)

Open the *Settings* in the Pritunl web console and set *Single Sign-On* to *Azure*. Then set *Azure Region* to *Global (OAuth v2)* and *Azure API Version* to *Microsoft Graph*. Copy the *Directory ID* and *Application ID* from the steps above. Then copy the Azure key value from the earlier steps into *Application Secret*. When users sign in, the Pritunl server will attempt to match one of the user's Azure groups to the case-sensitive name of an existing organization. This allows grouping users in Pritunl by their Azure groups. The *Default Single Sign-On Organization* will be used if none of the Azure groups match an existing Pritunl organization.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FwibnJ7e3JKLkmsUdcLbS%2Fentra_sso15.png?alt=media\&token=c08a1464-e750-40bf-bc32-78b5e41ccacf)
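The two behaviours this page describes, the single-tenant restriction and the case-sensitive matching of a user's Azure groups to an existing organization with the *Default Single Sign-On Organization* as fallback, as an added Python illustration. This is example code written for this page, not Pritunl's own implementation: the claim name `tid` follows Entra ID token conventions, while the function names, the placeholder directory ID, the organization names and the group names are assumptions or constructed values.

```python
"""Added example (not Pritunl's code) of the two decisions described in
the text: a relying-party tenant check that backs up the single-tenant
registration, and the case-sensitive match of a user's Azure group names
against existing Pritunl organizations with a default-organization
fallback."""

from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed configuration values. The directory ID is a placeholder with
# the shape of an Entra tenant ID, not a real tenant.
CONFIGURED_DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"
DEFAULT_SSO_ORGANIZATION = "default-org"

# Constructed list of organizations that already exist on the Pritunl server.
EXISTING_ORGANIZATIONS: List[str] = ["engineering", "Finance", "default-org"]


@dataclass
class SsoDecision:
    allowed: bool
    organization: Optional[str]
    reason: str


def tenant_allowed(claims: dict, configured_directory_id: str) -> bool:
    """Return True only if the token's tenant claim ("tid" in Entra ID
    tokens) equals the Directory (tenant) ID configured in Pritunl.

    A single-tenant registration makes Entra refuse sign-ins from other
    tenants; re-checking the claim here is defence in depth, so that a
    registration accidentally left multi-tenant does not silently admit
    any Microsoft account."""
    return claims.get("tid") == configured_directory_id


def match_organization(group_names: Iterable[str],
                       organizations: Iterable[str],
                       default_org: str) -> Tuple[str, bool]:
    """Pick the organization for a user from their Azure group names.

    The comparison is exact and case-sensitive, as the text states; the
    first group (in the order supplied) whose name equals an existing
    organization wins. Returns (organization, matched), with matched False
    when the default organization had to be used."""
    org_set = set(organizations)
    for name in group_names:
        if name in org_set:  # "finance" does NOT match "Finance"
            return name, True
    return default_org, False


def authorize_sso_user(claims: dict, group_names: Iterable[str],
                       organizations: Iterable[str],
                       configured_directory_id: str,
                       default_org: str) -> SsoDecision:
    """Combine both checks: reject foreign tenants first, then assign an
    organization. group_names is assumed to be the display names of the
    user's groups as resolved through Microsoft Graph (constructed here)."""
    if not tenant_allowed(claims, configured_directory_id):
        return SsoDecision(False, None, "token issued for another tenant")
    org, matched = match_organization(group_names, organizations, default_org)
    reason = "matched Azure group" if matched else "no group matched; default organization"
    return SsoDecision(True, org, reason)


if __name__ == "__main__":
    # Constructed claims: the first user belongs to our tenant, the second
    # presents a token issued for some other tenant.
    ours = {"tid": CONFIGURED_DIRECTORY_ID, "preferred_username": "alice@example.com"}
    foreign = {"tid": "11111111-1111-1111-1111-111111111111",
               "preferred_username": "bob@other.example"}

    for claims, groups in [(ours, ["finance", "engineering"]),
                           (ours, ["finance"]),
                           (foreign, ["engineering"])]:
        decision = authorize_sso_user(claims, groups, EXISTING_ORGANIZATIONS,
                                      CONFIGURED_DIRECTORY_ID, DEFAULT_SSO_ORGANIZATION)
        print(claims["preferred_username"], groups, "->", decision)
```

The first sample user is placed in `engineering` even though they are also in a group called `finance`, because `finance` does not equal the existing organization `Finance`; the second user lands in the default organization for the same reason, and the third is rejected before any group is considered.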

### Azure Permission Issues

Adjustments to the **Azure consent and permissions** may be needed if error messages about admin approval required are shown. Refer to the Azure [**configure how users consent to applications**](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent) documentation for more information.
