Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Microsoft Entra ID

Configure Microsoft Entra ID (formerly Azure AD) as a SAML 2.0 identity provider for Safeguard.

Microsoft Entra ID

  1. In the Microsoft Entra admin center, go to Enterprise applications → New application → Create your own application, choose "Integrate any other application you don't find in the gallery," and create it.
  2. Open the app, go to Single sign-on → SAML.
  3. Edit Basic SAML Configuration:
    • Identifier (Entity ID): the SP Entity ID Safeguard shows after Save
    • Reply URL (ACS URL): the ACS URL Safeguard shows after Save
  4. Set the Unique User Identifier (Name ID) to user.mail — Entra's out-of-box default is user.userprincipalname, which isn't always the same as the user's email address.
  5. Under Attributes & Claims, also add or rename a claim so its Name is exactly email, mapped to user.mail (required) — Entra's default claim set uses full claim-type URIs, not this short name, and Safeguard needs the literal email attribute separate from the Name ID above.
  6. Under SAML Certificates, copy the Login URL, Microsoft Entra Identifier (Entity ID), and download the Certificate (Base64), or copy the App Federation Metadata URL if you'd rather import metadata directly.
  7. In Safeguard, click Add Provider → SAML 2.0 → Microsoft Entra ID, and enter the Login URL, Entra Identifier, and certificate contents from step 6.
  8. Back in Entra, go to Users and groups and assign the users/groups who should have access.
  9. Click Test in Safeguard to confirm.

Common errors: an AADSTS50105 "user not assigned to a role" error means you skipped assigning users/groups in step 8. An AADSTS75011 reply URL mismatch means the Reply URL doesn't exactly match the Callback URL (check for a trailing slash). If you pasted individual values instead of importing the metadata URL, Entra's signing certificate rotates periodically — re-sync it in Safeguard when Entra warns about upcoming rotation.

On this page