SSO setup — Microsoft Entra (OIDC)
4 min read · Updated 12 May 2026
Step by step
1. In the Entra admin centre: Identity → Applications → App registrations → New registration. Name it WBSync. Account type: Accounts in this organisational directory only. Redirect URI: Web, value = WBSync's Redirect URI (visible on the OIDC pane of /settings/sso/).
2. Open the new app, Certificates & secrets → New client secret. Give it a 24-month expiry and copy the Value immediately (you can't see it again).
3. API permissions → Add a permission → Microsoft Graph → Delegated permissions. Tick openid, profile, email. Click Grant admin consent.
4. On WBSync's OpenID Connect pane:
   - Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0 (replace <tenant-id> with the Directory (tenant) ID from the app overview)
   - Client ID: the Application (client) ID from the app overview
   - Client secret: the value you copied in step 2
   - Scopes: leave as openid email profile
   Set the Email domain in WBSync to your tenant's verified domain. Save.
5. Click Test connection. You'll round-trip through Microsoft and land back with a green badge. Tick "Enable SSO for this organisation" to make it live.
Frequently asked
Can the Owner still sign in if SSO breaks?
Yes. The Owner always retains password fallback at /accounts/login/, even with 'Require SSO for everyone except the Owner' switched on. This is the lockout escape — your IdP can go down and you still get back in to fix it.
What happens to existing users?
Their accounts are preserved. On their first SSO sign-in WBSync binds their IdP subject to the existing user row, so audit history, role and assignments carry over. If 'Require SSO for everyone except the Owner' is on (recommended), existing non-Owner users must be bound deliberately — see the JIT section.
What about new users? Do I have to invite them first?
No. JIT provisioning is on by default: the first time someone with your email domain signs in via the IdP, WBSync creates their account automatically with the role you picked on the SSO settings page (default: Foreman). You can change their role afterwards in the directory.
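The following is an added example, not WBSync's own code, tying together the settings from the OpenID Connect pane (Issuer URL built from the tenant ID, Client ID, Email domain) and the binding and JIT-provisioning behaviour described in the two answers above. It derives the issuer and discovery URL, sanity-checks a pasted Issuer URL, and then applies the claim checks a relying party must make on an already signature-verified ID token before binding an existing account or creating a new one with the default role. The class and function names, the "subject conflict" rule and all sample tenant, client and user values are assumptions constructed for illustration; the deliberate-binding path mentioned for 'Require SSO for everyone except the Owner' is not modelled.

```python
"""Added example (not WBSync's code): Entra OIDC settings derivation plus the
claim checks that gate account binding and JIT provisioning. All identifiers
below are constructed; nothing here is a real tenant, app or user."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

ENTRA_HOST = "login.microsoftonline.com"


@dataclass(frozen=True)
class SsoSettings:
    tenant_id: str                  # Directory (tenant) ID from the app overview
    client_id: str                  # Application (client) ID from the app overview
    email_domain: str               # verified tenant domain entered in WBSync
    default_role: str = "Foreman"   # JIT default role named on the page

    @property
    def issuer(self) -> str:
        return f"https://{ENTRA_HOST}/{self.tenant_id}/v2.0"

    @property
    def discovery_url(self) -> str:
        # Standard OIDC discovery location; the RP reads jwks_uri etc. from it
        return f"{self.issuer}/.well-known/openid-configuration"


def check_issuer_url(url: str) -> bool:
    """Sanity-check a pasted Issuer URL: https, the Entra host, and a
    /<tenant-id>/v2.0 path with the placeholder actually replaced."""
    p = urlparse(url)
    parts = p.path.strip("/").split("/")
    return (p.scheme == "https" and p.netloc == ENTRA_HOST
            and len(parts) == 2 and parts[1] == "v2.0"
            and parts[0] != "" and "<" not in parts[0])


@dataclass
class User:
    email: str
    role: str
    sso_subject: Optional[str] = None   # bound on first SSO sign-in


def decide_sign_in(claims: dict, settings: SsoSettings,
                   users: Dict[str, User]) -> Tuple[str, str]:
    """Decide what to do with the claims of an ID token whose signature, expiry
    and nonce were already verified against the keys from discovery_url.
    Returns (outcome, detail); binds or creates entries in `users`."""
    if claims.get("iss") != settings.issuer:
        return "reject", "issuer mismatch"
    if claims.get("aud") != settings.client_id:
        return "reject", "audience mismatch"     # token minted for a different app
    if claims.get("tid") != settings.tenant_id:
        return "reject", "tenant mismatch"
    sub = claims.get("sub")
    if not sub:
        return "reject", "missing subject"
    email = (claims.get("email") or "").lower()
    if "@" not in email or email.rsplit("@", 1)[1] != settings.email_domain.lower():
        return "reject", "email domain not allowed"

    user = users.get(email)
    if user is None:
        # JIT provisioning: first sign-in creates the account with the default role
        users[email] = User(email=email, role=settings.default_role, sso_subject=sub)
        return "created", settings.default_role
    if user.sso_subject is None:
        # Existing account: bind the IdP subject so role and history carry over
        user.sso_subject = sub
        return "bound", user.role
    if user.sso_subject != sub:
        return "reject", "subject conflict"      # another identity presents this email
    return "signed_in", user.role


# Constructed sample data (assumed values, not real ones)
SETTINGS = SsoSettings(tenant_id="11111111-2222-3333-4444-555555555555",
                       client_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                       email_domain="example.com")
GOOD_CLAIMS = {"iss": SETTINGS.issuer, "aud": SETTINGS.client_id,
               "tid": SETTINGS.tenant_id, "sub": "sub-pat",
               "email": "pat@example.com"}

if __name__ == "__main__":
    users = {"pat@example.com": User(email="pat@example.com", role="Manager")}
    print(SETTINGS.discovery_url)
    print(decide_sign_in(GOOD_CLAIMS, SETTINGS, users))
```

The audience and tenant checks are what stop a token issued to a different app or a different tenant from being accepted, and the domain check is what keeps JIT provisioning from creating accounts for addresses outside the verified domain.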
Is the OIDC client secret stored safely?
Yes — secrets are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256), using the same key-rotation ceremony as our third-party clock-in integrations. The plain secret is never displayed back to you; paste a new one to rotate.
What does 'Test connection' actually do?
It runs a real round-trip with your IdP, but instead of signing you in it just records the outcome on the settings page. So you can sit in WBSync as the Owner, click the button, and watch the result land — without giving up your current session.