Skip to content
English
More support Sign in
Contact us
  • There are no suggestions because the search field is empty.

Setting up SSO with Microsoft Entra ID

With Single Sign-On (SSO), your colleagues sign in to KYP using their existing Microsoft account. This article explains how to set up SSO on your side.

Before you start

You need administrator rights in Microsoft Entra ID (formerly Azure AD). You will need a Redirect URI.

→ Apply for Redirect-URI

Step 1. Create an app registration in Azure

  1. Sign in to the Azure Portal.
  2. Open Microsoft Entra ID.
  3. In the sidebar, click App registrations under Manage.

    sso9
    • Limit users to Accounts in this organizational directory only
    • Choose Web as the platform
    • For Redirect URI, use the URI we supplied

      Create a new registration for KYP SSO:

Step 2. Copy the Metadata Document Endpoint

  1. After registering, open Endpoints.
  2. Copy the OpenID Connect Metadata Document and save it.
  3. Close the Endpoints overview.


Step 3. Copy the Application (Client) ID

Copy the Application (client) ID from the registration and save it.




Step 4. Create a Client Secret

  1. In the app registration, go to ManageCertificates & secrets.
  2. Select New client secret.
  3. Set a clear description and choose the recommended expiration.
  4. Click Add and copy the resulting secret value.

    sso5-1
  5. Save the secret value.



Step 5. Configure API permissions

  1. Go to ManageAPI permissions.
  2. Click Add a permissionMicrosoft GraphDelegated permissions.
  3. Add the following permissions: openid, profile, email, offline_access, and GroupMember.Read.All. All of these are required for group syncing.
  4. Click Add permissions.
  5. Then click Grant admin consent for the User.Read permission, so the application is authorized to call APIs related to "sign-in and read user profile".

Step 6. Configure the token

  1. Within the registered application, go to ManageToken configuration.
  2. Click Add groups claim.
  3. Select Security groups in the Select group types to include in Access, ID, and SAML tokens menu.
  4. Under Customize token properties by type, only select Group ID for ID/Access/SAML.
  5. Do not tick Emit groups as role claims.

Step 7. Share the information securely with KYP

  1. Go to OneTimeSecret to share this information securely with us: https://eu.onetimesecret.com

    image-png-May-07-2026-12-17-02-0093-PM
  2. Label and share the information from the previous steps. Set the expiration to 7 days. If you set a passphrase, share it with us as well.
  3. Include any additional information that may be useful for us, such as the email domains that should be routed to this identity provider and your organization's name.
  4. Click Create Link and send this link to us by email. Once the link is opened, the information will become inaccessible. This way we can guarantee that no third party has viewed it.