Setting up Microsoft Entra SSO

Use Microsoft Entra ID (formerly Azure AD) as your single sign-on provider. You register the app; the Clment team enables it for your organisation.

Updated 29 Jun 2026

This is the admin guide for connecting Microsoft Entra ID (formerly Azure AD) to your Clment organisation. Once configured, your users sign into Clment with their work Microsoft account — no separate Clment password.

SSO is enabled with help from the Clment team. You register the app in Entra (below), then we configure and switch it on for your organisation — there’s no self-service SSO screen in the app. To get started, contact support@clment.com and we’ll coordinate the setup, including a secure handover of the credentials.

Prerequisites:

  • An Entra ID admin role (Application Administrator or higher).
  • About 20 minutes to register the app.

Step 1: Register Clment as an app in Entra ID

In the Azure Portal → Microsoft Entra ID → App registrations → + New registration.

  • Name: Clment (or whatever you prefer; this is what users see at the consent prompt).

  • Supported account types: Accounts in this organizational directory only. (Choose multi-tenant if your team uses guest accounts from other tenants.)

  • Redirect URI: Web platform, value:

    • US region: https://identity.us.clment.com/auth/sso/microsoft/callback
    • EU region: https://identity.eu.clment.com/auth/sso/microsoft/callback
    • AU region: https://identity.au.clment.com/auth/sso/microsoft/callback

    Pick the region matching where your Clment org lives. (See Picking your data region if you’re not sure.)

  • Click Register.

Copy the Application (client) ID and the Directory (tenant) ID from the Overview page — you’ll need both.

Step 2: Create a client secret

Still in the registration → Certificates & secrets → + New client secret.

  • Description: Clment SSO.
  • Expires: 24 months is standard. Set a calendar reminder to rotate.
  • Click Add.

Copy the Value (not the ID) immediately — Entra shows it once and never again.

Step 3: Grant the API permissions

Still in the registration → API permissions → + Add a permission → Microsoft Graph → Delegated permissions.

Add these scopes:

  • openid
  • profile
  • email
  • User.Read

Click Add permissions. If your tenant requires admin consent for any of these, click Grant admin consent for .

Step 4: Send the details to Clment

There’s no in-app SSO form. Instead, contact support@clment.com with:

  • Your Tenant ID and Client ID (from step 1).
  • Your Clment org’s region (so we apply the right callback URL).

We’ll arrange a secure way to receive the Client Secret (don’t email it), then configure the connection and validate discovery against your tenant.

Step 5: Confirm it works

Once we’ve configured the connection, we’ll run a test sign-in with you. A successful flow looks like:

  1. Land on the Microsoft sign-in page.
  2. Enter your credentials.
  3. See the Clment consent screen (if first-time).
  4. Get redirected back to Clment, signed in.

If anything fails, it’s most commonly a redirect-URI mismatch (re-check step 1) or a missing scope (re-check step 3).

Step 6: Disable password sign-in (optional)

Once SSO works for everyone who needs access, you can ask us to make it the only sign-in method for your org. Effects:

  • Users who previously signed in with email + password are walked through Microsoft SSO on their next sign-in. (If you re-enable password sign-in later, they can reset their password from the sign-in page.)
  • Email/password sign-in is turned off for your org.
  • MCP custom connectors continue working — they use a separate token mechanism, not session passwords.

Restricting which Entra users can sign in

By default, any user in your Entra tenant can sign in to your Clment org once you’ve configured SSO. To restrict access to a specific group:

  • Entra-side: App registrations → → Properties → Assignment required → Yes. Then Enterprise applications → → Users and groups → Add user/group for the people who should have access.

When a non-assigned user attempts to sign in, Entra blocks the consent step and Clment never sees the request.

For Clment-side user management, invite each user via the Team page in the normal way (Inviting users and roles) — their email needs to match what Entra returns at sign-in time.

Rotating the client secret

When the client secret in Entra is approaching expiry:

  1. Create a new client secret in Entra (step 2 above) with a new expiry.
  2. Send the new secret to Clment via the secure channel from setup so we can update the connection.
  3. We swap it in — existing sessions aren’t affected; only the next sign-in uses the new secret.
  4. Once verified, delete the old secret from Entra.

See also

Still have questions?

Instant article search