Setting Up Single Sign-On
This guide walks you through connecting Adcyma to your Microsoft Entra ID tenant for Single Sign-On (SSO). Once set up, users log in with their Microsoft credentials and Adcyma picks up your Entra ID security policies like MFA and conditional access automatically.
Recommended
SSO is the recommended way to sign in to Adcyma. Magic Links remain as a fallback sign-in method, but they are disabled while SSO is on.
Prerequisites
- An active Microsoft Entra ID tenant (Microsoft 365 or standalone)
- Application Administrator role in Entra ID to create app registrations and grant admin consent
- Administrator access in Adcyma to configure identity provider settings
Step 1: Create an App Registration
If you have not done this yet, follow the App Registration setup guide to create the application in Entra ID and generate a client secret. You will need the Tenant ID, Application (Client) ID, and Client Secret in Step 3 below.
Step 2: Configure API Permissions
In your app registration, navigate to API permissions and add the following Delegated permissions under Microsoft Graph. These are used for the sign-in flow only.
| Permission | Type | Purpose |
|---|---|---|
| openid | Delegated | Issue an ID token for the signed-in user |
| profile | Delegated | Read the user's basic profile information |
| email | Delegated | Read the user's email address |
| User.Read | Delegated | Read the signed-in user's profile |
After adding all four permissions, click Grant admin consent for [your organization] and confirm.
These cover the sign-in flow only. The permissions Adcyma needs to manage users and groups (like User.ReadWrite.All) are set up separately in the App Registration guide.
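One way to confirm the admin consent from this step after the fact (an added example, not Adcyma's or Microsoft's code): the Python below reads the JSON that Microsoft Graph returns when listing `oauth2PermissionGrants` for the app's service principal and reports which of the four sign-in scopes lack tenant-wide consent. The sample response and every id in it are constructed placeholders.

```python
import json

# Delegated permissions this guide lists for the sign-in flow (Step 2).
REQUIRED_SCOPES = ("openid", "profile", "email", "User.Read")

# Constructed sample shaped like a Graph response to
#   GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service principal object id>'
# Ids are placeholders. Admin consent appears as consentType "AllPrincipals";
# consent given by a single user appears as "Principal" with a principalId.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"clientId": "app-sp-placeholder", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp-placeholder",
     "scope": " openid profile email"},
    {"clientId": "app-sp-placeholder", "consentType": "Principal",
     "principalId": "user-placeholder", "resourceId": "graph-sp-placeholder",
     "scope": "User.Read"},
]})


def check_sso_consent(response_json, graph_resource_id):
    """Compare granted delegated scopes against the four sign-in scopes.

    graph_resource_id is the object id of the Microsoft Graph service
    principal in the tenant; grants for other resources are ignored.
    """
    admin, per_user = set(), set()
    for grant in json.loads(response_json).get("value", []):
        if grant.get("resourceId") != graph_resource_id:
            continue
        scopes = {s.lower() for s in (grant.get("scope") or "").split()}
        if grant.get("consentType") == "AllPrincipals":
            admin |= scopes
        else:
            per_user |= scopes
    required = {s.lower() for s in REQUIRED_SCOPES}
    return {
        # Sign-in scopes with no tenant-wide (admin) consent.
        "missing": [s for s in REQUIRED_SCOPES if s.lower() not in admin],
        # Of those, scopes only individual users consented to: the
        # "Grant admin consent" click was skipped or predates the scope.
        "user_only": [s for s in REQUIRED_SCOPES
                      if s.lower() not in admin and s.lower() in per_user],
        # Admin-consented delegated scopes outside the sign-in set; expected
        # only if another guide asked for them.
        "other": sorted(admin - required),
    }


if __name__ == "__main__":
    print(check_sso_consent(SAMPLE_RESPONSE, "graph-sp-placeholder"))
```

An empty `missing` list means all four scopes carry tenant-wide consent; anything in `user_only` points to a scope added after the last admin consent.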
Step 3: Enter Credentials in Adcyma
- In Adcyma, open Administration → Settings → Identity Provider
- Set Identity Provider to Microsoft Entra ID
- Enter your Client ID, Tenant ID, and Client Secret
- Click Save
Adcyma uses these credentials to connect to Microsoft Graph for your tenant.
Step 4: Enable SSO
- On the Identity Provider settings page, scroll to the Single Sign-On section
- Toggle Enable SSO on
- Notify your users — from this point, all logins go through Entra ID and Magic Links are disabled
To verify it is working, open a private browser window and navigate to your Adcyma login page. You should be redirected to the Microsoft login prompt instead of seeing the Magic Link form.
Disabling SSO
To revert to Magic Links:
- Open Administration → Settings → Identity Provider
- Toggle Enable SSO off
- Magic Links become available immediately
Disabling SSO is useful as a temporary fallback if users lose Entra ID access. You can re-enable it at any time without re-entering credentials.
Troubleshooting
Users are redirected to Microsoft but get an error
Check that the Tenant ID and Client ID are correct and that admin consent has been granted for all required permissions.
Sign-in completes on Microsoft but fails to land in Adcyma
The user's email address in Entra ID must match the address registered in Adcyma. If they differ, contact support.