Microsoft Entra SSO

How to set-up SSO with Microsoft Entra on Dust.tt

🔒

Consider Standard SAML Integration

While this guide details Microsoft Entra specific integration, we recommend considering our standard SAML SSO implementation instead, which:

  • Provides identical security and features
  • Offers more flexibility in configuration
  • Makes it easier to switch identity providers in the future
  • Works with ANY SAML-compatible identity provider

You can find our standard SAML implementation guide here .

Overview

Dust supports Microsoft Entra ID (previously Microsoft Azure Directory) Single Sign-On (SSO) to manage your team's access to our platform securely and effortlessly using your existing Entra ID credentials. This feature simplifies user management and enhances security by centralizing authentication.


Setting up Microsoft Entra Single Sign-On (SSO)

To enable SSO for Dust using Microsoft Entra ID, follow these steps to create a custom app integration in Microsoft Entra Admin Center.

1. Identify an Admin:

Choose an admin with comprehensive access to the Microsoft Entra admin center and Dust admin. This is necessary as enabling Microsoft Entra ID SSO requires creating a custom application in Microsoft Entra admin center.

2. Create a Custom Application in Microsoft Entra admin center

Create an application

  1. Navigate to the Microsoft Entra admin center and go to Applications > App Registrations. (see microsoft documentation to get you started)
  2. Click on New Registration.
  3. Fill in the Required Fields
    1. Name: Enter "Dust" as the application name.
    2. Platform: Select web
    3. Redirect URI: Enter https://dust-tt.us.auth0.com/login/callback.
    4. Select Accounts in this organizational directory only (Default Directory only - Single tenant) as the supported account types.
    5. Logo: You can find our logo here.
  4. Click on Register

Add a client secret

  1. From the Application view > Click on Dust
  2. Click on Certificates & Secrets > New client secret
  3. Fill in the Required Fields:
    1. Description: Dust
    2. Expires: Select the expiration based on your internal policy

👋 Ensure to keep this tab opened for future reference:

Add an optional claim

Dust needs to access user's email, this requires setting up an optional claim.

  1. From the Application view > Click on Dust

  2. Click on Token configuration > Add optional claim

  3. Fill in the Required Fields:

    1. Token type: ID
    2. Select the claim email
    3. ⚠️ Make sure to select Turn on the Microsoft Graph email permission (required for claims to appear in token). when asked.
    4. Click on Add

    3. Enabling Microsoft Entra ID Single Sign-On (SSO) in Dust

    To enable SSO for Dust using Microsoft Entra ID, follow these steps:

    1. Navigate to Settings > Members in Dust.
    2. If your plan allows it, you'll see an option for Active Single Sign-On.
    Untitled
    1. Select Microsoft Entra ID
    2. To enable Microsoft Entra ID SSO on your workspace, please provide the following details from the Microsoft Entra Id setup step:
      1. Microsoft Domain
      2. Microsoft Client Id
      3. Microsoft Client Secret

    📘

    Don't forget to copy

    Copy the "Initiate Login" URL and save it somewhere easily accessible. You'll need this URL to add the Dust app to your users' dashboards.

    Once you've entered this information, click on Create Microsoft Entra ID Configuration. Microsoft Entra ID SSO is now enabled on your workspace.

    If Auto-join Workspace is enabled, all members attempting to log in to Dust using their enterprise email addresses will be automatically redirected to Microsoft Entra ID SSO for authentication.

    4. Enforcing Microsoft Entra ID Single Sign-On (SSO) in Dust

    ❗️

    Make sure to test the SSO first before enforcing it.

    After enabling SSO, you have the option to enforce it across the entire workspace. This means that users will no longer be able to log in using their social media accounts. Please note that enabling this setting will log out all users who are not currently using Microsoft Entra ID, and they will be required to log back in using their Microsoft Entra credentials.