{"id":9696,"date":"2024-08-21T07:40:46","date_gmt":"2024-08-21T07:40:46","guid":{"rendered":"https:\/\/www.portatour.com\/blog\/users\/?p=9696"},"modified":"2024-08-21T09:42:34","modified_gmt":"2024-08-21T09:42:34","slug":"single-sign-on-sso-with-microsoft-setup","status":"publish","type":"post","link":"https:\/\/www.portatour.com\/blog\/users\/en\/2024\/08\/21\/single-sign-on-sso-with-microsoft-setup\/","title":{"rendered":"Single sign-on (SSO) with Microsoft: Setup"},"content":{"rendered":"<p><em>This news concerns administrators from company accounts with at least two users.<\/em><\/p>\n<p>To enable your users to log in to portatour\u00ae with your company&#8217;s Microsoft account, two steps are necessary: Setting up Microsoft as a single sign-on provider in portatour\u00ae and assigning Microsoft users to portatour\u00ae users.<\/p>\n<h2>Setting up Microsoft as a single sign-on provider<\/h2>\n<ol>\n<li>Go to &#8220;Workspace Organization&#8221; and open &#8220;Options&#8221;.<\/li>\n<li>In the &#8220;Security&#8221; section, click on &#8220;Single Sign-on Provider &gt; Add &gt; Microsoft&#8221;. 
The following window appears:<br \/>\n<a href=\"https:\/\/www.portatour.com\/blog\/users\/wp-content\/uploads\/sites\/2\/SSO-Einrichten-EN.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-9557\" src=\"https:\/\/www.portatour.com\/blog\/users\/wp-content\/uploads\/sites\/2\/SSO-Einrichten-EN.png\" alt=\"\" width=\"320\" height=\"462\" \/><\/a><\/li>\n<li>Are you yourself Entra ID administrator of your Microsoft client?\n<ul>\n<li>If yes:\n<ol>\n<li>Click on &#8220;Log in with Microsoft&#8221;.<\/li>\n<li>Log in with your Microsoft account.<\/li>\n<li>Confirm the requested permissions with &#8220;Accept&#8221;.<\/li>\n<\/ol>\n<\/li>\n<li>If no:\n<ol>\n<li>Click on &#8220;Enter tenant ID manually&#8221;.<\/li>\n<li>Click on &#8220;Copy link&#8221; and share it with your Entra ID administrator to install the &#8220;portatour\u00ae single sign-on&#8221; enterprise application and to accept the requested permissions. During this process, your administrator will receive the tenant ID.<\/li>\n<li>Enter the provided tenant ID.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<li>Enter the name of your Microsoft client in the &#8220;Name&#8221; field. Typically, this is your company name. No verification takes place. 
The name helps you and your users to identify the correct Microsoft account if you have several Microsoft clients.<\/li>\n<li>Click &#8220;Save&#8221;.<\/li>\n<\/ol>\n<h2>Assigning Microsoft users to portatour\u00ae users<\/h2>\n<p>You have four options for assigning Microsoft users to portatour\u00ae users: By means of individual invitation emails, by means of mass invitation emails, by means of manual entry of the Microsoft object IDs or by importing the Microsoft object IDs.<\/p>\n<h3>Assignment by invitation e-mail<\/h3>\n<ol>\n<li>Go to &#8220;Workspace Organization&#8221; and open the menu item &#8220;Users&#8221;.<\/li>\n<li>Click on the desired user to open the detailed view of this user.<\/li>\n<li>Click on &#8220;Send invitation&#8221; in the &#8220;Log in with SSO with Microsoft&#8221; section.<br \/>\n<a href=\"https:\/\/www.portatour.com\/blog\/users\/wp-content\/uploads\/sites\/2\/Benutzerdetailansicht-SSO-Microsoft-EN.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-9563\" src=\"https:\/\/www.portatour.com\/blog\/users\/wp-content\/uploads\/sites\/2\/Benutzerdetailansicht-SSO-Microsoft-EN.png\" alt=\"\" width=\"480\" height=\"442\" \/><\/a><\/li>\n<li>The user receives an email with an invitation link. This invitation link is valid for 30 days.<\/li>\n<li>After clicking on the invitation link, the user logs in to their Microsoft account.<\/li>\n<li>After logging in, the assignment is successfully created. You can recognize this if the Microsoft user name (UPN) is also displayed on the user&#8217;s detail page.<\/li>\n<\/ol>\n<p><em>Notes: <\/em><\/p>\n<ul>\n<li><em>For security reasons, the email address of the Microsoft user must match that of the portatour\u00ae user for the assignment invitation to work. 
After a successful assignment, the email addresses on both sides can be changed without affecting the assignment.<\/em><\/li>\n<li><em>To invalidate an invitation prematurely, click on the recycle bin symbol.<\/em><\/li>\n<li><em>To send a new invitation, click on &#8220;Send new invitation&#8221;. The original invitation will then become invalid.<\/em><\/li>\n<\/ul>\n<h3>Assignment by means of mass invitation e-mails<\/h3>\n<ol>\n<li>Go to &#8220;Workspace Organization&#8221; and open the menu item &#8220;Users&#8221;.<\/li>\n<li>At the end of the user list, click on &#8220;Edit all X&#8221;.<\/li>\n<li>In the column &#8220;Log in with SSO with Microsoft&#8221; in the section &#8220;X users have neither a linked Microsoft account nor an invitation&#8221;, click on &#8220;Send invitations&#8221;.<br \/>\n<a href=\"https:\/\/www.portatour.com\/blog\/users\/wp-content\/uploads\/sites\/2\/Benutzer-Massenbearbeitung-SSO-Einladung-EN.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-9569\" src=\"https:\/\/www.portatour.com\/blog\/users\/wp-content\/uploads\/sites\/2\/Benutzer-Massenbearbeitung-SSO-Einladung-EN.png\" alt=\"\" width=\"320\" height=\"190\" \/><\/a><\/li>\n<\/ol>\n<p><em>Notes:<\/em><\/p>\n<ul>\n<li><em>In the user list, use the selection mode or the extended search to specifically restrict the users affected by this process.<\/em><\/li>\n<li><em>The instructions for the individual invitation email apply analogously here.<\/em><\/li>\n<\/ul>\n<h3>Assignment by entering the Microsoft object ID<\/h3>\n<p>For this procedure, you must know the user&#8217;s Microsoft object ID. 
As the administrator of your Microsoft client, you will find this in the user management of the Microsoft Entra Admin Center.<\/p>\n<ol>\n<li>Go to &#8220;Workspace Organization&#8221; and open the menu item &#8220;Users&#8221;.<\/li>\n<li>Click on the desired user to open their detailed view.<\/li>\n<li>Click on &#8220;Enter Microsoft object ID&#8221; in the &#8220;Log in with SSO with Microsoft&#8221; section.<\/li>\n<li>Enter the Microsoft object ID of the user &#8211; preferably using Copy &amp; Paste from the Microsoft Entra Admin Center.<\/li>\n<li>Click &#8220;Save&#8221;.<\/li>\n<li>The user can then immediately log in to portatour\u00ae using SSO.<\/li>\n<li>Optionally, click on &#8220;Send access link&#8221; so that the user receives the link to the SSO login page of portatour\u00ae via email.<\/li>\n<li>You can recognize a successful login by the user if the Microsoft user name (UPN) is also displayed on the user&#8217;s detail page.<\/li>\n<\/ol>\n<p><em>Notes:<\/em><\/p>\n<ul>\n<li><em>Proceed carefully. 
When you enter the Microsoft object ID, there is no check of whether the user exists in your Microsoft client or whether it is the desired user.<\/em><\/li>\n<li><em>In this case, it is not necessary for the email addresses of the user in portatour\u00ae and Microsoft to match.<\/em><\/li>\n<\/ul>\n<h3>Assignment by importing the Microsoft object IDs<\/h3>\n<p>If you have the Microsoft object IDs of your users as a file, use the user import to assign them to existing or new users.<\/p>\n<p>In the import wizard, assign the corresponding column in your file to the &#8220;SSO Microsoft object IDs&#8221; field and then carry out the import in the usual way.<\/p>\n<p><em>Notes:<\/em><\/p>\n<ul>\n<li><em>The instructions for entering the Microsoft object ID apply analogously here.<\/em><\/li>\n<li><em>If the &#8220;SSO Microsoft object IDs&#8221; field is missing, you have not yet set up Microsoft as an SSO provider in portatour\u00ae.<\/em><\/li>\n<li><em>The name of the field also contains the name of the SSO provider you have specified.<\/em><\/li>\n<li><em>If you want to assign several Microsoft users to one portatour\u00ae user, separate the object IDs with a semicolon &#8216;;&#8217;.<\/em><\/li>\n<\/ul>\n<h2>Deactivating single sign-on<\/h2>\n<h3>Automatic blocking of a user<\/h3>\n<p>If a user is blocked or deleted by the SSO provider, the assigned user in portatour\u00ae loses the ability to log in via SSO after one hour at the latest. You do not need to do anything in portatour\u00ae. If the user was already logged in via SSO, they will be automatically logged out.<\/p>\n<h3>Remove SSO login for a user<\/h3>\n<p>If you no longer want to allow SSO logins for a specific user, click on the corresponding recycle bin icon on the user&#8217;s detail page to delete the SSO assignment. 
Alternatively, remove the Microsoft object ID from the corresponding line in the user import.<\/p>\n<h3>Deactivating or deleting an SSO provider<\/h3>\n<p>If you want to disable login with SSO for all users, deactivate the corresponding single sign-on provider in the organization options.<\/p>\n<p>You can then also delete the SSO provider. All SSO assignments of the users will be deleted.<\/p>\n<h2>Other notes on single sign-on<\/h2>\n<h3>SSO login and login with user name &amp; password<\/h3>\n<p>portatour\u00ae allows users to log in with both user name &amp; password and SSO. If you introduce SSO, this is done for existing users without interruption and without the need for strict timing.<\/p>\n<p>You can see both login options for a user in the user list. Manage them in the user&#8217;s detail view or via mass editing of users.<\/p>\n<h3>Deactivating login with user name &amp; password<\/h3>\n<p>If you have successfully introduced SSO, you can deactivate the login via user name &amp; password if desired.<\/p>\n<p>In a user&#8217;s detail view, click on &#8220;Disable login&#8221; in the &#8220;Log in with user name &amp; password&#8221; section.<\/p>\n<p>Alternatively, use mass editing in the user list. In any case, make sure beforehand that the affected users have already successfully logged in with SSO, e.g. by using &#8220;Search &gt; Extended &gt; Linked SSO accounts &gt; possible (link to account used)&#8221;.<\/p>\n<h3>Multiple SSO providers<\/h3>\n<p>portatour\u00ae allows you to set up multiple SSO providers. This supports the following scenarios, among others:<\/p>\n<ul>\n<li>Users from different organizations (countries, subcontractors, internal\/external) work in portatour\u00ae, whereby each organization is managed in a separate Microsoft client.<\/li>\n<li>You want to change the SSO provider. The transition is seamless for users, as both providers work in parallel.<\/li>\n<\/ul>\n<p>Assign a unique name to each SSO provider. 
In the user detail view and in user mass editing, each SSO provider appears in its own section; in user export\/import, each appears in its own column.<\/p>\n<h3>Multiple SSO assignments per user<\/h3>\n<p>Several SSO assignments can be stored for a user in portatour\u00ae. This is useful for the SSO provider change scenario mentioned above.<\/p>\n<p>Different portatour\u00ae users can also be assigned to the same user of an SSO provider. These portatour\u00ae users may also be located in different portatour\u00ae company accounts. In such cases, the user is prompted after the SSO login to select the desired portatour\u00ae user with which they wish to continue working.<\/p>\n<p>This is helpful, for example, in a scenario where an administrator manages several portatour\u00ae company accounts and therefore has a separate account in each portatour\u00ae company account.<\/p>\n<h3>SSO in conjunction with Microsoft Dynamics CRM<\/h3>\n<p>If you use Microsoft Dynamics CRM as your data source system, SSO is not yet possible. We are already working on an update to support SSO.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This news concerns administrators from company accounts with at least two users. To enable your users to log in to portatour\u00ae with your company&#8217;s Microsoft account, two steps are necessary: Setting up Microsoft as a single sign-on provider in portatour\u00ae and assigning Microsoft users to portatour\u00ae users. 
Setting up Microsoft as a single sign-on provider [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9696","post","type-post","status-publish","format-standard","hentry","category-anywhere-en"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/posts\/9696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/comments?post=9696"}],"version-history":[{"count":7,"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/posts\/9696\/revisions"}],"predecessor-version":[{"id":10306,"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/posts\/9696\/revisions\/10306"}],"wp:attachment":[{"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/media?parent=9696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/categories?post=9696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.portatour.com\/blog\/users\/en\/wp-json\/wp\/v2\/tags?post=9696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}