ResourcesDocs › Microsoft 365 › SSO
Docs · Microsoft 365

Single Sign-On with Microsoft 365 (Entra ID)

Sign in with the Microsoft account: setting up OpenID Connect between Entra ID and unixpass

Version: July 2026 · Audience: Administrators · unixpass + Microsoft 365 / Entra ID

What is this about?

With single sign-on, users sign in to unixpass with their Microsoft 365 account — no separate password. unixpass uses OpenID Connect against Microsoft Entra ID. It uses the same Entra app registration (“UXP”) that also powers custom e-mail sending.

Who configures what?

Own unixpass installation (OnPremise / Master)

You configure everything yourself in UXP-Admin (part 2).

Tenant on the R3levance cloud

You complete part 1 (Microsoft Entra) and securely hand the values to R3levance support — they enable SSO for your tenant.

Prerequisites

  • Microsoft 365 tenant with access to the Entra admin center (role: Global Administrator or Application Administrator)
  • An app registration for unixpass (“UXP”) — can be shared with mail sending
  • The redirect URIs of your unixpass installation: for cloud tenants part of the individual access data provided by R3levance, for self-hosted systems derived from your system URL
  • Users sign in with e-mail addresses of your domain (e.g. first.last@your-domain.com)

Part 1 — Microsoft Entra: configure the app

1

Open the app registration

In the Entra admin center, open Entra ID → App registrations and select the UXP app. If none exists yet: New registration → name “UXP”, account type “Accounts in this organizational directory only”.

From the app overview, note the Application (client) ID and the Directory (tenant) ID.
Entra: App-Registrierungen
Entra ID → App-Registrierungen / App registrations
2

Add the redirect URIs

Open Entra ID → App registrations → UXP → Authentication (possibly “Authentication (Preview)”). On the Redirect URI configuration tab, click Add redirect URI and choose platform type Web (in the old experience: Add a platform → Web). Enter the return URLs of your unixpass installation there — the configured URIs are later visible on the app Overview under “Redirect URIs”. Important: each language in use needs its own URI including the language parameter — offering German and English means two URIs:

https://<UNIXPASS-URL>/de/extranet/openidGerman interface
https://<UNIXPASS-URL>/en/extranet/openidEnglish interface
⚠️ <UNIXPASS-URL> is a placeholder — only this leading part is individual. The exact base URL is part of the individual tenant data issued by R3levance; for self-hosted systems it derives from your system URL. The path /<language>/extranet/openid is fixed. URIs must match exactly — otherwise login fails with AADSTS50011.
Entra: Umleitungs-URIs
Authentication (Preview) → Redirect URI configuration: one Web URI per language — the domain part is installation-specific (masked here).
3

Verify the delegated permissions

For sign-in, the app needs the delegated Microsoft Graph permissions email, openid, profile and User.Read (API permissions → Add a permission → Microsoft Graph → Delegated permissions). Then grant admin consent so users don’t see a consent prompt on first login. The Mail.Send permission (type “Application”) in the figure belongs to mail sending, not to SSO.

Entra: API-Berechtigungen
API permissions of the UXP app: the four delegated permissions carry SSO; Mail.Send (Application) belongs to the mail-sending howto.
4

Create a client secret and note its expiry date

Under Certificates & secrets → New client secret, create a secret (unless one already exists for mail sending — the same secret can serve both). Copy the value immediately and also note the expiry date — it is stored in UXP-Admin in part 2 so unixpass reminds you in time to renew.

⚠️ Treat the secret like a password: never send it unencrypted and never show it in screenshots or recordings. Once expired, SSO login (and mail sending, if shared) stops working.
5

Assign users — preferably via groups

Go to Entra ID → Enterprise applications → UXP → Users and groups → Add user/group. Individual users can be assigned directly — for larger setups, controlling access via security groups is the better choice: new employees then get unixpass access simply through group membership (e.g. a “UXP users” group) without touching the app assignment.

Entra: Benutzer und Gruppen
Enterprise applications → UXP → Users and groups: assigned users or groups (names masked).
  • To ensure only assigned users can sign in: Enterprise applications → UXP → Properties → “Assignment required?” = Yes.
  • Assigning security groups to applications requires Microsoft Entra ID P1 (included in many M365 Business/Enterprise plans).
  • Nested groups are not resolved for app assignment — only direct members get access.
6

Optional: upload an app logo

Under Enterprise applications → UXP → Properties (or app registration → Branding & properties) you can upload a logo so the app is recognizable in the Microsoft “My Apps” portal and in consent dialogs. Recommended: square PNG, 215×215 px, max. 256 KB. Official unixpass assets for download:

UXP App-Icon 215

App icon 215×215 (for Entra)

Download
UXP App-Icon 1024

App icon 1024×1024

Download
unixpass Logo

unixpass wordmark (PNG)

Download

You now have these values

Application (client) IDCLIENT_APP_ID — GUID from the app overview
Client secretCLIENT_APP_SECRET — value from step 4
Directory (tenant) IDTENANT_ID — GUID from the app overview
Secret expiry datefrom step 4 — stored in UXP-Admin as a reminder

Part 2 — unixpass: enable SSO in UXP-Admin

☁️ R3levance cloud tenants: this part is done by R3levance support. Hand over the values from part 1 (incl. the users’ mail domain and the secret expiry date) through a secure channel — no plain-text e-mail.

In UXP-Admin, open the tenant settings and enable the Single Sign-On section:

Single Sign-On
your-domain.com
The e-mail domain of the members e.g.: example.com
https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration
e.g.: http://example.com/realms/master/.well-known/openid-configuration
CLIENT_APP_ID
CLIENT_APP_SECRET
📅 YYYY-MM-DD
Date when the SSO certificate expires (e.g., 2027-11-13). A notification will be sent 14 days before expiration.
UXP-Admin: Single Sign-On — replace the values with your own.

The fields in detail

Domainthe users’ mail domain. Sign-ins with addresses of this domain are routed to Microsoft via SSO.
EndpointOpenID Connect discovery URL of the tenant: https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration — replace TENANT_ID with the directory ID.
Client ID / Client Secretapplication ID and secret of the UXP app from part 1.
SSO Certificate Expiration Dateexpiry date of the client secret. unixpass sends a reminder 14 days before expiry — create a new secret in time and update it here and in Entra.

Testing & troubleshooting

Sign in to unixpass in a private browser window with an assigned user. Typical issues:

Error AADSTS50011 (redirect URI mismatch)Redirect URI missing or not matching exactly — forgot the language parameter (/de, /en)?
Error AADSTS700016 (application not found)Wrong client ID, or the endpoint points to the wrong tenant.
Error AADSTS7000215 (invalid client secret)Secret copied incorrectly or expired — create a new secret, update UXP-Admin and the reminder date.
Error AADSTS50105 (user not assigned)User is not assigned to the app — check group membership (nested groups don’t count).
Users see a consent promptAdmin consent for the delegated permissions is missing (part 1, step 3).
Login form instead of SSO redirectDomain in UXP-Admin doesn’t match the user’s mail address, or SSO is not enabled.