# SSO with Microsoft Entra ID – Secure Privacy Setup Guide

> Connect Microsoft Entra ID (Azure AD) to Secure Privacy in 5 steps. Centralize user login, eliminate separate passwords, and manage access from one place.

- Canonical: https://support.secureprivacy.ai/article/single-signon-sso-configuration-integration-with-microsoft-entra-id
- Product: Consent Management
- Category: Integrations
- Published: 2026-03-06T07:13:00+00:00
- Updated: 2026-03-25T23:52:49.847+00:00
- Reading time: 7 minutes

---

Managing user access to a consent management platform shouldn't mean handing out yet another set of credentials. When your team grows — or when an employee leaves — manually updating logins in every tool creates real security and compliance risk. Juggling separate passwords for your privacy platform is friction your IT and compliance teams don't need.

Many organizations try to solve this with shared accounts or manual offboarding checklists, but both approaches are error-prone and fail even basic access-control audits. A proper **Single Sign-On (SSO)** integration is the right fix — and if your organization already uses **Microsoft Entra ID** (formerly Azure Active Directory), you're minutes away from a clean solution.

**Secure Privacy natively supports Microsoft Entra ID SSO.** Once connected, every user in your Azure AD tenant can log in to Secure Privacy with their existing Microsoft credentials — no separate password, no manual provisioning, and instant access revocation the moment you disable an account in Azure.

By the end of this guide you will have a fully working **Microsoft Entra ID SSO integration** with Secure Privacy: your Tenant ID, App Registration, API permissions, and client secret all wired up so your team can sign in via the Microsoft login button on their very next visit.

## Who Is This Guide For?

This article is written for **IT administrators and compliance managers** who:

-   Manage their organization's Microsoft Entra ID (Azure AD) tenant
    
-   Have an active Secure Privacy account with administrator access
    
-   Want to centralize authentication so team members use their Microsoft credentials to access Secure Privacy
    

## Prerequisites

-   An active **Microsoft Entra ID** (Azure AD) tenant
    
-   An Azure account with permission to create App Registrations and grant Admin consent (typically a **Global Administrator** or **Application Administrator** role)
    
-   An active **Secure Privacy** account with admin rights to access SSO settings
    
-   All Secure Privacy user email addresses must match the **User Principal Name (UPN)** format in your Azure tenant (no `EXT` guest accounts)
    

## Step 1 — Locate Your Tenant ID in Azure

Your **Tenant ID** identifies your organization's Microsoft Entra ID directory. Secure Privacy needs it to know which Azure AD tenant to authenticate against.

1.  From the **Azure Home page**, use the search bar to find **"Microsoft Entra ID"** and navigate to it.
    

![Azure Home page search bar with 'Microsoft Entra ID' entered to navigate to the directory overview](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/93cfd9fd4eee79a5bffe-24375920c3d1.webp)

Search for "Microsoft Entra ID" from the Azure Home page.

2.  On the Microsoft Entra ID overview page, locate your **Tenant ID** and copy it.
    
3.  Paste the Tenant ID into the **SSO settings page** of your Secure Privacy account.
    

![Microsoft Entra ID overview page showing the Tenant ID field to copy for Secure Privacy SSO configuration](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/ba76db95d2e5e8ba9f3d-1af4d03427a9.webp)

Copy the Tenant ID from the Microsoft Entra ID overview page.

## Step 2 — Create an Enterprise App Registration in Microsoft Entra ID

An **App Registration** tells Azure AD that Secure Privacy is an authorized application allowed to authenticate your users.

1.  From the **Azure Home page**, search for **"Microsoft Entra ID"**, then click **"Add"** → **"App registration."**
    

![Microsoft Entra ID page showing the Add menu with the App registration option selected to create a new SSO application for Secure Privacy](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/5b8382a5e93b7456cf8f-ab2e39a27a35.webp)

Select "App registration" from the Add menu in Microsoft Entra ID.

2.  In the setup wizard, enter a **name** for your SSO application (this can be changed later).
    
3.  Select the appropriate **account type** as shown below:
    

![Azure App registration setup wizard showing the supported account type selection for the Secure Privacy SSO application](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/9d7298de81f7235dadff-29c4c1396b04.webp)

Choose the supported account type for your Secure Privacy SSO app registration.

4.  Once created, you will be redirected to the application's overview page. Locate your **Application (client) ID**.
    

![Azure App registration overview page showing the Application (client) ID field to copy for Secure Privacy SSO settings](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/13328ee99ab751a44157-bba7a1608197.webp)

Copy the Application (client) ID from the App Registration overview.

5.  Copy the **Application (client) ID** and paste it into the SSO settings page in your Secure Privacy account.
    

![Secure Privacy SSO settings page showing the Application (client) ID field where the Azure App Registration value should be pasted](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/0c985a93ffeb685844b3-c1de9ce82784.webp)

Paste the Application (client) ID into Secure Privacy's SSO settings.

## Step 3 — Configure Microsoft Graph API Permissions

Secure Privacy requires specific **Microsoft Graph API permissions** to read user identities during the SSO login flow. This step also covers the redirect URI and email format requirements.

### Grant the Required API Permissions

Navigate to the **API Permissions** page of your SSO application and confirm the following permissions are granted to **Microsoft Graph**:

**Delegated permissions:**

-   `email`
    
-   `openid`
    
-   `profile`
    

**Application permissions:**

-   `User.Read.All`
    

![Azure API permissions page showing the required Microsoft Graph API delegated and application permissions for Secure Privacy SSO](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/dd995b0557097e3fe782-e1d749d70046.webp)

Confirm all four required Microsoft Graph API permissions are listed.

### Grant Admin Consent for All Permissions

Ensure that all configured permissions have been **granted with Admin consent**:

![Azure API permissions page showing Admin consent status granted for all Microsoft Graph API permissions required by Secure Privacy](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/6c97d5da5589c48d2896-e19cab18c247.webp)

All permissions must show Admin consent granted before SSO will work.

**Note:** If you cannot grant Admin consent yourself, ask your organization's **Global Administrator** to approve the permissions.

### Verify the User Principal Name (UPN) Email Format

The email address stored in Secure Privacy for each user must exactly match their **User Principal Name (UPN)** in Azure. This applies to the admin configuring SSO and to every user added on the Users page.

**Important:** Email addresses containing `"EXT"` (external/guest accounts) are not supported and will prevent login.

![Azure user list showing the User Principal Name email format required for Secure Privacy SSO user matching — EXT addresses not supported](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/bcd79930b9c73b26825a-c3dd4270267e.webp)

Confirm each user's UPN in Azure matches the email stored in Secure Privacy.

### Set the Redirect URI on the Authentication Page

On the **Authentication** page of your Azure App Registration:

1.  Select **"Web"** as the platform.
    
2.  Add `https://cmp.secureprivacy.ai/` as the **Redirect URI**.
    

![Azure App registration Authentication page showing the Web platform redirect URI set to https://cmp.secureprivacy.ai/ for Secure Privacy SSO](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/d08bec54b11a8803bf15-3e29f3ab4e72.webp)

Add `https://cmp.secureprivacy.ai/` as the redirect URI under the Web platform.

## Step 4 — Create a Client Secret for the SSO Application

The **client secret** is the credential Secure Privacy uses to authenticate with your Azure App Registration. Copy it immediately — Azure only shows the value once.

1.  In **App Registrations**, select your SSO application.
    
2.  Navigate to **"Certificates & secrets"** and click **"+ New client secret."**
    
3.  **Immediately copy the "Value"** of the newly created client secret — this value is only visible once.
    

![Azure Certificates and secrets page showing a newly created client secret with its Value field available to copy for Secure Privacy SSO](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/0e730e1e28074840f7d4-c139a8efee6f.webp)

Copy the client secret Value immediately — it won't be shown again after you leave this page.

4.  Paste the client secret value into the **"Client secret"** field in your Secure Privacy SSO settings.
    

![Secure Privacy SSO settings page showing the Client secret field where the Azure client secret value should be pasted](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/9f27d54f879ff0fcb738-ecf0ec21bdfb.webp)

Paste the client secret value into the corresponding field in Secure Privacy's SSO settings.

## Step 5 — Add Users and Enable Microsoft SSO Login in Secure Privacy

Your SSO configuration is complete. The final step is adding your Azure organization's users in Secure Privacy so they can log in with their Microsoft accounts.

Add users via the **Users page** in Secure Privacy, using their Azure **User Principal Name** as their email address:

![Secure Privacy Users page showing where to add Azure Active Directory organization users to enable Microsoft SSO login](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/b07c27147d1f75e3842d-c64f4fa729d8.webp)

Add Azure users to Secure Privacy via the Users page using their UPN email addresses.

Once added, your Azure users can **log in to Secure Privacy using their Microsoft account** — no separate Secure Privacy password required.

![Secure Privacy login page showing the Microsoft SSO sign-in button available for users authenticated via Azure Active Directory](https://pub-7bd19505838640d0a08ef1bd6ec3fb9b.r2.dev/articles/dcaa5a1f0b461d9e37c5-3754d22b9698.webp)

Users will see a "Sign in with Microsoft" option on the Secure Privacy login page.

## What Happens After SSO Is Enabled

Once the integration is live, user access is managed entirely from your Azure tenant. Disable or remove a user in Microsoft Entra ID and their Secure Privacy access is revoked automatically on their next login attempt — no separate offboarding step required in Secure Privacy.

If your organization's SSO configuration changes (for example, a client secret expires or you rotate credentials), simply generate a new client secret in Azure and update the value in Secure Privacy's SSO settings page.

## Troubleshooting Microsoft Entra ID SSO in Secure Privacy

### Users receive a login error after SSO is configured

Check the following in order:

1.  The user's email in Secure Privacy exactly matches their **User Principal Name (UPN)** in Azure — including letter case.
    
2.  The email address does **not** contain `EXT`. External/guest Azure accounts are not supported.
    
3.  All four Microsoft Graph API permissions are present _and_ have been granted Admin consent (look for a green tick in the Azure API Permissions page).
    
4.  The redirect URI `https://cmp.secureprivacy.ai/` is saved on the Authentication page with **Web** selected as the platform.
    

### The client secret value is no longer available

If you navigate away from the Certificates & secrets page before copying the value, the secret cannot be recovered. Delete the old secret and create a new one, then update the Client secret field in Secure Privacy's SSO settings immediately.

### Admin consent cannot be granted

Only users with the **Global Administrator** or **Privileged Role Administrator** role in Azure can grant tenant-wide Admin consent. Contact your IT department or Azure tenant admin and share the API Permissions page URL with them.

## Frequently Asked Questions

### Does Secure Privacy support Single Sign-On (SSO)?

Yes. Secure Privacy supports SSO via **Microsoft Entra ID** (formerly Azure Active Directory). Once configured, your team logs in with their existing Microsoft credentials — no separate Secure Privacy password is needed.

### What is Microsoft Entra ID and how is it different from Azure Active Directory?

Microsoft Entra ID is the new name for Azure Active Directory (Azure AD) following Microsoft's 2023 rebrand. The underlying identity platform and SSO integration process are identical — if your organization already has an Azure AD tenant, you already have Microsoft Entra ID.

### Do I need a Global Admin to set up SSO with Microsoft Entra ID?

You need an account with permission to create App Registrations and grant tenant-wide Admin consent. If you can't grant Admin consent yourself, ask your organization's **Global Administrator** to approve the Microsoft Graph API permissions.

### What Microsoft Graph API permissions does Secure Privacy SSO require?

Three delegated permissions — `email`, `openid`, and `profile` — plus one application permission: `User.Read.All`. All four must be granted Admin consent in the Azure portal.

### What redirect URI should I use for Secure Privacy SSO?

Add `https://cmp.secureprivacy.ai/` as a redirect URI on the Authentication page of your Azure App Registration, with **Web** selected as the platform type.

### Why can't my users log in to Secure Privacy after SSO is set up?

The most common causes are a mismatch between the user's email in Secure Privacy and their Azure UPN, an email address containing `EXT` (guest accounts are unsupported), missing Admin consent on API permissions, or a missing redirect URI. See the Troubleshooting section above for a step-by-step resolution checklist.

## Related Articles

-   [Managing Users and Roles in Secure Privacy](https://support.secureprivacy.ai/article/managing-users-in-secure-privacy-adding-editing-and-deleting-team-members)
    
-   [Account Security Settings Overview](https://support.secureprivacy.ai/article/how-to-edit-your-account-settings-in-secure-privacy)
    
-   [Using the Secure Privacy Audit Log](https://support.secureprivacy.ai/article/understanding-the-audit-log-audit-trail-in-secure-privacy)
