# Microsoft Entra Integration (SSO)

### Add a new application for Zylon

The goal is to obtain the 3 values that will be used to configure Zylon so that users can log in with a Microsoft account.

* `Application (client) ID`
* `Client Secret`

1. First, log in to the [https://portal.azure.com/#home](https://portal.azure.com/#home) console dashboard.
2. Click `Microsoft Entra ID`.

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/microsoft/image.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=cd5a3a168800539d6a172d12b9a639c2" alt="image.png" width="2270" height="386" data-path="images/operator-manual/openid-images/microsoft/image.png" />

3. Register a new App. Click on `App registrations` on the left menu.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_1.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=b39240470fa532c148d5a2d7044d4e00" alt="image.png" width="2366" height="1076" data-path="images/operator-manual/openid-images/microsoft/image_1.png" />

4. Click on `New Registration`.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_2.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=c0802132759a745e16d35c368d473837" alt="image.png" width="2422" height="904" data-path="images/operator-manual/openid-images/microsoft/image_2.png" />

A new window will open. Enter the following information:

* ⚠️ Redirect URI type is **web**⚠️
* Redirect URI: `https://zylon.company.com/api/v1/auth/microsoft/callback`. Replace `zylon.company.com` with the domain where Zylon is hosted (it is the same domain as in the config file located at `/etc/zylon/zylon-conf.yaml`).
* Supported account types: All account types are supported. Choose based on your specific needs.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_3.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=c05fc3ea6500ec894aa29bba0c1f39bb" alt="image.png" width="1890" height="1188" data-path="images/operator-manual/openid-images/microsoft/image_3.png" />

* If you want to change it later, you can do so in the `Application Overview`.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_4.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=8a45683409d3da704563900f8487e601" alt="image.png" width="2726" height="630" data-path="images/operator-manual/openid-images/microsoft/image_4.png" />

5. Save the following value; it will be used later in the Zylon config file.

* Application (client) ID

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_5.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=22e6f6ee68858bca69404fb6e365b52c" alt="image.png" width="2616" height="652" data-path="images/operator-manual/openid-images/microsoft/image_5.png" />

6. Now generate the `Client Secret`. In the left menu, click `Manage > Certificates & secrets`.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_6.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=c171e6123e85978a76430a13ea32a6a9" alt="image.png" width="50%" data-path="images/operator-manual/openid-images/microsoft/image_6.png" />

7. Click on `New client secret` and add the required information.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_7.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=ede6d89d5c968411e21a1eecd09635cd" alt="image.png" width="2568" height="1520" data-path="images/operator-manual/openid-images/microsoft/image_7.png" />

8. Copy the `Value` of the client secret.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_8.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=8a216df83330c7711de9f9dd0a1e164f" alt="image.png" width="2120" height="586" data-path="images/operator-manual/openid-images/microsoft/image_8.png" />

9. Verify that the `User.Read` permission is granted. Click on `API Permissions` on the left menu. You should see it there by default. If it is missing, grant it.

<img src="https://mintcdn.com/zylon/bIRZmoPdFWuTOEQj/images/operator-manual/openid-images/microsoft/image_9.png?fit=max&auto=format&n=bIRZmoPdFWuTOEQj&q=85&s=d59e4c567215bb167d30d6bc5ce888d0" alt="image.png" width="2778" height="1446" data-path="images/operator-manual/openid-images/microsoft/image_9.png" />

10. Add the following configuration to `/etc/zylon/zylon-conf.yaml`:

<Warn>
  The config file is a `.yaml` file, so indentation, spaces, colons and double quotes are very important.
</Warn>

```yaml
auth:
  microsoft:
    enabled: true
    redirectUri: "https://zylon.company.com/api/v1/auth/microsoft/callback"
    tenantId: "common"
    clientId: "8c7d......"
    clientSecret: ".RS8Q~....."
```
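
A pre-flight check for the `auth.microsoft` block above, as an added example (not Zylon's own code): it takes the already-parsed mapping as a dict and flags the mistakes this procedure invites, such as a redirect URI that differs from the registered one or the Secret ID pasted instead of the secret `Value`. The function name, the finding texts and the sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/v1/auth/microsoft/callback"   # path used in this guide
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SHARED_AUTHORITIES = {"common", "organizations", "consumers"}  # not one directory


def audit_microsoft_auth(ms, zylon_host):
    """Return findings for the already-parsed `auth.microsoft` mapping (a dict)."""
    findings = []
    if ms.get("enabled") is not True:
        findings.append("enabled: not set to true")

    uri = urlsplit(str(ms.get("redirectUri", "")))
    if uri.scheme != "https":
        findings.append("redirectUri: scheme is not https")
    if uri.hostname != zylon_host.lower():
        findings.append("redirectUri: host is not the Zylon domain")
    if uri.path != CALLBACK_PATH or uri.query or uri.fragment:
        findings.append("redirectUri: path must be exactly " + CALLBACK_PATH)

    tenant = str(ms.get("tenantId", "")).lower()
    if tenant in SHARED_AUTHORITIES:
        findings.append("tenantId: '%s' is not limited to one directory; "
                        "check it matches the supported account types" % tenant)

    if not GUID.match(str(ms.get("clientId", ""))):
        findings.append("clientId: not a GUID (Application (client) ID expected)")

    secret = str(ms.get("clientSecret", ""))
    if not secret or "...." in secret:   # heuristic for the doc's "....." filler
        findings.append("clientSecret: empty or still a placeholder")
    elif GUID.match(secret):
        findings.append("clientSecret: looks like the Secret ID, not the Value")
    return findings


# Constructed sample: http scheme, trailing slash, Secret ID pasted as the secret.
SAMPLE = {
    "enabled": True,
    "redirectUri": "http://zylon.company.com/api/v1/auth/microsoft/callback/",
    "tenantId": "common",
    "clientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "clientSecret": "11111111-2222-3333-4444-555555555555",
}

if __name__ == "__main__":
    for finding in audit_microsoft_auth(SAMPLE, "zylon.company.com"):
        print("-", finding)
```

Entra matches the redirect URI sent at sign-in against the registered one exactly, so a trailing slash or an `http` scheme is enough to make the login fail.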

Run the following command to refresh the configuration:

```bash
sudo zylon-cli sync
```

You should now see the Microsoft Account SSO button.

<Tip>
  If you don't see the Microsoft Account button to log in, clear the browser cache.
</Tip>

### How to manage users

By default, everybody in the Directory can access Zylon and will be granted the `member` role. To limit the users that are able to log in to Zylon, see the following link:

[https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-access-management](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-access-management)
