
Single Sign-On (SSO) with Microsoft Entra ID

Configure Single Sign-On (SSO) between Kivo and Microsoft Entra ID (formerly Azure AD), including admin consent steps, authentication flow details, and what to expect during setup and login.

Written by Casey Huxtable
Updated yesterday

Required Roles: N/A

Required Permissions: Workspace Manager

⚠️ Important Note on Entra SSO Options

Kivo supports two Microsoft Entra ID integration methods, but they provide different levels of access control.

Option 1 (Basic Microsoft Login) allows users to authenticate with their Microsoft account but does not enforce access control through Entra. User access is managed entirely within Kivo.

For organizations that require control over user access, guest users, or conditional access policies, Option 2 (SAML / Enterprise Application) is recommended.


Introduction

This article explains how to configure single sign-on (SSO) between Kivo and Microsoft Entra ID (formerly Azure Active Directory). It outlines how each integration approach works, what level of control is provided, and what to expect during setup.


Overview

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service. When integrated with Kivo, it allows users to sign in using their Microsoft credentials.

Kivo supports two different Entra ID integration approaches, which differ significantly in how authentication and access control are handled.


Integration Models

Kivo supports two Entra ID integration approaches.

Option 1 – Kivo-Managed App Registration

This option allows users to sign in to Kivo using their Microsoft credentials through a Kivo-managed Entra integration.

Customers grant admin consent to Kivo’s application, allowing Kivo to read basic profile information (such as email address) during login.

Important Behavior

  • This method does not enforce access control within your Entra tenant

  • It does not restrict users based on Entra assignment, groups, or conditional access

  • It simply allows users to authenticate with Microsoft as an identity provider

In this model, user access is determined entirely within Kivo.

If a user:

  • Exists in Kivo, and

  • Is not removed or deactivated in Kivo

they will continue to be able to log in, even if changes are made to their account in Entra ID.

Pros

  • Simple and fast to set up

  • No customer-side application management required

Cons

  • No Entra-based access enforcement

  • No control over guest user access from Entra

  • No support for enforcing assignment, groups, or conditional access policies

  • Access must be managed manually in Kivo
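Because Option 1 leaves deactivation to Kivo, a periodic comparison of Kivo's active users against the Entra directory shows which accounts still need manual removal. The sketch below is an added example, not Kivo tooling: the Entra columns use Microsoft Graph user property names, while the Kivo export columns (`email`, `status`) and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports. "mail", "accountEnabled" and "userType" are
# Microsoft Graph user properties; the Kivo columns are hypothetical.
ENTRA_CSV = """mail,accountEnabled,userType
alice@contoso.com,true,Member
bob@contoso.com,false,Member
carol@partner.example,true,Guest
"""

KIVO_CSV = """email,status
Alice@contoso.com,active
bob@contoso.com,active
carol@partner.example,active
dave@contoso.com,active
erin@contoso.com,deactivated
"""


def load(text, key):
    """Index CSV rows by a lower-cased e-mail column."""
    rows = csv.DictReader(io.StringIO(text))
    return {row[key].strip().lower(): row for row in rows}


def review_kivo_access(kivo_csv, entra_csv):
    """Return {email: reason} for active Kivo users that need review."""
    entra = load(entra_csv, "mail")
    findings = {}
    for email, row in load(kivo_csv, "email").items():
        if row["status"].strip().lower() != "active":
            continue  # already deactivated in Kivo, nothing to do
        user = entra.get(email)
        if user is None:
            findings[email] = "not found in Entra"
        elif user["accountEnabled"].strip().lower() != "true":
            findings[email] = "disabled in Entra"
        elif user["userType"].strip() == "Guest":
            findings[email] = "guest account, confirm access is intended"
    return findings


if __name__ == "__main__":
    for email, reason in sorted(review_kivo_access(KIVO_CSV, ENTRA_CSV).items()):
        print(f"{email}: {reason}")
```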


Option 2 – Customer-Managed App Registration

This option uses a SAML-based Enterprise Application configured directly in your Entra tenant.

Key Characteristics

  • Authentication and access are enforced within your Entra tenant

  • Users must:

    • Exist in your tenant

    • Be assigned to the application

    • Meet any Conditional Access or MFA requirements

Pros

  • Full control using Entra (assignment, groups, conditional access, MFA)

  • Proper enforcement of guest user access

  • Alignment with standard enterprise SSO practices

Cons

  • Slightly more complex setup

  • Requires configuration in Entra


How Authentication Works

Option 1 (Basic Microsoft Login)

  1. User clicks “Sign in with Microsoft”

  2. User authenticates with Microsoft

  3. Microsoft returns identity information to Kivo

  4. Kivo validates the response

  5. Kivo grants access if the user exists in Kivo

Access is controlled by Kivo, not Entra.

Option 2 (SAML / Enterprise Application)

  1. User initiates login from Kivo

  2. User is redirected to your Entra tenant

  3. Entra authenticates the user

  4. Entra evaluates:

    • User assignment

    • Group membership

    • Conditional access policies

  5. Entra returns a SAML response to Kivo

  6. Kivo grants access based on a successful response

Access is controlled by your Entra tenant.


Configuration Steps

Configuration Steps (Option 1 – Kivo-Managed App)

Step 1 – Identify Your Entra ID Tenant

  1. Log in to the Azure portal

  2. Navigate to Microsoft Entra ID

  3. Locate your Primary Domain

Step 2 – Grant Admin Consent

  1. Copy the URL below

  2. Replace [[Your Domain]] with your tenant domain

  3. Paste the URL into a browser and sign in as an Entra ID admin

https://login.microsoftonline.com/[[Your Domain]]/adminconsent?client_id=fa5ce509-b556-442b-831f-4c5bb5e589f1&redirect_uri=https%3A%2F%2Fkivo.io

This grants Kivo read-only access to user profile data for authentication.
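Before an administrator signs in to grant consent, it is worth confirming that the link being opened is exactly the one documented in Step 2. The following added example (not Kivo's code) builds the URL from the template above and checks a received link against it; the tenant domain `contoso.com` used in the demo is a constructed sample value.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Values taken from the consent URL shown in Step 2.
KIVO_CLIENT_ID = "fa5ce509-b556-442b-831f-4c5bb5e589f1"
KIVO_REDIRECT_URI = "https://kivo.io"
CONSENT_HOST = "login.microsoftonline.com"


def build_consent_url(tenant_domain: str) -> str:
    """Fill the [[Your Domain]] placeholder with a tenant domain."""
    tenant = tenant_domain.strip().lower()
    # Accept only plain domain characters so the path cannot be altered.
    if not re.fullmatch(r"[a-z0-9.-]+", tenant):
        raise ValueError(f"not a plain domain name: {tenant_domain!r}")
    return (
        f"https://{CONSENT_HOST}/{tenant}/adminconsent"
        f"?client_id={KIVO_CLIENT_ID}"
        f"&redirect_uri={quote(KIVO_REDIRECT_URI, safe='')}"
    )


def check_consent_url(url: str, tenant_domain: str) -> list:
    """Return a list of mismatches; an empty list means the link matches."""
    problems = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.netloc.lower() != CONSENT_HOST:
        problems.append(f"unexpected host {parts.netloc!r}")
    if parts.path.lower() != f"/{tenant_domain.strip().lower()}/adminconsent":
        problems.append(f"unexpected path {parts.path!r}")
    if query.get("client_id") != [KIVO_CLIENT_ID]:
        problems.append("client_id is not the one published on this page")
    if query.get("redirect_uri") != [KIVO_REDIRECT_URI]:
        problems.append("redirect_uri is not https://kivo.io")
    extra = set(query) - {"client_id", "redirect_uri"}
    if extra:
        problems.append(f"unexpected parameters: {sorted(extra)}")
    return problems


if __name__ == "__main__":
    link = build_consent_url("contoso.com")  # constructed sample tenant
    print(link)
    print(check_consent_url(link, "contoso.com") or "link matches Step 2")
```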

Step 3 – Notify Kivo

Once consent is complete:

  • Notify your Kivo point of contact or [email protected]

  • Kivo completes the remaining configuration

  • SSO is enabled for your workspace

Post-Configuration Behavior

  • Users log in via the Kivo login page

  • Users select “Sign in with SSO”

  • After first login, future sessions may redirect automatically

  • User access is controlled within Kivo

Configuration Steps (Option 2 – SAML / Enterprise Application)

Because this configuration is specific to your organization, setup instructions will be provided with values tailored to your Entra tenant and Kivo workspace (including identifiers and URLs). To proceed with this option, please contact [email protected] or your Kivo point of contact, and we will provide the required configuration details and guide you through setup.


Recommendation

For organizations that require control over:

  • User access and assignment

  • Guest user restrictions

  • Conditional access policies

  • MFA enforcement

Kivo recommends using Option 2 (SAML / Enterprise Application).

