Microsoft Entra

Overview

Microsoft Entra is a cloud platform from Microsoft for building, deploying, and managing applications and services across a global network of data centers. Integrating Microsoft Entra with the XMP allows you to:

  • enable users in the account to log in to the XMP using single sign-on (SSO) with their Microsoft credentials;

  • create, update, and deactivate users in the hierarchy automatically using Entra Webhooks.

Prerequisites for Integrating with Microsoft Entra

Before Entra credentials can be used for SSO or hierarchy updates with an Account in Experience.com, an administrator with access to the organization’s Entra business account must also have Account Manager or Organization Manager access in the XMP.

Configure the Integration

Follow these steps to configure Entra for an Account and allow users to utilize the SSO option:

  1. Create a new Microsoft Entra Connection in the Account’s setup.

    1. To create a new configuration, navigate to the Account Settings page and open the Ingestion Settings. Click Azure (this is the old name; the UI label will be updated soon), and then click the blue New Connection button.

    2. On the configuration menu that expands from the right side of the page, you will see a setting to Connect Azure Active Directory.

    3. Note: Connect Azure Active Directory should only be toggled on if you plan to sync user profile data such as address, phone number, and URLs. It is not required for SSO login. If you are only using Azure for SSO, leave this toggle off.

  2. Enter valid Microsoft administrator login credentials on the Microsoft login page.

  3. Upon initial login to the Entra business account from the XMP, Microsoft will request permission for application access. Enter a justification (e.g., 'enabling SSO' or 'automating hierarchy changes'), then click the Request approval button.

    1. After approving, your screen may display a message stating that the request has been sent. In the next steps, you will log back into the Entra account to approve the request.

  4. Go to https://azure.microsoft.com/en-us/ and sign in to the Entra business account again.

  5. Once logged in to Entra as an administrator, locate the Admin consent requests within the Account Activity menu.

    1. The request you just submitted from Experience.com should be on this page.

    2. When the request details expand from the right side of the page, click Review Permissions and Consent.

    3. You might be asked to log in one more time. Enter your account credentials on the page and click Next.

    4. On the next screen, you will be asked to review the permissions that were just requested via Experience.com. Click the blue Accept button.

Once the permissions have been accepted in Microsoft Entra, you will be redirected back to the XMP, where details about the newly established Microsoft Entra connection are displayed. You may exit this menu, as the connection has been established and activated.

Active Microsoft Entra Connections

When the Entra connection is established and activated, new users created within the integrated Entra Directory will be automatically added to the XMP with single sign-on capabilities. Existing users within the account will also be able to log in using SSO if their email address in the XMP matches the email address associated with their profile in Microsoft Entra.

Note: as a best practice, it is recommended that Experience.com users are isolated in a separate user group on the Microsoft side.

Users who hold only an admin role (Account Manager) and have no regular user profile will not be able to log in to the platform via SSO. If Account Managers also need SSO, a user profile must be added for each of them (these profiles do not have to be public; internal is sufficient).

How the Connection Works from a Security Standpoint

When the connection is established:

  • New users created in the integrated Entra Directory will be automatically added to the XMP with SSO capabilities.

  • Existing users can log in using SSO if their XMP email address matches their Entra profile email address.

  • If a user is created or updated in Entra, Experience.com will receive a webhook from Entra to create or update the user details on the XMP side.

Entra SSO Login Flow:

  • The Experience.com website includes a new option, "Login with Entra," which functions similarly to a Google login.

  • Clicking "Log in with Entra" redirects to the Microsoft Entra login page for Entra-based authentication.

  • After authentication, Microsoft calls back to the XMP's API (e.g., http://localhost:3000/auth/microsoft_graph_auth/callback) with a code.

    Note: the http://localhost:3000/auth/microsoft_graph_auth/callback route is based on the Microsoft Graph API, which Microsoft confirmed is not being renamed to Entra Graph at this time.

  • Based on this callback, the XMP obtains an auth token, validates the user, and redirects the user if they exist in the user table.

  • If the user is not present in the user table, the redirect is not authorized.
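The callback step of the login flow above, written out as an added example (this is not Experience.com's code). The code-for-token exchange with Microsoft is replaced by a constructed stub so it runs offline; the issuer, audience, user table and sample codes are all hypothetical values. What it makes explicit is the decision the XMP has to make: reject a callback whose state does not match, reject a token not issued for this app and tenant, and only redirect when the email from the token already exists in the user table.

```python
import secrets
from typing import Optional

# Constructed sample data: the XMP user table keyed by email, plus the
# app-registration values the callback must check the token against.
USER_TABLE = {"alice@contoso.example": {"id": 17, "home": "/dashboard"}}
EXPECTED_ISSUER = "https://login.microsoftonline.com/{tenant-id}/v2.0"  # placeholder
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-000000000000"              # placeholder app id

# Hypothetical stub standing in for the real token endpoint: maps a
# callback code to the claims that would be read from the returned ID token.
FAKE_TOKEN_ENDPOINT = {
    "code-alice": {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                   "email": "Alice@contoso.example"},
    "code-mallory": {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                     "email": "mallory@contoso.example"},
    "code-foreign": {"iss": "https://login.microsoftonline.com/other/v2.0",
                     "aud": EXPECTED_AUDIENCE, "email": "alice@contoso.example"},
}


def exchange_code(code: str) -> Optional[dict]:
    """Stub for the code-for-token exchange; None means Microsoft rejected the code."""
    return FAKE_TOKEN_ENDPOINT.get(code)


def handle_callback(code: str, state: Optional[str], session_state: str):
    """Return (http_status, location_or_reason) for one callback request."""
    # 1. The state parameter must equal the value saved when login started,
    #    otherwise the callback was not initiated by this browser session.
    if not state or not secrets.compare_digest(state, session_state):
        return 400, "state mismatch"
    claims = exchange_code(code)
    if claims is None:
        return 401, "code rejected"
    # 2. The token must come from the expected tenant and be for this app.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return 401, "token not issued for this app/tenant"
    # 3. Match on email (case-insensitive) and redirect only for known users;
    #    unknown users are not provisioned at login time.
    user = USER_TABLE.get(claims.get("email", "").lower())
    if user is None:
        return 401, "not authorized"
    return 302, user["home"]
```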

Allow user login from MyApps (https://myapps.microsoft.com/)

Go to Enterprise applications → Manage → Properties.

Change the settings below as shown in the attached screenshot:

  • Enabled for users to sign-in? - Yes

  • Visible to users? - Yes

After enabling these settings, users can access the Experience.com app from Azure’s MyApps page (https://myapps.microsoft.com/).