Configure the "Sign in with Microsoft" feature to allow users to log in to the Cloudmore platform using their Microsoft credentials, streamlining access and enhancing security through Single Sign-On (SSO).
Overview
The "Sign in with Microsoft" functionality allows users to sign in to the Cloudmore platform using their Microsoft credentials, simplifying access for users who prefer to use a single set of credentials across platforms.
This feature reduces the need to remember multiple sets of credentials and enhances security by leveraging Microsoft’s Single Sign-On (SSO) capabilities. It is particularly useful for Microsoft partners who manage multiple tenants or frequently log into other platforms with their Microsoft accounts.
Key Features
- Enable Microsoft SSO: Allows Cloudmore Broker and Organisation users to log in with their Microsoft credentials.
- Enforce Microsoft SSO: You can enforce that all Broker and Organisation users must log in exclusively via Microsoft SSO or SAML-based SSO (if both are enabled).
- Use your own white-labelled Azure application for user authorisation.
How to enable Microsoft multi-tenant SSO Sign-in
Microsoft SSO can be enabled from the Security Center page. The user needs the Cloudmore Broker Super Admin role, since that role has full access to the Security Center. The Broker Global Admin and Broker Global View Only Admin roles have read-only access.
- Navigate to the "Security Center" page under the "Broker" menu.
- Check the box for "Use Microsoft multi-tenant SSO" to allow Broker and Organisation users to log in with Microsoft credentials.
- Click "Update" to apply the settings.
NOTE: Enabling Microsoft SSO adds the ‘Sign in with Microsoft’ button on the main page if you have a branded URL configured. If you don’t have a branded URL, the button is visible all the time, but sign-in will only work after the functionality has been enabled.
Use your own white-labelled Azure application for sign-in (optional, branded brokers only)
Since your customers’ admins will need to provide consent to use the application, you may want to create and publish your own application in the Azure portal for a more seamless white-labelling and governance experience. This option is available for Brokers who use a branded URL page.
Once a broker with branded login enables Microsoft multi-tenant SSO, additional fields will appear for entering details of their own Azure application. By default, if these fields are left blank, Microsoft sign-in authorization will be handled by the Cloudmore application, where Cloudmore will appear as the publisher.
- Enter your Azure application ID in the “Application ID” field.
- Enter your Azure application secret in the “Application secret” field.
- The login redirect URL is populated automatically and is the same as the Branded URL from your Cloudmore Broker -> Branding -> Branded login page.
- Click "Update" to apply the settings.
- Your application details will be encrypted and securely stored in Cloudmore.
- Clicking the “Clear application settings” button will remove the application details completely from the Cloudmore database.
REQUIREMENTS FOR THE AZURE APPLICATION
When creating your Azure application, make sure that it has the following properties:
- Authentication - Supported account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
- API permissions: User.Read
- Authentication - Redirect URIs: add your Cloudmore Branded URL in the list
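The three requirements above can be verified against an exported app registration before the Application ID and secret are entered into Cloudmore. The following script is an added example and is not Cloudmore's or Microsoft's code. It assumes the manifest is in the Microsoft Graph application format that the Azure portal's "Manifest" blade exports (`signInAudience`, `web.redirectUris`, `requiredResourceAccess`); the Microsoft Graph resource id and the User.Read permission id are the published Microsoft values, while the manifests, branded URL and the extra permission id in the sample are constructed for the example. Beyond the page's three requirements, it also flags plaintext `http://` redirect URIs and any permission other than User.Read, because a white-labelled app that asks for more than it needs will be shown to every customer admin at consent time.

```python
import json

# Published Microsoft values (not from the page): the Microsoft Graph resource app id
# and the id of the delegated "User.Read" permission.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
# Manifest value behind "Accounts in any organizational directory (Multitenant)".
REQUIRED_AUDIENCE = "AzureADMultipleOrgs"


def check_app_registration(manifest: dict, branded_url: str) -> list[str]:
    """Return a list of problems found; an empty list means the registration
    meets the requirements listed on the page plus two hygiene checks."""
    problems = []

    # Requirement 1: supported account types must be multitenant.
    audience = manifest.get("signInAudience")
    if audience != REQUIRED_AUDIENCE:
        problems.append(f"signInAudience is {audience!r}, expected {REQUIRED_AUDIENCE!r}")

    # Requirement 3: the Cloudmore branded URL must be a registered redirect URI.
    redirect_uris = manifest.get("web", {}).get("redirectUris", [])
    if branded_url not in redirect_uris:
        problems.append(f"redirect URI {branded_url!r} is missing from web.redirectUris")
    # Hygiene: a plaintext redirect exposes the authorization code in transit.
    for uri in redirect_uris:
        if uri.startswith("http://"):
            problems.append(f"redirect URI {uri!r} uses plaintext http")

    # Requirement 2: delegated User.Read on Microsoft Graph must be requested,
    # and nothing beyond it (least privilege for the consent prompt).
    has_user_read = False
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            if (resource.get("resourceAppId") == GRAPH_APP_ID
                    and access.get("id") == USER_READ_ID
                    and access.get("type") == "Scope"):
                has_user_read = True
            else:
                problems.append(f"extra permission requested: {access.get('id')!r} "
                                f"on resource {resource.get('resourceAppId')!r}")
    if not has_user_read:
        problems.append("delegated permission User.Read (Microsoft Graph) is not requested")
    return problems


# Constructed sample manifests (placeholder ids, not real registrations).
BRANDED_URL = "https://login.example-broker.test/"

GOOD_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": [BRANDED_URL]},
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         "resourceAccess": [{"id": USER_READ_ID, "type": "Scope"}]}
    ],
}

BAD_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "signInAudience": "AzureADMyOrg",                      # single tenant only
    "web": {"redirectUris": ["http://login.example-broker.test/"]},  # wrong scheme
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID,
         "resourceAccess": [
             {"id": USER_READ_ID, "type": "Scope"},
             {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},  # extra, placeholder id
         ]}
    ],
}


def check_manifest_file(path: str, branded_url: str) -> list[str]:
    """Convenience wrapper for a manifest saved from the portal."""
    with open(path, encoding="utf-8") as fh:
        return check_app_registration(json.load(fh), branded_url)


if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        findings = check_app_registration(manifest, BRANDED_URL)
        print(name, "->", "OK" if not findings else findings)
```

Run it against a manifest saved from the portal with `check_manifest_file("manifest.json", "https://<your branded URL>/")`; an empty result means the registration is ready to be entered into the "Application ID" and "Application secret" fields.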
Enforce login via Microsoft SSO (optional)
You can enforce Single Sign-On for all Broker and Organisation users. If both Microsoft and SAML-based SSO options are enabled, users will be able to log in using either method. For SAML-based SSO, the enforcement applies at the Organisation level only if SAML SSO has been enabled for organisations.
- Check the box labeled "Require Single Sign-On (SSO) to log in" under the "Security settings" section.
- Click "Update" to apply the settings.
Sign in with Microsoft SSO
Once Microsoft multi-tenant SSO is enabled, Broker and Organisation users will be able to use the "Sign in with Microsoft" option to log in to the Cloudmore platform.
NOTE: In order to successfully log in using Microsoft SSO, the user's "Username" in Cloudmore should match the email address used for Microsoft authentication.
- Click the "Sign in with Microsoft" button on the main page.
- When logging in for the first time, you will be redirected to the Microsoft authentication screen where you can enter your Microsoft credentials.
- Upon successful Microsoft authentication, you will be redirected back to the Cloudmore platform, where the system verifies the authentication response and logs you in.
After the first sign-in, if you are already signed in with Microsoft in your browser, the login details will be fetched automatically.
Best practices
- Ensure all users have matching usernames: Make sure the email used for Microsoft authentication is the same as the user’s Cloudmore username.
- Enforce SSO strategically: If enforcing SSO, ensure all users are informed about the changes and have set up their accounts correctly. It’s recommended to enable SSO during a time of minimal system activity to avoid disruption.
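Both best practices come down to one check: before "Require Single Sign-On (SSO) to log in" is switched on, confirm that every Cloudmore username has a matching Microsoft sign-in address, because any user without one is locked out the moment enforcement takes effect. The script below is an added example, not Cloudmore's code. It assumes you can export the list of Cloudmore usernames and the list of user principal names or e-mail addresses from your Microsoft tenant; both lists here are constructed. The page says the username "should match" the Microsoft e-mail, so only exact matches are counted as ready; addresses that differ only in letter case are reported separately for review rather than assumed to work.

```python
from dataclasses import dataclass, field


@dataclass
class SsoReadinessReport:
    ready: list = field(default_factory=list)             # exact match, will sign in
    case_mismatch: list = field(default_factory=list)     # (cloudmore, microsoft) pairs differing only in case
    no_microsoft_account: list = field(default_factory=list)  # would be locked out by enforcement

    def safe_to_enforce(self) -> bool:
        """True only when every Cloudmore user has an exact Microsoft counterpart."""
        return not self.case_mismatch and not self.no_microsoft_account


def audit_sso_readiness(cloudmore_usernames, microsoft_emails) -> SsoReadinessReport:
    """Compare Cloudmore usernames with the tenant's sign-in addresses.

    Surrounding whitespace is stripped from both lists (assumed to be export
    noise); nothing else is normalised, so the 'ready' set reflects the exact
    match the page requires.
    """
    report = SsoReadinessReport()
    ms_exact = {e.strip() for e in microsoft_emails}
    ms_by_lower = {e.strip().lower(): e.strip() for e in microsoft_emails}
    for raw in cloudmore_usernames:
        username = raw.strip()
        if username in ms_exact:
            report.ready.append(username)
        elif username.lower() in ms_by_lower:
            report.case_mismatch.append((username, ms_by_lower[username.lower()]))
        else:
            report.no_microsoft_account.append(username)
    return report


# Constructed sample exports (example domains, not real accounts).
CLOUDMORE_USERS = [
    "alice@example-broker.test",
    "Bob@example-broker.test",        # differs from the tenant only in case
    "carol@example-broker.test ",     # trailing space from a spreadsheet export
    "dave@contractor.example",        # no account in the Microsoft tenant
]
MICROSOFT_USERS = [
    "alice@example-broker.test",
    "bob@example-broker.test",
    "carol@example-broker.test",
]


if __name__ == "__main__":
    result = audit_sso_readiness(CLOUDMORE_USERS, MICROSOFT_USERS)
    print("ready:", result.ready)
    print("review (case differs):", result.case_mismatch)
    print("would be locked out:", result.no_microsoft_account)
    print("safe to enforce SSO:", result.safe_to_enforce())
```

Resolve every entry in the last two lists (rename the Cloudmore user, or confirm the account is meant to keep a password login while SSO stays optional) before enabling enforcement, and run the audit again after the change window the page recommends.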