Microsoft Entra ID (Azure AD) SSO Setup Guide

This guide walks you through configuring Microsoft Entra ID (formerly Azure Active Directory) as your Identity Provider (IdP) for CRA Evidence single sign-on.

Prerequisites

  • Microsoft Entra ID administrator access (Global Administrator or Application Administrator)
  • CRA Evidence organisation admin access
  • Your company email domain (e.g., company.com)

Step 1: Get CRA Evidence SP Information

Before configuring Entra ID, gather the Service Provider (SP) information from CRA Evidence:

  1. Log in to CRA Evidence as an organisation admin
  2. Go to Settings > Single Sign-On
  3. Note the following values:
    • Entity ID (Identifier): https://app.craevidence.com
    • Reply URL (ACS): https://app.craevidence.com/api/v1/saml/acs

Step 2: Create Enterprise Application

  1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com)
  2. Navigate to Identity > Applications > Enterprise applications
  3. Click + New application
  4. Click + Create your own application
  5. Enter:
    • Name: CRA Evidence
    • Select: Integrate any other application you don't find in the gallery (Non-gallery)
  6. Click Create

Step 3: Configure SAML SSO

  1. In your new CRA Evidence application, go to Single sign-on
  2. Select SAML

Basic SAML Configuration

Click Edit on the Basic SAML Configuration section:

Field Value
Identifier (Entity ID) https://app.craevidence.com
Reply URL (ACS URL) https://app.craevidence.com/api/v1/saml/acs
Sign on URL https://app.craevidence.com/login
Relay State (leave blank)
Logout URL https://app.craevidence.com/api/v1/saml/sls

Click Save

Attributes & Claims

Click Edit on the Attributes & Claims section:

Required claim (already configured):

Claim name Value
Unique User Identifier (Name ID) user.userprincipalname or user.mail

Add additional claims:

Click + Add new claim for each:

Name Source Source attribute
email Attribute user.mail
firstName Attribute user.givenname
lastName Attribute user.surname
displayName Attribute user.displayname

Click Save

SAML Certificates

  1. In the SAML Certificates section, find Certificate (Base64)
  2. Click Download to download the certificate
  3. Note the App Federation Metadata Url (optional, for metadata import)

Set up CRA Evidence

From the Set up CRA Evidence section, copy:

Field Description
Login URL This is your IdP SSO URL
Azure AD Identifier This is your IdP Entity ID
Logout URL This is your IdP SLO URL

Step 4: Configure CRA Evidence

  1. In CRA Evidence, go to Settings > Single Sign-On
  2. Click Add Identity Provider
  3. Fill in the form:

Field Value
Name Microsoft Entra ID (or your preferred name)
Vendor Microsoft Entra ID (Azure AD)
Entity ID The "Azure AD Identifier" from Entra
SSO URL The "Login URL" from Entra
SLO URL The "Logout URL" from Entra
X.509 Certificate Open the downloaded certificate and paste contents

Provisioning Settings:

Field Recommended Value
JIT Provisioning Enabled
Default Role Member
Update on Login Enabled
  4. Click Add Identity Provider

Step 5: Add SSO Domain

  1. In CRA Evidence SSO settings, go to Domains
  2. Click Add Domain
  3. Enter your email domain (e.g., company.com)
  4. Select the Entra ID IdP you just created
  5. Click Add Domain

Verify Domain Ownership

  1. Add a DNS TXT record:
    • Host: _craevidence-verification
    • Value: (the token shown in CRA Evidence)
  2. Wait for DNS propagation (up to 48 hours)
  3. Click Verify Now in CRA Evidence

Step 6: Assign Users in Entra ID

  1. In Entra admin center, go to your CRA Evidence application
  2. Go to Users and groups
  3. Click + Add user/group
  4. Select users or groups who should have access
  5. Click Assign

Note: By default, user assignment is required. If you want all users to be able to access the application without an explicit assignment:

  1. Go to Properties
  2. Set Assignment required? to No

Step 7: Test SSO

  1. Open a new incognito/private browser window
  2. Go to https://app.craevidence.com/login
  3. Enter an email address from your SSO domain
  4. You should be redirected to Microsoft login
  5. Authenticate with your Microsoft credentials
  6. You should be redirected back to CRA Evidence, logged in

Optional: Enable SSO Enforcement

Once testing is successful, you can require SSO for all users:

  1. Go to Settings > Single Sign-On > Enforcement
  2. Enable Require SSO for all users
  3. Optionally enable Allow admins to bypass SSO
  4. Click Save Settings

Troubleshooting

"AADSTS50011" - Reply URL Mismatch

  • Verify the Reply URL in Entra exactly matches: https://app.craevidence.com/api/v1/saml/acs
  • Check for trailing slashes or http vs https

"AADSTS700016" - Application Not Found

  • Ensure the Identifier (Entity ID) matches exactly
  • Verify the application is properly configured in Entra

User Not Being Created

  • Confirm JIT Provisioning is enabled in CRA Evidence
  • Verify the user has the email claim populated
  • Check that the user is assigned to the application in Entra

Certificate Errors

  • Download a fresh certificate from Entra
  • Ensure you're using the Base64 format
  • Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

"User not assigned to application"

  • Go to Users and groups in the Entra application
  • Assign the user or their group
  • Or set Assignment required? to No in Properties
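The two mismatches this Troubleshooting section describes (Reply URL differing from the Step 1 value by a trailing slash or by http vs https, and a pasted IdP certificate that is not Base64 PEM with both marker lines) can be caught before the first sign-in attempt. The pre-flight script below is an added example, not CRA Evidence's or Microsoft's own tooling; it assumes only the Reply URL from Step 1 and uses a constructed placeholder certificate body, not a real Entra certificate.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Reply URL (ACS) that Step 1 of this guide says to configure in Entra ID
EXPECTED_ACS_URL = "https://app.craevidence.com/api/v1/saml/acs"

def check_reply_url(configured: str) -> list[str]:
    """Pinpoint why a configured Reply URL would trigger an AADSTS50011 mismatch."""
    problems = []
    got, want = urlparse(configured.strip()), urlparse(EXPECTED_ACS_URL)
    if got.scheme != want.scheme:
        problems.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc.lower() != want.netloc:
        problems.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        if got.path.rstrip("/") == want.path:
            problems.append("path has a trailing slash")
        else:
            problems.append(f"path is {got.path!r}, expected {want.path!r}")
    return problems

def check_certificate_pem(pem: str) -> list[str]:
    """The IdP certificate pasted into CRA Evidence must be Base64 PEM with both marker lines."""
    problems = []
    text = pem.strip()
    if not text.startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("missing -----BEGIN CERTIFICATE----- line")
    if not text.endswith("-----END CERTIFICATE-----"):
        problems.append("missing -----END CERTIFICATE----- line")
    body = "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text).split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid Base64 (was the Raw/binary .cer downloaded instead?)"]
    if not der.startswith(b"\x30"):  # every DER-encoded X.509 certificate begins with a SEQUENCE tag
        problems.append("decoded body does not start with a DER SEQUENCE; not an X.509 certificate")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs, not values from a real tenant: a trailing-slash URL and a tiny placeholder PEM.
    print(check_reply_url("https://app.craevidence.com/api/v1/saml/acs/"))
    print(check_certificate_pem("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"))
```

An empty list from both checks means the values match what Steps 1, 3 and 4 expect; any entry names the exact field to correct in Entra or in the CRA Evidence IdP form.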

Advanced Configuration

Conditional Access

You can use Entra Conditional Access policies to:

  • Require MFA for CRA Evidence access
  • Restrict access by location or device
  • Block risky sign-ins

Group Claims

To send group information (for future role mapping):

  1. In Attributes & Claims, click + Add a group claim
  2. Select groups to include
  3. Configure the claim name

Token Encryption (Optional)

For additional security:

  1. Generate an encryption certificate
  2. Upload to CRA Evidence SP configuration
  3. Enable encrypted assertions in CRA Evidence IdP settings

Security Recommendations

  1. Enable Conditional Access for additional security
  2. Use Security Groups to control access
  3. Monitor Sign-in Logs in Entra for suspicious activity
  4. Set Token Lifetime policies appropriately
  5. Enable MFA through Conditional Access

Support

If you encounter issues:

  1. Check the SAML SSO Architecture documentation
  2. Review Entra sign-in logs for detailed error messages
  3. Contact CRA Evidence support at support@craevidence.com
  4. Provide:
    • Error message (including Entra error codes like AADSTS...)
    • Screenshot of Entra application configuration
    • CRA Evidence IdP configuration (without certificate)

Last updated February 27, 2026