Connecting Microsoft Entra ID lets your people sign in to Iru - and reach the apps you have assigned them - using the Microsoft accounts they already have. Iru provides a Microsoft Entra ID template that pre-fills the standard configuration, so this is one of the quickest providers to connect.
Most organizations that use Iru Identity as their identity provider have people sign in directly with a passkey or the Iru Access app. Connect Microsoft Entra ID when you use Iru Identity as an authentication layer into the Iru platform rather than your primary identity provider, or to ease a migration onto Iru Identity. See Federated Authentication.
You need administrator access to your Iru tenant, and access to your Microsoft Entra ID administrator portal, to complete this connection.

Before you begin

1. Register an application in Microsoft Entra ID

In the Microsoft Entra admin center, register an application for Iru. Add the redirect URI Iru shows for this connection as a Web redirect URI, create a client secret, and grant the standard sign-in permissions (openid, profile, email, and User.Read) - granting admin consent if your tenant requires it. Note the application’s client ID and client secret and your Entra ID domain (for example, contoso.onmicrosoft.com) to enter into Iru. Microsoft’s portal can change - follow Microsoft’s current documentation if the steps differ.
2. Confirm your sign-in domains

Note the email domains your people sign in with. You can restrict the connection to these domains so only people in them use it.
3. Make sure your people exist in Iru

Sign-in through a connection resolves to an existing Iru user. Add or import your people first - see Importing users or Directory Sync.

Connect Microsoft Entra ID

Add the connection

In Access → Authentication, add an authentication method and choose the Microsoft Entra ID template. Using the template fills in the standard settings for you.

Enter your Entra ID details

Provide your Microsoft Entra ID domain, the client ID, and the client secret from the application you registered. Iru uses these to establish trust with your Entra ID tenant.

Choose what the connection is used for

Select the connection’s use cases - end-user sign-in, device enrollment, or both. Most setups enable end-user sign-in.

Restrict to your domains

If you want only people in specific email domains to use this connection, enable domain restrictions and add those domains.

Set user matching

Choose how Iru matches a Microsoft sign-in to an Iru user - by UPN, username, external ID, or a custom attribute. Pick a value that is unique and stable for every person.

Save the connection

Save, then sign in as a test user whose email is in an allowed domain to confirm the hand-off to Microsoft works end to end.
If you intend to use this connection for device enrollment, you may need to enable domain restrictions first. Configure your domains before turning on the device enrollment use case.
Test with a single user before rolling the connection out broadly. If sign-in fails to land on the right person, revisit your user matching choice - the matched value must be present and unique for everyone who uses the connection.
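
A pre-rollout check for the user matching and domain restriction choices above, as an added example that is not Iru's or Microsoft's code: it reads a user export and reports people whose matching value is missing or shared, or whose email falls outside the allowed domains. The CSV columns, the sample rows, and the function name `audit_matching` are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not an Iru or Entra format.
SAMPLE_EXPORT = """\
email,upn,external_id
ana@contoso.com,ana@contoso.com,e-1001
ben@contoso.com,Ben@Contoso.com,e-1002
ben.alt@contoso.com,ben@contoso.com,e-1003
cy@contoso.com,,e-1004
dee@partner.example,dee@partner.example,e-1005
"""


def audit_matching(export_text, match_column, allowed_domains):
    """Return the rows that would break sign-in matching for the chosen attribute."""
    allowed = {d.lower() for d in allowed_domains}
    missing, outside_domain = [], []
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        value = (row.get(match_column) or "").strip()
        if not value:
            missing.append(email)
        else:
            # Conservative assumption: values that differ only in case count as the same.
            seen[value.lower()].append(email)
        if email.rpartition("@")[2] not in allowed:
            outside_domain.append(email)
    duplicates = {v: who for v, who in seen.items() if len(who) > 1}
    return {"missing": missing, "duplicates": duplicates, "outside_domain": outside_domain}


if __name__ == "__main__":
    report = audit_matching(SAMPLE_EXPORT, "upn", ["contoso.com"])
    for problem, rows in report.items():
        print(f"{problem}: {rows}")
```

Run it once per candidate attribute; an attribute that returns empty `missing` and `duplicates` for every person who will use the connection is a safe matching choice.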

How sign-in works once connected

When someone signs in, Iru hands the sign-in off to Microsoft Entra ID, Entra ID confirms the person, and Iru continues the session - then evaluates the app’s authentication policy before granting access. For the full picture, see System architecture.

Federated Authentication

Use cases, domain restrictions, and user matching, explained in one place.

Google Workspace

Connect Google Workspace for sign-in with its own template.

Sign-in experience

Shape what people see when they sign in.

Custom OIDC

Connect an OpenID Connect provider that is not covered by a template.