
Enabling SSO for Azure AD (Microsoft Entra ID)

Configure SiteDetour Single Sign-On with Microsoft Entra ID (Azure AD) using the built-in OIDC driver.


Overview

SiteDetour's SSO integrates with Microsoft Entra ID (Azure AD) via OpenID Connect on top of OAuth 2.0. This article walks through the Azure-side Enterprise App registration and the SiteDetour-side configuration.

Plan requirement

SSO is available on Business and Enterprise plans. Verify your plan on Billing before starting. On lower plans, the SSO page is read-only.

What you need from Azure

By the end of this article, you'll have:

  • An Application (client) ID (from the Azure Enterprise App Overview).
  • A Client secret (from Certificates & secrets).
  • A Tenant-scoped issuer URL: https://login.microsoftonline.com/{tenant-id}/v2.0.

What you need from SiteDetour

The Reply URL for your organization. Find it at SSO.

Azure: register the Enterprise App

  1. Sign in to the Azure portal and navigate to Microsoft Entra ID → Enterprise applications.
  2. Click New application.
  3. Choose Register an application you're working on to integrate with Microsoft Entra ID. SiteDetour is not listed in the Entra gallery, so use the generic registration.
  4. Give it a name (e.g. SiteDetour SSO) and select the supported account type. Single tenant is usually correct.
  5. Under Redirect URI, pick Web and paste the SiteDetour Reply URL.
  6. Register.

Azure: generate a client secret

  1. Open the newly registered app.
  2. Navigate to Certificates & secrets.
  3. Click New client secret. Add a description and set an expiry (24 months is a common choice).
  4. Copy the secret's Value immediately. Azure only shows it once.

Azure: find the Application (client) ID

Navigate to Overview. The Application (client) ID is shown near the top — copy it.

Azure: configure API permissions (optional)

By default SiteDetour requests the standard openid, profile, and email scopes. These are granted automatically for Enterprise Apps in most tenants. If your tenant requires admin consent, grant it from the API permissions tab.

SiteDetour: configure the driver

  1. Open SSO.
  2. Toggle Enabled on.
  3. Pick Azure AD in the Driver dropdown (or Microsoft Entra ID if listed).
  4. Paste the Client ID (from Azure Overview).
  5. Paste the Client Secret (the value you copied in Certificates & secrets).
  6. Paste the Base URL: https://login.microsoftonline.com/{tenant-id}/v2.0. Replace {tenant-id} with your Azure tenant ID.
  7. Click Save.
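
A pre-flight check for the Base URL from step 6, as an added example (not SiteDetour's or Microsoft's code): it catches a leftover {tenant-id} placeholder, a multi-tenant alias such as common, or a trailing slash, and compares the value with the issuer in the tenant's OIDC discovery document, which the OIDC Discovery spec requires to match exactly. The function names are hypothetical, and the tenant ID and discovery document below are constructed samples.

```python
import json
import re
import urllib.request
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def check_base_url(base_url):
    """Return problems with a tenant-scoped Entra v2.0 issuer URL (empty list = OK)."""
    u = urlsplit(base_url)
    parts = u.path.split("/")            # expected: ['', '<tenant-id>', 'v2.0']
    problems = []
    if u.scheme != "https" or u.hostname != "login.microsoftonline.com":
        problems.append("must start with https://login.microsoftonline.com/")
    if len(parts) != 3 or parts[2] != "v2.0" or u.query or u.fragment:
        problems.append("path must be exactly /{tenant-id}/v2.0, no trailing slash")
    tenant = parts[1] if len(parts) > 1 else ""
    if not GUID.fullmatch(tenant):
        problems.append(f"tenant segment {tenant!r} is not a tenant ID (GUID)")
    return problems

def check_discovery(base_url, doc):
    """Compare an OIDC discovery document against the Base URL and default scopes."""
    problems = []
    if doc.get("issuer") != base_url:    # OIDC Discovery requires an exact match
        problems.append(f"issuer {doc.get('issuer')!r} != Base URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://login.microsoftonline.com/"):
            problems.append(f"{key} missing or not on login.microsoftonline.com")
    missing = {"openid", "profile", "email"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems

def fetch_discovery(base_url):
    """Live lookup (needs network); run it on the real Base URL before pasting."""
    with urllib.request.urlopen(base_url + "/.well-known/openid-configuration", timeout=10) as r:
        return json.load(r)

# Constructed sample values: the tenant ID and discovery document are not real.
TENANT = "11111111-2222-3333-4444-555555555555"
GOOD = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SAMPLE_DOC = {
    "issuer": GOOD,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    for url in (GOOD, GOOD + "/", "https://login.microsoftonline.com/{tenant-id}/v2.0"):
        print(url, "->", check_base_url(url) or "OK", check_discovery(url, SAMPLE_DOC) or "OK")
```

Against a real tenant, pass the result of fetch_discovery(base_url) to check_discovery in place of the sample document.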

Testing the integration

Sign out of SiteDetour. Visit sitedetour.com/login/sso and enter your organization email. You should be redirected to the Microsoft login screen, and on successful authentication, signed in to SiteDetour.

Adding users

Every user who will authenticate via Azure SSO must first be invited to SiteDetour on the Organization page. See Inviting your team.

SiteDetour doesn't auto-provision from Azure — you stay in control of who has access.

Troubleshooting

  • AADSTS50011: redirect URI mismatch. Azure rejects the callback because the URI doesn't match what's registered. Copy the Reply URL from SiteDetour again and re-enter it in Azure.
  • "User not found" after Azure login. The email returned by Azure must match an invited SiteDetour user. Check for case mismatch or UPN vs. email differences.
  • Client secret expired. Azure client secrets expire. Generate a new one in Certificates & secrets, paste the new value into SiteDetour SSO, save.

Rotating the client secret

Before your current secret expires: create a new one in Azure, paste into SiteDetour, save. Once confirmed working, delete the old secret from Azure. Do this proactively on a ~24-month cadence.
