Microsoft SSO Integration (OAuth 2.0)
By enabling Microsoft Single Sign-On (SSO), your school can leverage the secure, industry-standard OAuth 2.0 protocol to manage authentication. This integration allows staff users to conveniently and securely log in to OpenApply using their existing Microsoft Entra credentials, eliminating the need to remember a separate password.
Important Note on User Roles:
This feature is designed specifically for school staff. Parent accounts, students, and other user types are not supported through this Microsoft SSO integration at this time.
Account Prerequisites for Successful Login:
Because this OAuth 2.0 integration relies on email matching to verify identity, the staff member must already have an active profile in OpenApply, and the email address on that OpenApply account must exactly match the primary email address of their Microsoft account. If the account does not already exist in OpenApply, or if the emails do not match, the SSO login will fail.
Enabling the SSO Feature
To enable this feature, navigate to Settings > Integrations > Microsoft Entra Identity Integration and enter your credentials. Please note that only staff users can log in using a Microsoft account.
Configuration on Microsoft Entra
The administrator of your Microsoft Entra system must apply the following configuration:
- Set the redirect URL in your Microsoft application registration, depending on your region:
  - https://[school-subdomain].openapply.com/auth/entra_id/callback
  - https://[school-subdomain].openapply.cn/auth/entra_id/callback
  - https://[school-subdomain].openapply.eu/auth/entra_id/callback
- Update the Account Type setting:
  - Multitenant: Accounts in any organizational directory
- Grant admin consent for the following Microsoft Graph API permissions:
  - Group.Read.All
  - openid
  - profile
  - User.Read
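One way to verify the three settings above after the fact, as an added example that is not OpenApply's or Microsoft's code: it audits an application object and its `oauth2PermissionGrants` in the JSON shape Microsoft Graph returns. `audit_registration` and the sample data are constructed for illustration; the check assumes the registration is used only for OpenApply and that all four permissions are delegated permissions.

```python
import re

# Redirect URL patterns from the list above; [school-subdomain] becomes a DNS label.
REDIRECT_RE = re.compile(
    r"https://[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.openapply\.(?:com|cn|eu)"
    r"/auth/entra_id/callback"
)
REQUIRED_SCOPES = {"Group.Read.All", "openid", "profile", "User.Read"}
# Graph value for "Accounts in any organizational directory".
MULTITENANT = "AzureADMultipleOrgs"


def audit_registration(application, grants):
    """Return a list of findings; an empty list means the settings match the steps above."""
    findings = []
    uris = application.get("web", {}).get("redirectUris", [])
    if not any(REDIRECT_RE.fullmatch(u) for u in uris):
        findings.append("no OpenApply callback redirect URL registered")
    for u in uris:
        if not REDIRECT_RE.fullmatch(u):
            findings.append(f"unexpected redirect URL: {u}")
    if application.get("signInAudience") != MULTITENANT:
        findings.append(f"account type is {application.get('signInAudience')!r}")
    # Assumption: delegated permissions, where admin consent is an "AllPrincipals" grant.
    consented = set()
    for g in grants:
        if g.get("consentType") == "AllPrincipals":
            consented.update(g.get("scope", "").split())
    for scope in sorted(REQUIRED_SCOPES - consented):
        findings.append(f"admin consent missing for {scope}")
    return findings


# Constructed sample data (not from a real tenant).
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": [
        "https://demo-school.openapply.com/auth/entra_id/callback",
        "http://demo-school.openapply.com/auth/entra_id/callback",
    ]},
}
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "scope": "openid profile User.Read"},
    {"consentType": "Principal", "scope": "Group.Read.All"},
]

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_APP, SAMPLE_GRANTS):
        print("FINDING:", finding)
```

The constructed sample produces three findings: a plain-HTTP redirect URL, a single-tenant account type, and Group.Read.All consented for one user only rather than by an administrator.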
Please review the following screenshots for verification:
Group Allow Feature
By enabling the Group Allow feature, you can restrict OpenApply access so that only members of specific Microsoft groups can log in successfully. You can obtain the necessary Group IDs from the Microsoft Entra admin center. When adding a group in OpenApply, the group name cannot be left blank, though the description is optional.