The first step is to set your Entra ID Tenant ID in ScoutDNS. This tells ScoutDNS which Microsoft Entra ID tenant to use for sign-in processing.

Your Entra ID Tenant ID can be found in the Entra ID admin portal on the Home or Overview tab. Locate the Tenant ID and copy it using the copy button provided in the UI.

In ScoutDNS, navigate to the Access Management page, found under the person icon at the top right of the UI. Select the SSO subtab. You will need to acknowledge a warning about how enabling SSO affects existing ScoutDNS admins.

Important: Enabling SSO will disable all existing Admin, Service Desk, and Viewer accounts on the ScoutDNS platform. These roles will only be able to log in via Entra ID. However, Super Admin and Organization Operator roles are unaffected.

On the Access Management SSO configuration page in ScoutDNS, locate the Tenant ID field and paste the Entra ID Tenant ID you copied from the Entra ID console. Press Save.

You can toggle the Enable Connection switch on or off at any time to disable SSO. However, you must enable it to complete the configuration.

Now you will need to grant ScoutDNS permission to read user profiles and groups from Entra ID.  Click here to authorize and login with an Entra ID account that has sufficient access to grant these permissions.  

Go to your Entra ID admin console and locate ScoutDNS within Enterprise Applications. Select the ScoutDNS app and navigate to the Users and Groups tab under the Manage section on the left sidebar. You can now assign Entra ID users or groups to specific ScoutDNS roles: ScoutDNS_Admin, ScoutDNS_Service_Desk, and ScoutDNS_Viewer.

The only non-SSO accounts able to log in when SSO is enabled are the Super Admin, which allows SSO to be disabled if needed, and Organization Operators, who are intended to be external users with limited access rights.

You can keep both ScoutDNS and Entra ID users configured in ScoutDNS so that if SSO needs to be disabled, previously added ScoutDNS accounts can log in using the standard non-SSO login process.

Be sure to keep MFA enabled to protect the Super Admin account at all times.

This is our legacy SSO setup guide for accounts using a unique login URL with a custom-assigned Enterprise Application.

Configuring SSO for Entra ID requires setting up an Enterprise Application through App Registration. This allows Microsoft Entra ID APIs to communicate with ScoutDNS and manage authenticated users. You will be able to assign Entra ID users and groups to ScoutDNS and map your Entra ID roles to ScoutDNS application roles.

To get started, go to your Entra ID Admin Center:

1. Select App Registrations under the Applications tab on the left-side menu and click New Registration.

2. Enter ScoutDNS as the application name.

3. For Account types, choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)".

4. Under Redirect URI, select Single Page Application and input https://app.scoutdns.com/login/sso/ in the field.

5. When complete, press the Register button at the bottom.

Now you must configure the OpenID API permissions to allow ScoutDNS to check Entra ID user access settings.

1. Navigate to API Permissions on the App Registration subtab.

2. You will need to set the following permissions:

   • User.Read – Allows signing in and reading basic user info. (This is set by default.)

   • openid – Required for signing in.

   • profile – Allows reading the user's profile.

   • email – Allows reading the user's email address, which will be used to identify the user in our system.

3. Since User.Read is already set by default, you only need to add the other three:

   • Select Add a Permission.

   • Choose Microsoft Graph and select the three additional options under OpenID Permissions.

   • Press the Add Permissions button at the bottom of the page.

The next step involves creating the application roles that will be mapped to ScoutDNS. You need at least one role.

1. Navigate to the App Roles subtab and select Create App Role at the top center.

2. We recommend naming the roles as follows, setting both the Display name and Value to the same name.

3. You can enter a description for clarification.

4. Enable the app role by selecting the checkbox.

ScoutDNS_Admin

ScoutDNS_Viewer

You can now assign specific users and/or groups to your application.

1. Exit App Registration and navigate to Enterprise Applications.

2. Select ScoutDNS.

3. Add a user or group as needed and assign the appropriate role.

Now we need to configure ScoutDNS for SSO.

1. Under Access Management, select the SSO sub-tab at the top left.

2. Ensure that Enable Connection is turned on.

You will need to input the Client ID and Tenant ID from your Entra ID App Registration page into the ScoutDNS app you registered.

1. In Entra ID, copy the Application (client) ID and paste it into the Client ID field in the ScoutDNS portal.

2. Next, copy the Directory (tenant) ID and paste it into the Tenant field in the ScoutDNS portal.
   

At this point, let's set the roles as entered in Entra ID so they can be matched on the ScoutDNS side.

1. Enter the roles for Admin, Service Desk, and Viewer as shown above.

2. Save the settings.

You can now copy the unique login URL that Entra ID will use to access ScoutDNS.

1. Copy your unique URL from the ScoutDNS portal.

2. Return to the App Registration section in Entra ID.

3. Under the ScoutDNS registration you created, navigate to Branding and Properties.

4. Paste your unique ScoutDNS login URL into the Entra ID Home Page URL field and save.

That's it! From this point, you simply need to assign the application and make it visible to users as desired in Entra ID.

SSO will disable all ScoutDNS platform Admin and Viewer accounts. These user types will now only be allowed to log in via Entra ID SSO.

Super Admin and Organization Operator accounts are exempt from SSO. The Super Admin account can serve as a backup in case there are issues with the Entra ID connection. Be sure to enable 2FA for added security.

Organization Operators are also exempt, as this account type is designed for external organizations, partners, or end customers. Keep in mind that Organization Operators have limited permissions for both Manager and Viewer roles.