Single Sign On (SSO) Configuration - Entra ID

Entra ID SSO

Enabling Single Sign On (SSO) allows admins to manage access for their instance through Entra ID SSO. ScoutDNS uses the OpenID Connect (OIDC) protocol for secure communication with Entra ID.

Warning
SSO will disable all existing ScoutDNS platform Admin, Service Desk, and Viewer accounts. These roles will only be allowed to log in via Entra ID. Super Admin and Organization Operator roles are unaffected.

Configure Tenant ID in ScoutDNS


The first step is setting your Entra ID Tenant ID in ScoutDNS. This tells ScoutDNS which Microsoft Entra ID tenant to process sign-ins for. Your Entra ID Tenant ID can be found in the Entra ID admin portal on the Home or Overview tab. Locate the Tenant ID and copy it using the copy button provided in the UI.

Within ScoutDNS, navigate to the Access Management page found under the person icon at the top right of the UI. Select the SSO subtab. You will need to click through a warning about how enabling SSO will affect existing ScoutDNS admins: enabling SSO will disable all existing ScoutDNS platform Admin, Service Desk, and Viewer accounts, and these roles will only be allowed to log in via Entra ID. Super Admin and Organization Operator roles are unaffected.

In the Access Management SSO config page on ScoutDNS, locate the Tenant ID field and paste the Entra ID Tenant ID you just copied from your Entra ID console. Press Save. You can toggle the Enable Connection switch on or off at any time to disable SSO; however, it must be on to complete the configuration.





Authorize ScoutDNS to Entra ID


Now you will need to grant ScoutDNS permission to read user profiles and groups from Entra ID. Click here to authorize and log in with an Entra ID account that has sufficient access to grant these permissions.

Configure Entra ID Roles to ScoutDNS Roles


Go to your Entra ID admin console and locate ScoutDNS within Enterprise Applications. Select the ScoutDNS app and locate the Users and Groups tab under the Manage section on the left sidebar. You can now assign Entra ID users or groups to specific ScoutDNS roles: ScoutDNS_Admin, ScoutDNS_Service_Desk, and ScoutDNS_Viewer.




Login with Microsoft

SSO users can now log in through the main ScoutDNS login page at cloud.scoutdns.com by selecting the "Login with Microsoft" link.




Things to Remember:

The only non-SSO accounts able to log in with SSO turned on are the Super Admin, which allows SSO to be disabled if needed, and Organization Operators, who are intended to be external users outside your organization with limited access rights. Be sure to keep MFA enabled to protect the Super Admin account at all times.

Idea
You can keep both ScoutDNS and Entra ID users configured in ScoutDNS so that if SSO needs to be disabled, previously added ScoutDNS accounts can log in again with the standard non-SSO login process.

Legacy SSO 

These are our legacy SSO setup instructions for accounts using the unique login URL with a custom-assigned Enterprise Application.

Configuring SSO for Entra ID requires setting up an Enterprise Application through App Registration. This allows Microsoft Entra ID APIs to communicate with ScoutDNS and manage authenticated users. You will be able to assign Entra ID users and groups to ScoutDNS and map your Entra ID roles to ScoutDNS application roles.

Register Application 

To get started, go to your Entra ID Admin Center:
Select App Registrations under the Applications tab on the left side menu and select New Registration. Enter ScoutDNS as the application name and choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" for account types. Under Redirect URI select Single Page Application and input https://app.scoutdns.com/login/sso/ in the field. When complete press the Register button at the bottom.



Set Token Type

Next you will need to set the token type. This can be found under the Authentication subtab, in Platform Configurations, for the app you just registered.



Configure API Permissions

Now you must configure the OpenID API permissions so that ScoutDNS can check Entra ID user access settings. Navigate to API Permissions on the App Registration subtab. You will need to set the following permissions:

'User.Read' - to sign in and read basic user info (this is set by default).
'openid' - to sign in.
'profile' - to read the user's profile.
'email' - to read the user's email address, which is used to identify the user in our system.

The first one is set for you. To add the other three, select Add a Permission, choose Microsoft Graph, and select the three additional options shown under OpenId Permissions. Then press the Add Permissions button at the bottom of the page.





Create and Assign Application Roles

The next step involves creating the application roles that will be mapped on the ScoutDNS side. You need at least one role. Navigate to the App Roles subtab and choose Create App Role at the top center. We recommend naming the roles as follows, setting the Display name and Value to the same string. You can enter a description for clarification. Enable the app role via the checkbox.
ScoutDNS_Admin
ScoutDNS_Viewer



You can now assign specific users and/or groups to your application. Exit App Registration and navigate to Enterprise Applications. Then select ScoutDNS, add users or groups as desired, and assign the role as needed.




Setup ScoutDNS portal for SSO

Now we need to configure the ScoutDNS side for SSO. Under Access Management choose the SSO sub-tab at the top left. Ensure Enable Connection is on.



Input Client and Tenant ID


You will need to input the Client ID and Tenant ID from the Entra ID App Registration page of the ScoutDNS app you registered.
From Entra ID, copy the Application (client) ID and paste it into the Client ID field on the ScoutDNS portal. Next, copy the Directory (tenant) ID entry and paste it into the Tenant field on the ScoutDNS portal.



Map Entra ID Roles to ScoutDNS


At this point, set the roles exactly as entered in Entra ID so they can be matched on the ScoutDNS side. Enter the role value for each of Admin, Service Desk, and Viewer as shown above, then save.
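As an added illustration of why the Tenant ID (set earlier) and the role values entered here must match Entra ID exactly, the following Python shows the claim checks a relying party makes on an Entra ID ID token before mapping the signed-in user to a ScoutDNS role. This is example code, not ScoutDNS's implementation; the configuration values and the sample claims are constructed placeholders, and signature and expiry validation against the tenant's signing keys is assumed to have been done by the OIDC library beforehand.

```python
from typing import Optional

# Assumed configuration: placeholders standing in for the Tenant ID and the
# Application (client) ID copied from the Entra ID portal into ScoutDNS.
CONFIGURED_TENANT_ID = "TENANT-ID-PLACEHOLDER"
CONFIGURED_CLIENT_ID = "CLIENT-ID-PLACEHOLDER"

# Entra ID app role values from the article, mapped to ScoutDNS roles,
# listed from most to least privileged.
ROLE_MAP = [
    ("ScoutDNS_Admin", "Admin"),
    ("ScoutDNS_Service_Desk", "Service Desk"),
    ("ScoutDNS_Viewer", "Viewer"),
]


def map_user(claims: dict) -> Optional[dict]:
    """Validate an already signature-checked ID token's claims and return
    {'email': ..., 'role': ...}, or None when the sign-in must be rejected."""
    # The registration is multitenant, so the issuing tenant ('tid') must be
    # the configured one; otherwise any Entra ID tenant's user could sign in.
    if claims.get("tid") != CONFIGURED_TENANT_ID:
        return None
    # The token must have been issued for this application ('aud').
    if claims.get("aud") != CONFIGURED_CLIENT_ID:
        return None
    # The 'email' claim (granted by the 'email' scope) identifies the user.
    email = claims.get("email")
    if not email:
        return None
    # Grant the most privileged assigned app role; no matching role means no
    # access even if the user is assigned to the enterprise application.
    assigned = set(claims.get("roles", []))
    for app_role, scout_role in ROLE_MAP:
        if app_role in assigned:
            return {"email": email, "role": scout_role}
    return None


# Constructed sample claims for demonstration (not a real token).
SAMPLE_CLAIMS = {
    "tid": CONFIGURED_TENANT_ID,
    "aud": CONFIGURED_CLIENT_ID,
    "email": "jane@example.com",
    "roles": ["ScoutDNS_Viewer", "ScoutDNS_Service_Desk"],
}
```

Running `map_user(SAMPLE_CLAIMS)` yields the Service Desk role, while a token from another tenant, for another application, without an email claim, or with no ScoutDNS app role is rejected.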


You can now copy the unique login URL that Entra ID will need to access ScoutDNS. Copy your unique URL from the ScoutDNS portal. Finally, return to the App Registration section and, under the ScoutDNS registration you created, navigate to Branding and Properties. Paste your unique ScoutDNS login URL into the Entra ID Home Page URL field and save.








That's it. From this point you simply need to assign the application and make it visible to users as desired in Entra ID.

A few things to remember:

SSO will disable all ScoutDNS platform Admin and Viewer accounts. These user types will now only be allowed to log in via Entra ID SSO. Super Admin and Organization Operator accounts are exempt from SSO. The Super Admin account can now act as a backup in case something happens to the Entra ID connection, so be sure to enable 2FA on it. Organization Operators are exempt because this account type is meant to work with external organization, partner, or end customer accounts. Keep in mind that Organization Operators have limited permissions for both Manager and Viewer.






