Single Sign On (SSO) Configuration - Entra ID

Entra ID SSO

Enabling Single Sign On (SSO) allows admins to manage access to their ScoutDNS instance through Entra ID. ScoutDNS uses the OpenID Connect (OIDC) protocol for secure communication with Entra ID.

Warning
SSO will disable all existing ScoutDNS platform Admin, Service Desk, and Viewer accounts. These roles will only be allowed to log in via Entra ID. Super Admin and Organization Operator roles are unaffected.

Configure Tenant ID in ScoutDNS


The first step is to set your Entra ID Tenant ID in ScoutDNS. This tells ScoutDNS which Microsoft Entra ID tenant to use for sign-in processing.

Your Entra ID Tenant ID can be found in the Entra ID admin portal on the Home or Overview tab. Locate the Tenant ID and copy it using the copy button provided in the UI.

In ScoutDNS, navigate to the Access Management page, found under the person icon at the top right of the UI. Select the SSO subtab. You will need to acknowledge a warning about how enabling SSO affects existing ScoutDNS admins.

Important: Enabling SSO will disable all existing Admin, Service Desk, and Viewer accounts on the ScoutDNS platform. These roles will only be able to log in via Entra ID. However, Super Admin and Organization Operator roles are unaffected.

On the Access Management SSO configuration page in ScoutDNS, locate the Tenant ID field and paste the Entra ID Tenant ID you copied from the Entra ID console. Press Save.

The Enable Connection switch turns SSO on or off. You can toggle it at any time to disable SSO, but it must be on to complete the configuration. Because the Tenant ID is what ties sign-in to your own directory, double-check it before enabling the connection.






Authorize ScoutDNS to Entra ID


Now you will need to grant ScoutDNS permission to read user profiles and groups from Entra ID. Use the authorization link on the SSO configuration page and sign in with an Entra ID account that has sufficient rights to grant these permissions on behalf of the tenant (this is an admin consent). Review the permissions listed on the Microsoft consent prompt before accepting; they should be limited to reading users and groups.


Configure Entra ID Roles to ScoutDNS Roles


Go to your Entra ID admin console and locate ScoutDNS within Enterprise Applications. Select the ScoutDNS app and navigate to the Users and groups tab under the Manage section on the left sidebar. You can now assign Entra ID users or groups to specific ScoutDNS roles: ScoutDNS_Admin, ScoutDNS_Service_Desk, and ScoutDNS_Viewer. Assigning groups rather than individual users keeps the membership reviewable in one place and lets access follow your existing group lifecycle.




Login with Microsoft

SSO users can now log in from the main ScoutDNS login page at cloud.scoutdns.com by selecting the "Login with Microsoft" link.






Things to Remember:

The only non-SSO accounts able to log in when SSO is enabled are the Super Admin, which allows SSO to be disabled if needed, and Organization Operators, who are intended to be external users with limited access rights.

You can keep both ScoutDNS and Entra ID users configured in ScoutDNS so that if SSO needs to be disabled, previously added ScoutDNS accounts can log in using the standard non-SSO login process.

Because the Super Admin is the break-glass path around SSO, keep MFA enabled on that account at all times.



Legacy SSO 

This is our legacy SSO setup guide for accounts using a unique login URL with a custom-assigned Enterprise Application.

Configuring SSO for Entra ID requires setting up an Enterprise Application through App Registration. This allows Microsoft Entra ID APIs to communicate with ScoutDNS and manage authenticated users. You will be able to assign Entra ID users and groups to ScoutDNS and map your Entra ID roles to ScoutDNS application roles.


Register Application 

To get started, go to your Entra ID Admin Center:

  1. Select App Registrations under the Applications tab on the left-side menu and click New Registration.

  2. Enter ScoutDNS as the application name.

  3. For Account types, choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)". Because this registration accepts accounts from any tenant, the Tenant ID you enter in ScoutDNS later is what ties sign-in to your own directory, so make sure it is correct.

  4. Under Redirect URI, select Single Page Application and input https://app.scoutdns.com/login/sso/ in the field. Entra ID matches redirect URIs exactly, so enter it verbatim, including the trailing slash.

  5. When complete, press the Register button at the bottom.




Set Token Type

Next, set the token type that ScoutDNS requires. The setting is under the Authentication tab of the app you just registered, in the Platform configurations section.



Configure API Permissions

Now you must configure the OpenID API permissions to allow ScoutDNS to check Entra ID user access settings.

  1. Navigate to API Permissions on the App Registration subtab.

  2. You will need to set the following permissions:

    • User.Read – Allows signing in and reading basic user info. (This is set by default.)

    • openid – Required for signing in.

    • profile – Allows reading the user's profile.

    • email – Allows reading the user's email address, which will be used to identify the user in our system.

  3. Since User.Read is already set by default, you only need to add the other three. These four delegated permissions are all that ScoutDNS needs; do not add any others:

    • Select Add a Permission.

    • Choose Microsoft Graph and select the three additional options under OpenID Permissions.

    • Press the Add Permissions button at the bottom of the page.






Create and Assign Application Roles

The next step is to create the application roles that will be mapped to ScoutDNS roles. You need at least one role.

  1. Navigate to the App Roles subtab and select Create App Role at the top center.

  2. We recommend naming the roles as follows, setting both the Display name and Value to the same string. The Value is what Entra ID places in the token's roles claim, so it must match what you later enter in ScoutDNS exactly, including case:

    • ScoutDNS_Admin
    • ScoutDNS_Service_Desk (if you use the Service Desk role)
    • ScoutDNS_Viewer

  3. You can enter a description for clarification.

  4. Enable the app role by selecting the checkbox.



You can now assign specific users and/or groups to your application.

  1. Exit App Registration and navigate to Enterprise Applications.

  2. Select ScoutDNS.

  3. Add a user or group as needed and assign the appropriate role.





Setup ScoutDNS portal for SSO

Now we need to configure ScoutDNS for SSO.

  1. Under Access Management, select the SSO sub-tab at the top left.

  2. Ensure that Enable Connection is turned on.



Input Client and Tenant ID


You will need to copy the Client ID and Tenant ID from the Overview page of your Entra ID App Registration into the ScoutDNS portal.

  1. In Entra ID, copy the Application (client) ID and paste it into the Client ID field in the ScoutDNS portal.

  2. Next, copy the Directory (tenant) ID and paste it into the Tenant field in the ScoutDNS portal.




Map Entra ID Roles to ScoutDNS


At this point, enter the roles exactly as you created them in Entra ID so they can be matched on the ScoutDNS side.

  1. In the Admin, Service Desk, and Viewer fields, enter the app role Values you created in Entra ID (for example ScoutDNS_Admin, ScoutDNS_Service_Desk, and ScoutDNS_Viewer). Each entry must match the Entra ID Value character for character.

  2. Save the settings.
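To make the Client ID, Tenant ID, and role-mapping steps above concrete, the following Python is an added example (not ScoutDNS code and not a description of how ScoutDNS is implemented) of the checks an OIDC relying party performs on an Entra ID ID token under this configuration: the tid/issuer check that ties a multitenant registration to one Tenant ID, the audience check against the Client ID, and the mapping of app role Values in the roles claim to the Admin, Service Desk, and Viewer roles. The tenant and client IDs, the sample payloads, and all helper names are constructed; the "most privileged role wins" rule for users holding several roles is an assumption; signature verification against the tenant's JWKS is a prerequisite that this offline example does not perform.

```python
"""Offline check of an Entra ID ID-token payload against a ScoutDNS-style SSO
configuration: tenant binding, audience, lifetime and app-role mapping.
Illustrative only; helper names, the role precedence and all IDs are assumptions.
Signature verification against the tenant's JWKS is a prerequisite that this
offline example leaves out."""
import base64
import json
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Entra ID app-role Value -> ScoutDNS role, named as in this guide.
# Ordered most-privileged first; that precedence is an assumption for
# users who hold more than one app role.
ROLE_MAP = [
    ("ScoutDNS_Admin", "Admin"),
    ("ScoutDNS_Service_Desk", "Service Desk"),
    ("ScoutDNS_Viewer", "Viewer"),
]


def expected_issuer(tenant_id: str) -> str:
    """Issuer the Entra ID v2.0 endpoint puts in tokens for one tenant."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id.lower()}/v2.0"


def decode_payload(token: str) -> dict:
    """Base64url-decode the middle JWT segment. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def _deny(reason: str) -> dict:
    return {"allowed": False, "reason": reason, "user": None, "role": None}


def evaluate_login(payload: dict, tenant_id: str, client_id: str, now: int) -> dict:
    """Decide whether a decoded ID-token payload grants a ScoutDNS role."""
    # 1. Tenant binding. A multitenant registration lets any Entra tenant mint
    #    a token for this client ID; tid/iss is what keeps other tenants out.
    if payload.get("tid", "").lower() != tenant_id.lower():
        return _deny("token issued by a different tenant")
    if payload.get("iss") != expected_issuer(tenant_id):
        return _deny("unexpected issuer")
    # 2. Audience must be this app's Application (client) ID.
    if payload.get("aud") != client_id:
        return _deny("audience is not this application")
    # 3. Lifetime.
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if not isinstance(exp, int) or exp <= now:
        return _deny("token expired")
    if isinstance(nbf, int) and nbf > now:
        return _deny("token not yet valid")
    # 4. Identity: the guide says the email claim identifies the user.
    user = payload.get("email")
    if not user:
        return _deny("no email claim; the 'email' OpenID permission is missing")
    # 5. Role mapping: app-role Values arrive in the 'roles' claim.
    granted = set(payload.get("roles", []))
    for app_role, scout_role in ROLE_MAP:
        if app_role in granted:
            return {"allowed": True, "reason": "ok", "user": user, "role": scout_role}
    return _deny("no ScoutDNS app role assigned")


def make_token(payload: dict) -> str:
    """Constructed, UNSIGNED test token (alg=none, empty signature segment)."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample configuration and payloads (not real tenants or apps).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
OTHER_TENANT = "99999999-8888-7777-6666-555555555555"
NOW = 1_700_000_000
_BASE = {"iss": expected_issuer(TENANT_ID), "tid": TENANT_ID, "aud": CLIENT_ID,
         "exp": NOW + 3600, "nbf": NOW - 60, "email": "alice@example.com"}
SAMPLES = {
    "admin": {**_BASE, "roles": ["ScoutDNS_Viewer", "ScoutDNS_Admin"]},
    "no_role": dict(_BASE),
    "other_tenant": {**_BASE, "tid": OTHER_TENANT, "iss": expected_issuer(OTHER_TENANT)},
    "expired": {**_BASE, "roles": ["ScoutDNS_Viewer"], "exp": NOW - 1},
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        verdict = evaluate_login(decode_payload(make_token(p)), TENANT_ID, CLIENT_ID, NOW)
        print(f"{name:13} {verdict}")
```

The "other_tenant" sample is the case worth noticing: its token is well formed and carries a valid-looking role, but it was issued by a different directory, so only the tid/issuer comparison against the configured Tenant ID rejects it. A user with no mapped app role is denied rather than given a default role, which is the behaviour you want when a group assignment is removed.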



You can now copy the unique login URL that Entra ID will use to access ScoutDNS.

  1. Copy your unique URL from the ScoutDNS portal.

  2. Return to the App Registration section in Entra ID.

  3. Under the ScoutDNS registration you created, navigate to Branding and Properties.

  4. Paste your unique ScoutDNS login URL into the Entra ID Home Page URL field and save.









That's it! From this point, you simply need to assign the application and make it visible to users as desired in Entra ID.

A few things to remember:

SSO will disable all ScoutDNS platform Admin, Service Desk, and Viewer accounts. These user types will now only be allowed to log in via Entra ID SSO.

Super Admin and Organization Operator accounts are exempt from SSO. The Super Admin account can serve as a backup in case there are issues with the Entra ID connection. Be sure to enable MFA on it for added security.

Organization Operators are also exempt, as this account type is designed for external organizations, partners, or end customers. Keep in mind that Organization Operators have limited permissions for both Manager and Viewer roles.




  



