# Entra ID (Azure AD) SSO

Cortex supports Single Sign-On (SSO) with Microsoft Entra ID [(formerly known as Azure Active Directory)](https://azure.microsoft.com/en-us/updates/azure-ad-is-becoming-microsoft-entra-id/) over OpenID Connect to protect access to your Cortex workspace.

Cortex also supports an integration to track Entra ID teams and team members as entity owners as well as create Scorecards involving your Entra ID teams. See the [Entra ID (Azure AD) integration page](https://docs.cortex.io/ingesting-data-into-cortex/integrations/entraid) for more information.

## How to configure Entra ID SSO for Cortex

You must have the `Configure OpenID Connector & SCIM` permission.

### Step 1: Set up a new Entra ID application in Azure

1. From the Entra ID overview page in your Azure portal, click **Add > App registration**.
2. Enter a descriptive name for the application, such as "Cortex login."
3. Under "Supported account types," select **Accounts in this organizational directory only.**
   * Selecting this option means the SSO will only work for the given Entra instance and not for other organizations.
4. Under "Redirect URI (optional)," select **Web** from the dropdown menu.
5. In the **Authorized redirect URI** field, enter `https://cortexapp.auth0.com/login/callback`.
6. Click **Register** to save the app. You will be redirected to the app's overview page.
7. Copy the **Application (client) ID** value and store it in a secure location, as you will need this in the next steps.

You can find more detailed instructions on registering an app with the Microsoft identity platform in its [quickstart guide](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application).

### Step 2: Create a client secret in Azure

1. From the app's Overview page in Azure, click **Add a certificate or secret**, then go to the **Client secrets** tab.
2. Click **New client secret**. Enter a description and expiration.
   * The SSO will stop working when the secret expires, so set an expiration that makes sense for your process. If you regularly rotate secrets, a shorter expiration period might make more sense. If you do not, a longer duration will ensure that SSO continues to function without frequent interruption.
3. Click **Save**.
4. Copy the value of the secret and store it in a secure location, as you will need this in the next steps.

### Step 3: Obtain the metadata document endpoint in Azure

1. Go to the Overview page in Azure and click the **Endpoints** tab.
2. Copy the **OpenID Connect metadata document** URL up to and including `/v2.0`, leaving off everything after it.
   * It should be in the format `https://login.microsoftonline.com/<uuid>/v2.0`.
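
The following pre-check is an added example, not part of Cortex or Azure tooling: it trims a copied metadata document URL to the issuer format above and rejects values that would not fit the **Issuer** field in Step 4. The function name and the tenant UUID in the demo are constructed for illustration; the `/.well-known/openid-configuration` suffix is the standard OpenID Connect discovery path.

```python
import re
from urllib.parse import urlsplit

# Standard OIDC discovery suffix that follows /v2.0 in the copied endpoint.
WELL_KNOWN = "/.well-known/openid-configuration"
# Host and path shape from Step 3: https://login.microsoftonline.com/<uuid>/v2.0
ISSUER_HOST = "login.microsoftonline.com"
TENANT_PATH = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/v2\.0$",
    re.IGNORECASE,
)


def issuer_from_metadata_url(copied: str) -> str:
    """Return the issuer for Step 4, or raise ValueError if it is malformed."""
    url = copied.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    parts = urlsplit(url)
    # Comparing the whole netloc also rejects ports and user@host forms.
    if parts.scheme != "https" or parts.netloc.lower() != ISSUER_HOST:
        raise ValueError(f"expected https://{ISSUER_HOST}/..., got {url!r}")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query string or fragment")
    if url.endswith(("/", "\\")):
        raise ValueError("remove the trailing slash after v2.0")
    if not TENANT_PATH.match(parts.path):
        raise ValueError("path must be /<tenant uuid>/v2.0")
    return url


if __name__ == "__main__":
    # Constructed tenant UUID, for demonstration only.
    sample = (
        "https://login.microsoftonline.com/"
        "11111111-2222-3333-4444-555555555555/v2.0" + WELL_KNOWN
    )
    print(issuer_from_metadata_url(sample))
```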

### Step 4: Configure SSO in Cortex

1. In your Cortex workspace, navigate to [**Settings > OpenID Connector**](https://app.getcortexapp.com/admin/settings/oidc).
2. Configure the form:
   * **Type**: Select `Azure`.
   * **Identifier:** Enter the application (client) ID from Step 1.
   * **Secret:** Enter the client secret created in Step 2.
   * **Issuer:** Enter the issuer URI from Step 3.
     * Do **not** include a trailing slash after `v2.0` in the issuer URI. A URI that ends in a slash is treated as an invalid configuration.
3. At the bottom of the page, click **Save**.

After saving your configuration, users will only have the option to sign in to your Cortex workspace via Microsoft Entra ID.
