# Entra ID SSO

Cortex supports Single Sign-On (SSO) with Microsoft Entra ID (formerly known as Azure Active Directory) using OpenID Connect to protect access to your Cortex workspace.

Cortex also supports an integration to track Entra ID teams and team members as entity owners as well as create Scorecards involving your Entra ID teams. See the [Entra ID integration page](/ingesting-data-into-cortex/integrations/entraid.md) for more information.

## Configuring Entra ID SSO for Cortex

Users who have the `Configure OpenID Connector & SCIM` permission can configure Entra ID SSO for Cortex.

### Step 1: Setting up a new Entra ID application

1. Log in to the Microsoft Entra Admin Center at [https://entra.microsoft.com](https://entra.microsoft.com/).
2. From the left menu, select **Overview**.
3. Click **Add**, then select **App registration**.
4. In the **Name** field, enter a descriptive name for the application, e.g. `Cortex login`.
5. From the **Supported account types** drop-down menu, select **Single tenant only** / **Accounts in this organizational directory only.** Selecting this option means the SSO will only work for the given Entra ID instance—not for other organizations.
6. From the **Redirect URI (optional)** drop-down menu, select **Web**.
7. In the **Authorized redirect URI** field, enter `https://cortexapp.auth0.com/login/callback`.
8. Click **Register**.\
   The app's overview page is displayed.
9. Copy the **Application (client) ID** value and store it in a secure location, as you will need this in the next steps.

{% hint style="info" %}
Refer to the Microsoft [quickstart guide](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) for more detailed instructions on setting up an Entra ID app.
{% endhint %}

### Step 2: Creating a client secret in Entra ID

1. Log in to the Microsoft Entra Admin Center at [https://entra.microsoft.com](https://entra.microsoft.com/).
2. From the left menu, select **App registrations**.
3. Select the **All applications** tab, then select your app.
4. Click **Add a certificate or secret.**
5. Select the **Client secrets** tab.
6. Click **New client secret**.
7. In the **Description** field, enter a description for the secret.
8. From the **Expires** drop-down menu, select an expiration.\
   SSO stops working when the secret expires. Set an expiration that makes sense for your process. If you regularly rotate secrets, a shorter expiration period might make more sense. If you don't, a longer duration ensures that SSO continues to function without interruption.
9. Click **Add**.
10. Copy the value of the secret and store it in a secure location, as you will need this in the next steps.

### Step 3: Obtaining the metadata document endpoint in Entra ID

1. Log in to the Microsoft Entra Admin Center at [https://entra.microsoft.com](https://entra.microsoft.com/).
2. From the left menu, select **App registrations**.
3. Select the **All applications** tab, then select your app.
4. Select the **Endpoints** tab.
5. Copy the **OpenID Connect metadata document** URL up to and including `/v2.0`, leaving off everything after it. The result should be in the format `https://login.microsoftonline.com/<uuid>/v2.0`.

### Step 4: Configuring SSO in Cortex

1. Log in to Cortex.
2. From the main sidebar, click your avatar in the bottom-left corner.
3. Click **Settings**.
4. From the **Settings** menu, scroll to the **Security and access** section, then select **OpenID connector**.
5. Configure the form:
   * From the **Type** drop-down menu, select **Azure**.
   * Below **Identifier**, enter your client ID.
   * Below **Secret**, enter your client secret.
   * Below **Issuer**, enter the issuer URI from Step 3.
     * Do **not** include a trailing slash after `v2.0` in the issuer URI! A URI that ends in a slash is treated as an invalid configuration.
6. Click **Save**.

Once saved, users will only be able to sign in to Cortex using their Entra ID account.
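
The helper below is an added example, not part of Cortex's documentation or tooling: it trims a copied **OpenID Connect metadata document** URL (Step 3) down to the issuer value and reports the mistakes called out in Step 4, such as a trailing slash. It assumes the `https://login.microsoftonline.com/<uuid>/v2.0` format shown above; the function names and the sample tenant ID are made up for illustration.

```python
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"  # suffix of the metadata document URL
EXPECTED_HOST = "login.microsoftonline.com"  # host in the page's format (assumption)
TENANT_PATH = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/v2\.0$",
    re.IGNORECASE,
)


def issuer_problems(issuer: str) -> list[str]:
    """Return the reasons a value is not a usable issuer URI (empty list = OK)."""
    problems = []
    if issuer != issuer.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(issuer.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.hostname != EXPECTED_HOST:
        problems.append(f"host is not {EXPECTED_HOST}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    path = parts.path
    if path.endswith(WELL_KNOWN):
        problems.append("metadata document suffix not removed")
        path = path[: -len(WELL_KNOWN)]
    if path.endswith("/"):
        problems.append("trailing slash after v2.0")
        path = path.rstrip("/")
    if not TENANT_PATH.match(path):
        problems.append("path is not /<tenant uuid>/v2.0")
    return problems


def issuer_from_metadata_url(copied: str) -> str:
    """Cut a copied metadata document URL down to the issuer, or raise ValueError."""
    value = copied.strip()
    if value.endswith(WELL_KNOWN):
        value = value[: -len(WELL_KNOWN)]
    value = value.rstrip("/")
    remaining = issuer_problems(value)
    if remaining:
        raise ValueError("; ".join(remaining))
    return value


if __name__ == "__main__":
    sample = ("https://login.microsoftonline.com/"  # constructed tenant ID below
              "11111111-2222-3333-4444-555555555555/v2.0" + WELL_KNOWN)
    print(issuer_from_metadata_url(sample))
```
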


