
Single sign-on (SSO) with Microsoft Entra ID

Enable SSO for the ScoutDNS Admin Console via Microsoft Entra ID. Existing Admin, Service Desk, and Viewer accounts authenticate through Entra; Super Admin and Org Operator stay local for break-glass access.

Updated Aug 23, 2025 • 8 min read

ScoutDNS supports single sign-on through Microsoft Entra ID (formerly Azure AD), using OpenID Connect (OIDC) for secure communication. Once enabled, Admin, Service Desk, and Viewer accounts authenticate through Entra; only Super Admin and Organization Operator roles continue to use local logins.

[!IMPORTANT] Enabling SSO disables local password login for existing Admin, Service Desk, and Viewer accounts. They will only be able to sign in through Entra ID from that point on. Super Admin and Org Operator accounts are unaffected and serve as your break-glass access if Entra is misconfigured.

There are two setup paths:

  • Standard SSO (recommended) uses the shared ScoutDNS multi-tenant app. Quicker, no Enterprise Application registration required on your side.
  • Legacy SSO uses a per-tenant App Registration in your Entra tenant. Required if you have a unique login URL or a custom-assigned Enterprise Application.

Standard SSO setup

Step 1: Set your Entra Tenant ID in ScoutDNS

  1. In the Entra admin portal, open the Home or Overview tab and copy your Tenant ID.
  2. In ScoutDNS, open Access Management (person icon, top right) → SSO subtab.
  3. Acknowledge the warning about how enabling SSO affects existing admin accounts.
  4. Paste your Tenant ID and click Save.
  5. Toggle Enable Connection on. You can flip this off at any time to revert to local logins.

ScoutDNS Access Management SSO tab

Step 2: Authorize ScoutDNS in Entra

Sign in to the ScoutDNS admin-consent URL with an Entra account that has permission to grant tenant-wide consent (typically Global Admin or Privileged Role Admin).

You’re granting ScoutDNS read access to user profiles and groups so it can verify role assignments at login.

Entra admin consent screen for ScoutDNS

Step 3: Assign Entra users and groups to ScoutDNS roles

  1. In the Entra admin console, go to Enterprise Applications and open ScoutDNS.
  2. Under Manage → Users and Groups, add users or groups and assign them a ScoutDNS role.

Available roles:

| Role | Permissions |
| --- | --- |
| ScoutDNS_Admin | Full access to the ScoutDNS Admin Console |
| ScoutDNS_Service_Desk | Limited admin: support / activity-log access, no policy or billing changes |
| ScoutDNS_Viewer | Read-only access |

Assigning roles in the Entra Enterprise Application

Step 4: Sign in with Microsoft

Direct users to cloud.scoutdns.com and have them click Login with Microsoft.

ScoutDNS login page with Login with Microsoft button


Legacy SSO setup (App Registration)

Use this path if your account uses a unique login URL with a custom-assigned Enterprise Application. You’ll create your own App Registration in Entra instead of consenting to the shared ScoutDNS multi-tenant app.

Step 1: Register the application

In the Entra admin center:

  1. Applications → App Registrations → New Registration.
  2. Name: ScoutDNS
  3. Account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant, Multitenant)
  4. Redirect URI: select Single Page Application and enter https://app.scoutdns.com/login/sso/
  5. Click Register.

Entra App Registration form filled out for ScoutDNS

Step 2: Set the token type

In the new app, open Authentication under Platform Configurations and set the token type as shown.

Authentication / token type configuration

Step 3: Configure API permissions

In the App Registration, open API Permissions and add the following Microsoft Graph permissions under OpenID Permissions:

| Permission | Purpose |
| --- | --- |
| User.Read | Sign-in and basic user info (already set by default) |
| openid | Required for sign-in |
| profile | Read the user’s profile |
| email | Read the user’s email, used as the user identifier in ScoutDNS |

  1. Click Add a Permission.
  2. Choose Microsoft Graph.
  3. Select the three additional permissions under OpenID Permissions (openid, profile, email).
  4. Click Add Permissions.

API Permissions configured for the ScoutDNS app

Step 4: Create and assign App Roles

You need at least one App Role to map to ScoutDNS.

  1. Open the App Roles subtab → Create App Role.
  2. Set both Display name and Value to the same string (this is what ScoutDNS matches on).
  3. Add a description and enable the role.

Recommended role names:

ScoutDNS_Admin
ScoutDNS_Service_Desk
ScoutDNS_Viewer

Creating an App Role

Then assign users and groups to those roles:

  1. Exit App Registration and open Enterprise Applications → ScoutDNS.
  2. Add a user or group, and assign the appropriate App Role.

Assigning users in Enterprise Applications

Step 5: Configure ScoutDNS for SSO

  1. In ScoutDNS, open Access Management → SSO subtab.
  2. Turn on Enable Connection.
  3. In Entra, copy the Application (client) ID and paste it into the Client ID field in ScoutDNS.
  4. Copy the Directory (tenant) ID and paste it into the Tenant ID field in ScoutDNS.

Client ID and Tenant ID fields in ScoutDNS SSO

Step 6: Map Entra roles to ScoutDNS roles

Enter the role names exactly as configured in Entra into the Admin, Service Desk, and Viewer fields. Save.

Role mapping fields populated

  1. Copy your unique ScoutDNS login URL from the SSO page.
  2. In Entra, open your App Registration and go to Branding and Properties.
  3. Paste the ScoutDNS login URL into the Home Page URL field and save.

Entra Branding and Properties

Final SSO configuration confirmed

From here, make the application visible to users in Entra as desired and they can sign in with their Entra credentials.
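
The claims that Steps 3 to 6 of the legacy setup depend on, checked in an added example (not ScoutDNS code and not part of the original page): it decodes an Entra ID token for diagnosis and reports where the token disagrees with the Tenant ID, Client ID and role names entered in ScoutDNS. The GUIDs, the sample token and the function names are constructed for illustration, and how ScoutDNS itself evaluates tokens is not stated on this page.

```python
import base64
import json

# Role values recommended on this page; treating them as the mapped set is an assumption.
MAPPED_ROLES = ("ScoutDNS_Admin", "ScoutDNS_Service_Desk", "ScoutDNS_Viewer")

def b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnosis only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict, tenant_id: str, client_id: str) -> list:
    """Return configuration problems; an empty list means the claims line up."""
    problems = []
    # The registration is multitenant, so the tid claim must equal the
    # Directory (tenant) ID that was pasted into ScoutDNS.
    if str(claims.get("tid", "")).lower() != tenant_id.lower():
        problems.append("tid does not match the configured Tenant ID")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the configured Client ID")
    if not claims.get("email"):
        problems.append("email claim missing (it is the user identifier)")
    roles = claims.get("roles") or []
    if not roles:
        problems.append("no roles claim: no App Role assigned to this user")
    for role in roles:
        if role not in MAPPED_ROLES:  # exact, case-sensitive comparison
            problems.append(f"role {role!r} is not one of the mapped values")
    # The page does not say how several roles are resolved; flag for review.
    if sum(r in MAPPED_ROLES for r in roles) > 1:
        problems.append("more than one mapped role assigned")
    return problems

# Constructed sample: placeholder GUIDs, a lower-cased role value, no email.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
SAMPLE = ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(
    {"tid": TENANT, "aud": CLIENT, "roles": ["scoutdns_admin"]}), "sig"])

if __name__ == "__main__":
    for line in check_claims(decode_claims(SAMPLE), TENANT, CLIENT):
        print("PROBLEM:", line)
```
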


Things to remember

[!IMPORTANT] Keep a backup path. The Super Admin account is your break-glass access: it can disable SSO if Entra ever fails or is misconfigured. Enable 2FA on the Super Admin account to protect it.

  • Super Admin and Organization Operator are exempt from SSO. Org Operators are intended for external organizations, partners, or end customers and have limited permissions.
  • You can keep both local and Entra-linked accounts configured in ScoutDNS at the same time. If SSO ever needs to be turned off, your previously created local accounts can still sign in via the standard flow.
  • Group-based assignment scales better than per-user assignment. Create Entra security groups (e.g. IT-Admins, ServiceDesk) and assign those groups to ScoutDNS roles rather than individual users.