Skip to main content

Console SSO with Microsoft Entra ID (Azure AD)

Let your team sign in to the DashX console (app.dashxtech.com) with Microsoft Entra ID (formerly Azure AD) instead of DashX passwords. Console SSO uses OIDC (OpenID Connect, Authorization Code + PKCE) with just‑in‑time (JIT) provisioning — a new user is created on first sign‑in with the role you choose.

For support‑portal sign‑in (end‑users), see the separate guide: Portal SSO with Entra (SAML).

Before you start

  • An Entra admin (can create app registrations) and a DashX admin.
  • Keep both the Entra admin center and DashX open — you'll copy one value from DashX into Entra, and three back into DashX.

1. Get the Redirect URI from DashX

In DashX, go to Settings → Security & Access → SSO and copy the Redirect URI shown on the page. It looks like:

https://app.dashxtech.com/api/auth/sso/callback

2. Register an app in Entra

  1. Microsoft Entra admin centerApp registrationsNew registration.
  2. Name: DashX (anything recognizable).
  3. Supported account types: Accounts in this organizational directory only (single tenant) is typical.
  4. Redirect URI: platform Web, and paste the URI from step 1.
  5. Register.

3. Copy the IDs

On the app's Overview page, copy:

  • Application (client) ID — a GUID.
  • Directory (tenant) ID — a GUID.

4. Create a client secret

  1. Certificates & secretsNew client secret.
  2. Add a description and an expiry, then Add.
  3. Copy the secret Value immediately — it's shown only once. Note the expiry so you rotate it before it lapses.

5. (Optional) Send group claims for role restriction

To restrict sign‑in to specific Entra groups:

  1. Token configurationAdd groups claim → choose Security groups for the ID token.
  2. Note the group display names you'll allow — you'll enter them in DashX.

DashX requests the standard scopes openid profile email; no extra API permissions are needed for basic sign‑in.

6. Configure DashX

Back in Settings → Security & Access → SSO:

  1. Enable SSO.
  2. Paste Tenant ID, Application (client) ID, and Client secret.
  3. Set Allowed email domains (e.g. acme.com, acme.io) — only these may sign in.
  4. Choose the Default role for JIT‑provisioned users (Viewer / Operator / Admin — start with Viewer).
  5. (Optional) Restrict JIT to these IdP groups — the group display names from step 5.
  6. Save.

7. Test

Sign out, then choose Sign in with Microsoft on the DashX login screen. Entra shows an account picker (prompt=select_account); after you authenticate, DashX validates the token, checks your email domain, and — if you're new — provisions your account at the default role.

tip

Start with Default role = Viewer plus a group restriction. That way an accidental sign‑in can't self‑provision as Admin — you promote real users in Admin → Users.

Troubleshooting

  • Redirect URI mismatch — the URI in Entra must exactly match the one on the DashX SSO page (scheme, host, path). Copy‑paste it; don't type it.
  • "Domain not allowed" — the user's email domain isn't in Allowed email domains; add it.
  • Sign‑in works but no account is created — check the group restriction: the user must be in an allowed group and the group display name must match exactly.
  • Secret errors after a while — Entra client secrets expire; create a new one and update it in DashX.