Set up a SAML 2.0 provider with Microsoft Entra ID

Microsoft Entra is one of the SAML 2.0 identity providers you can use to authenticate visitors to your Power Pages site. You can use any provider that conforms to the SAML 2.0 specification.

This article explains the following steps:

• Set up Microsoft Entra in Power Pages
• Create an app registration in Azure
• Enter site settings in Power Pages

Set up Microsoft Entra in Power Pages

Set Microsoft Entra as an identity provider for your site.

1. In your Power Pages site, select Security > Identity providers.

   If no identity providers appear, ensure External login is set to On in your site's general authentication settings.

2. Select + New provider.

3. Under Select login provider, select Other.

4. Under Protocol, select SAML 2.0.

5. Enter a name for the provider, such as Microsoft Entra ID.

   The provider name is the text on the button that users see when they select their identity provider on the sign-in page.

6. Select Next.

7. Under Reply URL, select Copy.

   Don't close your Power Pages browser tab. You return to it soon.

Create an app registration in Azure

Create an app registration in the Azure portal with your site's reply URL as the redirect URI.

1. Sign in to the Azure portal.

2. Search for Azure Active Directory, and then select it.

3. Under Manage, select App registrations.

4. Select New registration.

5. Enter a name.

6. Select one of the Supported account types that best matches your organization's requirements.

7. Under Redirect URI, select Web as the platform. Enter the reply URL of your site.

   • If you're using your site's default URL, paste the reply URL that you copied from set up Microsoft Entra in Power Pages.
   • If you're using a custom domain name, enter the custom URL. Be sure to use the same custom URL for the assertion service consumer URL in the settings for the identity provider on your site.

8. Select Register.

9. Select Endpoints at the top of the page.

10. Locate the Federation metadata document URL, and then select the copy icon.

11. In the left side panel, select Expose an API.

12. To the right of Application ID URI, select Add.

13. Enter your site URL as the App ID URI. If the site URL isn't accepted as a valid value, keep the default App ID URI. Copy the App ID URI value and save it for a later step.

14. Select Save.

15. In a new browser tab, paste the federation metadata document URL you copied earlier.

16. Copy the value of the entityID tag from the document.

Enter site settings in Power Pages

Go back to the Power Pages Configure identity provider page you left earlier and enter the following values. Optionally, update the additional settings as needed. Select Confirm when you're done.

• Metadata address: Paste the federation metadata document URL you copied.

• Authentication type: Paste the entityID value you copied.

• Service provider realm: Paste the App ID URI value you copied.

• Assertion service consumer URL: If your site uses a custom domain name, enter the custom URL. Otherwise, leave the default value, which is your site's reply URL. Make sure the value matches the redirect URI of the application you created.

Additional settings in Power Pages

The additional settings let you control how users authenticate with your SAML 2.0 identity provider. You don't need to set these values. They're optional.

• Validate audience: Turn on this setting to validate the audience during token validation.

• Valid audiences: Enter a comma-separated list of audience URLs.

• Contact mapping with email: This setting specifies whether contacts are mapped to a corresponding email address when they sign in.

  • On: Associates a unique contact record with a matching email address and automatically assigns the external identity provider to the contact after the user successfully signs in.
  • Off

See also

Set up a SAML 2.0 provider
Set up a SAML 2.0 provider with AD FS
SAML 2.0 FAQs