# Azure AD 

> Integrate Applivery with Azure AD via SAML for Single Sign-On — configure Microsoft Entra ID as your Identity Provider.

Source: https://docs.applivery.com/en/platform/authentication/sso/azure-ad/  •  Last updated: 2026-04-01

**Key topics:** Azure AD, SAML, Single Sign-On, Applivery Integration, Azure Security Groups, Applivery, Microsoft Entra ID, Microsoft 365

---

**TL;DR:** Integrate Applivery with Azure AD for Single Sign-On (SSO) using SAML by exchanging metadata and configuring user group mappings.

:::warning
This is a premium feature that may not be available on your current plan. Check availability on the [Applivery pricing page](https://www.applivery.com/pricing/).
:::

Once set up, your organization members can log in to the Applivery Dashboard, App Store, or MDM Portal using their Microsoft 365 credentials — no separate Applivery password needed.

The flow goes in two directions: first, you export the Service Provider metadata from Applivery and import it into Entra ID, then you export the Identity Provider metadata from Entra ID and import it back into Applivery. Azure Security Group mapping — which has a unique quirk compared to other IdPs — is covered at the end.

:::info
If you plan to use a custom domain for your App Store or MDM Portal, configure it in Applivery **before** starting this guide. Custom domains change the callback URLs embedded in the SAML metadata, so the order matters.
:::

* * *

## Prerequisites

You'll need administrator access to your Applivery Workspace, and Global Administrator or Application Administrator access to the [Microsoft Entra admin center](https://entra.microsoft.com/). If you are using a custom domain, make sure it is configured first in Applivery under the Settings section, then navigate to Store Customization from the left-hand menu.

* * *

## Setup

**Get the Service Provider metadata from Applivery**

Once in the [**Applivery Dashboard**](https://dashboard.applivery.io/), go to your **Workspace Settings** from the top dropdown menu, then open Login providers in the left-hand menu. Find the **SAML** row and click **Configure** for the portal you want to protect — **Dashboard**, **App Store**, or **MDM Portal**. Each portal is configured independently.

On the SAML configuration screen, you have two options depending on your Entra ID setup:

**Upload metadata file (recommended)**

Click **Download Metadata** to get the **SAML Metadata XML** file. This is the fastest option — uploading it to Entra ID will fill in all required fields automatically.

**Manual configuration**

If your Entra ID tenant doesn't support metadata upload, use the individual values shown on screen:

| Field | Description |
| --- | --- |
| **Identifier (Entity ID)** | The unique identifier for Applivery as a Service Provider. |
| **Reply URL (ACS URL)** | Where Entra ID will POST the SAML response after authentication. |
| **Callback URL** | The URL users land on after a successful login. |

**Create an Enterprise Application in Entra ID**

In the [Azure Portal](https://portal.azure.com/), go to **Microsoft Entra ID → Enterprise applications** and click **\+ New application**.

![microsoft entra id](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/5f8e775e-a1c1-4d91-a9f9-341dbc9fd2fe.png)

Select **Create your own application**, give it a name (e.g. `Applivery`), choose **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.

![create your own app](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/5d29afbf-0d9c-4b94-86d4-732460a05f72.png)

**Configure SAML SSO in Entra ID**

Inside the application, go to **Setup Single Sign-On** from the left menu and select **SAML**. At the top of the configuration page, click **Upload metadata file** and select the XML file you downloaded from Applivery — the required fields will populate automatically.

![upload metadata file](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/60f0eafe-5aed-460d-b12c-310cd09120ae.png)

If you're configuring manually, fill in **Section 1 – Basic SAML Configuration** with the Identifier, Reply URL, and Sign on URL values from Applivery, then click **Save**.

**Assign users or groups**

Before anyone can log in via SSO, they need to be assigned to the application in Entra ID. Go to **Users and groups** in the left menu, click **\+ Add user/group**, select the users or groups who should have access to Applivery, and click **Assign**.

**Download the Identity Provider metadata from Entra ID**

Go back to **Single Sign-On** in your application. In **Section 3 – SAML Certificates**, click the **Download** link next to **Federation Metadata XML** and save the file — you'll upload it to Applivery in the next step.

![saml certificates](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/1ebb5e6a-59a4-4793-b904-9bf575eedc49.png)

**Complete the configuration in Applivery**

Go back to the Applivery SAML configuration screen for the same portal you started with in Step 1. Upload the **Federation Metadata XML** file from Entra ID, click **Save changes**, then use the toggle switch to **enable** the integration.

**Test the integration**

With everything saved and enabled, test with an assigned user. For the Dashboard, go to [https://dashboard.applivery.io/welcome/sso](https://dashboard.applivery.io/welcome/sso), enter the user's email, and you'll be redirected to Microsoft for authentication. For the App Store or MDM Portal, just navigate to the portal URL — the SSO redirect will happen automatically.

* * *

## Azure Security Group mapping

Unlike most Identity Providers, **Azure Entra ID does not send group display names in SAML assertions — it sends Object IDs (GUIDs)**. This means that without additional configuration, the groups Applivery receive look like `89f3b2c1-4a7e-4d91-...` rather than `engineering` or `qa-team`.

To make groups usable for Publication filters and role mapping, you need to do two things: enable group claims in Entra ID so the assertion includes them, and then map the Object IDs to friendly names in Applivery.

### Enable group claims in Entra ID

In your Enterprise Application, go to **Single Sign-On and** edit the **Attributes & Claims configuration**. Then click the **\+ Add a group claim button** and select **Security groups** (or **All groups** if needed), set the **Source attribute** to `Group ID`, and make sure the claim schema is:

```
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
```

![user attributes and claims](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/82fccbeb-c237-4493-88db-55b763810b52.png)

Save your changes. Entra ID will now include Security Group Object IDs in every SAML assertion.

### Map Object IDs to group names in Applivery

In the Applivery Dashboard, go to your **SAML** configuration. For each Azure Security Group, add a mapping entry with the group's **Object ID** as the key and the desired Applivery group name as the value.

![group translation](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/62681408-4af1-47c4-99b8-9a22055247eb.png)

You can find Object IDs under **Microsoft Entra ID → Groups** — open each group and copy the **Object ID** field.

![](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/73db51a7-2a6f-4c92-a027-36fde2146ea6.png)
:::tip
You don't need to pre-configure all groups before going live. Applivery automatically detects new Object IDs as users authenticate and adds them to the mapping list as placeholders. You can assign friendly names at any time after the integration is active.
:::

* * *

## Role mapping from Azure groups

If you're configuring the Dashboard portal and want Azure Security Groups to automatically assign Applivery Collaborator roles to new users, you need to send group **display names** instead of Object IDs — so Applivery can match them directly to the reserved role group names (`applivery-admin`, `applivery-editor`, etc.).

In the **User Attributes & Claims** section of your Entra ID application, edit the group's claim and set the **Source attribute** to **Cloud-only group display names** instead of `Group ID`. With this in place, Applivery can assign roles on first login without needing any Object ID → name mapping.

![group claims](https://docs.applivery.com/int/_r2/media/09ac0a4e-3ad8-478f-9f15-3474973eec71/cdda8163-d252-4bea-b8da-23a25d19ba3d.webp)
:::note
Role mapping only applies to **App Distribution**. Device Management permissions are governed exclusively by [Segment permissions](https://docs.applivery.com/en/device-management/general-settings/segments/#segment-based-role-delegation).
:::
