Microsoft Entra Single-Sign-On (formerly Azure)

Configure SchoolFi for Single-Sign-On with Microsoft Entra (formerly Azure)

Before you begin, it is recommended you set up a notepad (or other text editor) document.  You will need to copy and paste several values from the Entra Admin center to then be used later in your SchoolFi configuration.

Configure the Entra App Registration

1. Open the Microsoft Entry admin center and navigate to Applications in the navigation bar.
   
   This link should take you directly to this page:
   https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

        2. Click the New Registration button at the top.

        3. On the Register an application page, complete the following:

                a. Name (a friendly name for the application, e.g., “SchoolFi”).

                b. Select a supported account type (likely single-tenant for most configurations).

Then click the Register button at the bottom. (You can skip the "Redirect URI" option for now).

4. If the application was registered, you should see a confirmation message appear at the top right of the screen. If it does not redirect you directly to the new app registration page, follow these steps to access your new registration.

5. Next, find your application to continue configuring it. Navigate again to Applications. (You can skip this and move onto step 6 if you are automatically directed to your new app.)

        a. Click All applications above the search box.

        b. Search for the name of your newly created application in the search box and press enter to locate it.

        c. Click on the App registration’s name in the search results to edit it.  Your app registration page should open. 

6. There are two important values you need to obtain from the main app registration (overview) page. You will need to record (copy) the “Application (client) ID” and “Directory (tenant) ID” values from this screen. (highlighted in the screenshot above) These will be used later to configure the SchoolFi side of the authentication.

Recommended: copy/paste into notepad or another text editor to avoid any weird characters from here.  These values are critical to the configuration.

Configure Certificates & secrets

1. In the left navigation of the app registration, choose Certificates & secrets.  Click the + New client secret button.

        2. Enter a description (e.g., “SchoolFi”).

    3. Choose an expiration date or use the recommended 180 days.

***Important Note: Client IDs on the Azure side are set to a default value expiration date of 6 Months. Please be aware or increase the default value to not lock out your users in 6 Months from creation of Client ID.***

    4. Click the Add button.

    5. You should now see your Client secret value and Secret ID on the “certificates and secrets page”.

    6. Copy the Value from this secret – this will be needed for the SchoolFi side of the configuration.

Important Note: Client IDs on the Azure side are set to a default value expiration date of 6 Months. Please be aware or increase the default value to not lock out your users in 6 Months from creation of Client ID.

Configure the SSO Provider in SchoolFi

1. Navigate to: System -> Security ->Single Sign-On/MFA
2. Click Add Provider and enter:
3. Code (e.g., “ENTRA”)
4. Provider: “Microsoft Entra ID (Azure AD)”
5. Description (e.g., “Microsoft Entra ID”)
6. Client Id: ["Application (client) ID" from Screenshot #2]
7. Client Secret: ["Secret" Value highlighted in Screenshot #5]
8. Tenant Id: ["Directory (tenant) ID" from Screenshot #2]
9. Click Add once everything is filled in.

1. You should now be automatically redirected to the SSO provider modify screen. Click the “Lookup OAuth fields from Discovery Document” button at the bottom left. This will populate several values in the OIDC Single Sign On Vendor End Points table.
2. On the right side of the modify screen, click the “Refresh Public Key” button.  This will populate several public keys in that table.
3. On the left side of the modify page, you will find the “Redirect URL for Employee Portal” and “Redirect URL for SchoolFi” values. Paste those to your notepad document. These will be used shortly to complete the Entra configuration.
4. You can now check off either the “Enabled for” Employee Portal or SchoolFi at the top (where appropriate) and there is also an option to show a "Sign in with Entra" button on the logon screen. Click "Save" once you have completed this setup.

Complete Entra ID Configuration

1. Configure Authentication
2. In the left navigation of the app registration, choose Authentication.
3. On the Authentication page, click the + Add a Platform button
4. On the “Configure platforms” box that appears, choose “Web".

1. Add the Redirect URI for Staff first.
2. This is a value you copied from SchoolFi in Step C above (Screenshot #7, red box).
3. Paste this value into the Redirect URI in the app registration in Entra.
4. Then click the Configure button.

1. You should now see your Web Redirect URI in the platform configuration section of the Authentication tab.
2. Repeat this step to add the Portal redirect URI from Step C above (Screenshot #7, red box) 
3. You should now have an entry for both SchoolFi and Empoloyee Portal.

Grant Admin Consent

1. In the left navigation of the app registration, choose API Permissions.
2. On the API permissions page, click the “Grant admin consent for [your organization]” button under Configured permissions.
3. Click Yes to confirm.

You should now have completed the SSO connection between SchoolFi and Microsoft Entra.

***Important Note: Client IDs on the Azure side are set to a default value expiration date of 6 Months. Please be aware or increase the default value to not lock out your users in 6 Months from creation of Client ID.***