Microsoft Entra Single-Sign-On (formerly Azure)

Important Note: Client IDs on the Azure side are set to a default value expiration date of 6 Months. Please be aware or increase the default value to not lock out your users in 6 Months from creation of Client ID.

Configure SchoolFi for Single-Sign-On with Microsoft Entra (formerly Azure)

1. Before you begin, it is recommended you set up a notepad (or other text editor) document.  You will need to copy and paste several values from the Entra Admin center to then be used later in your SchoolFi configuration.

Configure the Entra App Registration

1. Open the Microsoft Entry admin center and navigate to Applications à App registrations in the navigation bar.
   
   This link should take you directly to this page:
   https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

1. Click the New Registration button at the top.

1. On the Register an application page, complete the following:

1. Name (a friendly name for the application, e.g., “SchoolFi”)
2. Select a supported account type (likely single-tenant for most configurations)

Then click the Register button at the bottom. 

1. If the application was registered, you should see a confirmation message appear at the top right of the screen.  If it does not redirect you directly to the new app registration page, follow these steps to access your new registration.

1. Next, find your application to continue configuring it. Navigate again to Applications à App registrations.

1. Click All applications above the search box.

1. Search for the name of your newly created application in the search box and press enter to locate it.

1. Click on the App registration’s name in the search results to edit it.  Your app registration page should open. 

1. There are two important values you need to obtain from the main app registration (overview) page. You will need to record (copy) the “Application (client) ID” and “Directory (tenant) ID” values from this screen. (highlighted in the screenshot below) These will be used later to configure the SchoolFi side of the authentication.
   
   Recommended: copy/paste into notepad or another text editor to avoid any weird characters from here.  These values are critical to the configuration.

1. Configure Certificates & secrets
   1. In the left navigation of the app registration, choose Certificates & secrets.  Click the + New client secret button.

1. Enter a description (e.g., “SchoolFi”)

1. Choose an expiration date or use the recommended 180 days.
2. Click the Add button.
3. You should now see your Client secret value and Secret ID on the “certificates and secrets page.”

1. Copy the Value from this secret – this will be needed for the SchoolFi side of the configuration.

Configure the SSO Provider in SchoolFi

1. Navigate to: System à Security à Single Sign-On/MFA

1. Click Add Provider and enter:

1. Code (e.g., “ENTRA”)
2. Provider: “Microsoft Entra ID (Azure AD)”
3. Description (e.g., “Microsoft Entra ID”)
4. Client Id: [Copied from Step 6 above]
5. Client Secret: [Copied from Step 7.f above]
6. Tenant Id: [Copied from Step 6 above]

1. Now that your SSO provider is configured, on its Modify screen, click the “Lookup OAuth fields from Discovery Document” button and the bottom left.
2. This will populate several values in the OIDC Single Sign On Vendor End Points table.
3. On the right side of the modify screen, click the “Refresh Public Key” button.  This will populate several public keys in that table.
4. On the left side of the modify page, copy the “Redirect URL for Employee Portal” and “Redirect URL for SchoolFi” values and paste to your notepad document.  These will be used shortly to complete the Entra configuration.
5. Check either the “Enabled for” Employee Portal or SchoolFi checkboxes at the top (as appropriate) and then click Save.

Complete Entra ID Configuration

1. Configure Authentication

1. In the left navigation of the app registration, choose Authentication.

1. On the Authentication page, click the + Add a Platform button.

1. On the “Configure platforms” box that appears, choose “Web.”
   1. Add the Redirect URI.
      1. This is a value you copied from SchoolFi in Step 13.
      2. Paste this value into the Redirect URI in the app registration in Entra.
2. Then click the Configure button.
3. You should now see your Web Redirect URI in the platform configuration section of the Authentication tab.
4. Repeat these steps to add BOTH redirect URLs from Step 13 (both for the Portal and for SchoolFi).

1. Grant Admin Consent

1. In the left navigation of the app registration, choose API Permissions.

1. On the API permissions page, click the “Grant admin consent for [your organization]” button under Configured permissions.

1. You will be asked to confirm.  Click Yes.