> ## Documentation Index > Fetch the complete documentation index at: https://wundergraphinc-brendan-add-sof-link.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Microsoft Entra > Setting up SSO with Microsoft Entra ### Steps to set Entra as an OIDC identity provider:- Log in to Microsoft Entra and navigate to the **Identity/Applications/Enterprise applications** view within Microsoft Entra. Microsoft Entra admin center with Enterprise Applications and New Application button

Microsoft Entra admin center with Enterprise Applications and New Application button

Click on **New application.** Once navigated to a new page, click on **Create your own application**. Microsoft Entra admin center showing Create Your Own Application option

Microsoft Entra admin center showing Create Your Own Application option

Provide a name to the application and select "**Register an application to integrate with Microsoft Entra ID (App you're developing)**" for the application purpose, then click on the **Create** button. Select who can use the application from the given options according to your needs and then click on **Register.** Now navigate to **Identity/Applications/App registrations.** In the **All applications tab,** select the application which we created. Microsoft Entra admin center listing registered apps “test” and “test2”

Microsoft Entra admin center listing registered apps “test” and “test2”

Copy the Application(Client) ID, then click on **Endpoints** and then copy the **OpenID Connect metadata document**(Discovery Endpoint). Endpoints section in Microsoft Entra highlighting OpenID Connect metadata document

Endpoints section in Microsoft Entra highlighting OpenID Connect metadata document

Navigate to **Certificates and Secrets.** Click on **New client secret,** give it a description and select the expiry according to your needs and then click on **Add**. Copy the **value(client secret)** and store it, as it won't be shown again. Microsoft Entra Certificates & secrets showing new client secret created on March 14, 2024

Microsoft Entra Certificates & secrets showing new client secret created on March 14, 2024

Navigate to the settings page on Cosmo. Organization settings showing name, slug, and status of AI, RBAC, and SCIM features

Give the connection a name, paste the **OpenID Connect metadata document** copied before, into the **Discovery Endpoint,** paste the **Client ID** and **Client secret** copied before into the **Client ID** and **Client Secret fields respectively,** and then click on **Connect.** Connecting OpenID Connect provider for specific organization in Cosmo Docs

Connecting OpenID Connect provider for specific organization in Cosmo Docs

Configure the mapping between the roles in Cosmo and the groups in Microsoft Entra. The field **Group in the provider** should be populated with the **Object ID of a group from Entra.** Once all the mappers are configured, click on **Save**. Every member in those groups would get the respective role configured. Group mapper configuration showing Cosmo role and provider group fields

Group mapper configuration showing Cosmo role and provider group fields

Microsoft Entra admin center showing two groups with object IDs listed

Copy the sign-in and sign-out redirect URIs displayed in the dialog. Steps to configure OIDC provider with sign-in and sign-out redirect URLs

Navigate back to the **App registrations** page, in the **All applications** tab select the app which we created. Click on **Add a redirect URI, and** now click on **Add a platform,** select **Web** and then paste the Sign-in and Sign-out redirect URIs in the **Redirect URIs** and **Front-channel logout URL **respectively**.** Azure AD registration page highlighting Add Redirect URI button

Azure AD registration page highlighting Add Redirect URI button

Select **ID tokens** and then click on **Configure.** Now navigate to **Token configuration**, and click on **Add groups claim.** Select **Security groups,** expand **ID,** select **Group ID** and click on **Add.** Microsoft Entra Token configuration showing Security groups claim with Group ID option

Microsoft Entra Token configuration showing Security groups claim with Group ID option

Navigate to **API Permissions**, and click on **Add a permission.** Microsoft Entra API permissions section for adding Microsoft Graph API access

Click on **Microsoft Graph,** and then on **Delegated permissions,** select **email, openid and profile** and then click on **Add permissions.** Now you can assign users/groups to the application, and only those users will be able to log into Cosmo using the URL provided on setting up the provider. Microsoft Entra Users and groups section showing Add user/group button

Microsoft Entra Users and groups section showing Add user/group button

Please make sure that the users added to the application have an email. Steps to add a user: Navigate to Users/All users, click on New User and then click on Create a new user. Microsoft Entra Users section highlighting Create new user option

Microsoft Entra Users section highlighting Create new user option

Provide the user principal name, the display name and then click on **Next**. Create new user dialog in Microsoft Entra with principal name and display fields

Create new user dialog in Microsoft Entra with principal name and display fields

Provide the first name(optional) and the last name(optional). Provide the email of the user(**Required**). Microsoft Entra Identity section for new user creation with name and email fields

Microsoft Entra Identity section for new user creation with name and email fields

Then click on **Next** and assign the user to the groups according to your needs.