
Microsoft Entra ID Enterprise App

Use the Microsoft Entra ID Enterprise App to integrate Microsoft Entra ID with STACKIT IdP. This is the recommended path for most Microsoft Entra ID customers because it reduces manual setup compared with custom integrations.

Use this option if:

  • You use Microsoft Entra ID and want the simplest setup path.
  • You want to steer customers to a standard integration path.
  • The STACKIT Enterprise App is available to your tenant in Azure App Gallery.

Before you begin, make sure that you have:

  • An active STACKIT customer account.
  • Administrative access to your Microsoft Entra ID tenant.
  • Decided whether you need federation (SAML), provisioning (SCIM), or both.

The Enterprise App supports three configurations:

  • Recommended: SAML + SCIM. Complete Common setup, then Configure federation (SAML), then Configure provisioning (SCIM) in that order.
  • SAML only. Complete Common setup and Configure federation (SAML), then stop.
  • SCIM only. Complete Common setup and Configure provisioning (SCIM), skipping the federation section.

Common setup

For all paths, start with this common setup:

  • Add the STACKIT Enterprise App from Azure App Gallery.

Configure federation (SAML)

Complete this section if you want to use Microsoft Entra ID for sign-in. Required for the SAML + SCIM and SAML only paths.

  1. Go to Single sign-on and select the SAML option.

  2. Click Edit inside Basic SAML Configuration and enter a temporary placeholder URL in the Identifier (Entity ID) field. This is needed because the federation metadata, including the final certificates, can only be downloaded once a Basic SAML Configuration has been saved; the placeholder is replaced by the real Identifier when you upload the STACKIT metadata file in step 5. Use any URL matching the pattern https://accounts.stackit.cloud/idps/*, for example https://accounts.stackit.cloud/idps/dummy. Include the Sign on URL if your tenant requires it, leave the Reply URL as https://portal.stackit.cloud, and click Save.

  3. Copy the value of the App Federation Metadata Url field. STACKIT uses this URL to retrieve the information needed to configure the federation: your tenant's entity ID, its sign-on endpoints and the certificate it signs assertions with.

  4. Open a support ticket with the following information:

    • Federation type: Microsoft Entra ID Enterprise App
    • Metadata URL: The URL you copied in step 3
    • Email domains: All primary and secondary email domains your employees use with Entra ID, for example @example.org and @foobar.com

    If you also plan to enable SCIM provisioning, request the SCIM Client ID and Client Secret in the same ticket.

  5. Once you receive the STACKIT metadata URL, download the metadata file and upload it in Entra ID by clicking Upload metadata file and selecting your file. After the upload, check that Identifier (Entity ID) and Reply URL in Basic SAML Configuration now show the values from the STACKIT metadata instead of the placeholder from step 2, then save.

  6. Confirm to STACKIT Support that you have uploaded the metadata file. STACKIT will then enable the federation for your domain, which enforces that all users with email addresses in the configured domains authenticate using Microsoft Entra ID. Before confirming, make sure every employee who needs access has an Entra ID account with an email address in one of those domains, because other ways of signing in stop working for those addresses once federation is enforced.

If you only need federation, you can stop here.

Configure provisioning (SCIM)

Complete this section if you want Microsoft Entra ID to provision users and groups automatically. Required for the SAML + SCIM and SCIM only paths.

  1. Go to Provisioning.

  2. Click Connect your Application.

  3. Enter the following values and click Test Connection. If the test passes, click Save.

    • Tenant URL: https://accounts.stackit.cloud/scim/v2
    • OAuth token endpoint: https://accounts.stackit.cloud/oauth/v2/token
    • Client identifier: Client ID provided by STACKIT Support
    • Client secret: Client secret provided by STACKIT Support

    Treat the client secret as a credential: enter it only in this provisioning configuration, do not keep a copy in the support ticket or in shared documents, and ask STACKIT Support for a new one if it is ever exposed.

  4. Click Start provisioning to enable automatic synchronization. Microsoft Entra ID will keep users and groups in STACKIT IdP up to date from this point on.

After the relevant sections are configured, your users can log in to STACKIT services using their Microsoft Entra ID credentials.

You can control which users and groups are synchronized to STACKIT IdP by using Microsoft Entra ID’s group-based assignment features. Assign only the users or groups that should access STACKIT to the Enterprise App to limit the provisioning and login scope. Assignment only limits sign-in if the Enterprise App's Assignment required property is set to Yes; without it, any user in the tenant can authenticate through the federation. Likewise, provisioning only respects assignments when the provisioning Scope is set to sync assigned users and groups rather than all users and groups. Check both settings rather than relying on assignments alone.

Use these guides only if you can’t use the Enterprise App or have requirements it doesn’t cover: