SSO Setup for Microsoft Entra / Azure AD

This article provides instructions on configuring GAS SSO with Microsoft Entra / Azure AD. The instructions are broken down into three main steps:

1. Create a new app registration for Grand Avenue in Entra / Azure AD

2. Configure the necessary settings for the Grand Avenue registration in Entra / Azure AD

3. Enable and configure SSO in Grand Avenue

After enabling SSO in Grand Avenue, you can use the Administrative Update of Authentication Information for User to update the authentication method for multiple users at once. This update is available from Manage Users → Administrative Update of Authentication Information for Users.

 Instructions

1. First register your Grand Avenue instance in Entra / Azure AD and authorize it for the operations it needs for SSO.

   1. Under App registrations select the New registration option

      Open

      

       

   2. Complete the fields to register Grand Avenue

      Open

      

       

      The redirect URI for a Grand Avenue instance can be found at Configure Authentication Management → Configure Single Sign On

      
      You should register the Redirect URIs for all Grand Avenue instances with users that will need to authenticate against your SSO provider. For hosted Grand Avenue customers, this will include each of your sites:

      1. Production - https://<customername>/GrandAvenue/Authentication/authorization-code/callback

      2. Training - https://<customername>/Training/Authentication/authorization-code/callback

      3. Upgrade - https://<customername>/Upgrade/Authentication/authorization-code/callback

      4. Evaluation - https://eval.grandavenue.com/<customername>/Authentication/authorization-code/callback

2. Configure the necessary settings for the Grand Avenue registration in Azure AD

   1. Under Authentication endure both “Access tokens” and “ID tokens” are selected.

       

   2. Under Token Configuration, select Add optional claim and add the following:

       

      When prompted, check the box to “Turn on the Microsoft Graph email permission” and click Add

       

   3. Under API permissions, select Add a permission and set up as identified below:

   4. Under API permissions select Grant admin consent for Grand Avenue Software and select “Yes” to confirm

       

3. Add information to Grand Avenue. Navigate to the “Configure Single Sign On” via Configure Authentication Management → Configure Single Sign On

   1. Change the Single Sign On Enabled? dropdown to “Yes”

   2. Complete the required fields and click Save.

      1. The Provider Name entered here will be displayed to users on the Sign In page as "Sign in with <provider name>" (e.g., "Sign in with Microsoft Entra" or "Sign in with Azure AD")

      2. The other fields must be populated with information from the Grand Avenue registration you created above.