Set Up SSO with Microsoft Entra ID
    • 25 Jul 2025

    Enhance your organization's security and streamline user access by enabling single sign-on (SSO) with Microsoft Entra ID. This article walks you through the complete setup process, in which you configure settings in both Entra ID and Red Canary. If you have questions or are new to SSO, see our Overview of Single Sign-On.

    1 Red Canary | Configure SSO Settings

    1. Navigate to Red Canary, then click your user profile in the top right corner.

    2. Click Single Sign-On.

    3. Enable the following settings:

      • This SSO configuration should be active
        This setting activates the SSO setup once you complete the configuration and click Save at the bottom.

      • Automatically create a Red Canary user the first time a user is authenticated
        This setting automatically provisions a Red Canary account when a new user logs in with SSO. As an optional configuration, you can assign default roles to new users. Select one of the following roles to apply automatically:

        • Admin

        • Workflow User

        • Analyst

        • Analyst Viewer

        • Applications Manager

        • EDR User

        • Responder

        For a full description of each role's permissions, see Understand and Assign Roles.

        To reset a user's permissions to the selected default every time they sign in, check the Grant these roles on EVERY sign in box. This will override any manual role changes made previously. This is useful for enforcing a "least privilege" baseline, where you can manually grant temporary high-level access that will be automatically revoked on the next login.

    You’ll finish configuring these settings in a later step.

    2 Microsoft Entra ID | Create a Red Canary App

    1. Log in to your Microsoft Entra ID admin center.

    2. Go to Entra ID > Enterprise apps.

    3. Click + New Application > + Create your own application.

    4. In the What's the name of your app? field, enter “Red Canary”.

    5. Select the Integrate any other application you don't find in the gallery (Non-gallery) option and click Create.

    6. Go to All applications and click the newly created Red Canary app.

    7. In the left-hand menu, click Single sign-on and select the SAML method.

    3 Microsoft Entra ID / Red Canary | Configure SSO Properties

    1. In the Basic SAML Configuration section, click Edit.

    2. Click Add Identifier.

    3. Return to the Red Canary SSO settings page, then copy the URL from the Entity / Issuer field and paste it into the Entra Identifier field.

    4. In the Entra Reply URL field, enter the following URL, replacing mysubdomain with your actual subdomain: https://mysubdomain.my.redcanary.co/saml_sp/consume

    5. On the Entra SSO settings page, click Save and close out of the SAML configuration popover.

    6. In the Attributes & Claims section, make sure the fields look like this:

      • Email: user.mail

      • LastName: user.surname

      • FirstName: user.givenname

      • Unique User Identifier: user.userprincipalname

        NOTE

        The Email address and Unique User Identifier claims must be mapped to the same Entra ID attribute that contains the user's email address. To ensure the correct attribute is used:

        1. In your Entra SSO settings, navigate to Users and groups.

        2. Select any user.

        3. In the Properties tab, identify the attribute that contains their email address.

        4. Go to the Attributes & Claims section of your SSO setup and confirm that both the Email address and Unique User Identifier claims are sourced from that same attribute (e.g., user.userprincipalname or user.mail).

    7. In the SAML Certificates section, click Download next to Certificate (Base64).

    8. Open the downloaded certificate in a text editor and copy it.

    9. On the Red Canary SSO settings page, paste the downloaded certificate into the Identity Provider X509 Cert field.

    10. On the Microsoft Entra SSO settings page, scroll down to the Set up Red Canary section, where you’ll copy each field and paste it into the Red Canary SSO settings page:

      • Copy Login URL and paste it into the Identity Provider SSO Target URL field

      • Copy Microsoft Entra Identifier and paste it into the Identity Provider Entity ID field

      • Copy Logout URL and paste it into the Identity Provider SLO Target URL field

    11. On the Red Canary SSO settings page, in the Email Attribute field, type “email”.

    12. Click Save.

    13. Return to the Entra SSO settings page and click Test this application.
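
    After the test login, you can check the claim mapping from step 6 and the Reply URL from step 4 against the response Entra actually sent. The script below is an added example, not Red Canary or Microsoft code: it assumes you have the base64-decoded SAMLResponse XML from a test login, that the claims arrive with the names email, FirstName and LastName (adjust the parameters if your response names them differently), and it compares addresses case-insensitively. It checks the mapping only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REPLY_URL = "https://mysubdomain.my.redcanary.co/saml_sp/consume"  # from step 4

# Constructed sample (not real output): Email sourced from user.mail while the
# Unique User Identifier comes from a UPN that differs, and LastName is absent.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://mysubdomain.my.redcanary.co/saml_sp/consume">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, reply_url=REPLY_URL, email_attr="email",
                   required=("FirstName", "LastName")):
    """Return a list of findings; an empty list means the mapping is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    dest = root.get("Destination")
    if dest != reply_url:
        findings.append(f"Destination {dest!r} does not match Reply URL {reply_url!r}")
    # NameID carries the Unique User Identifier claim.
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", "", NS) or ""
        attrs[attr.get("Name")] = value.strip()
    email = attrs.get(email_attr)
    if email is None:
        findings.append(f"attribute {email_attr!r} is missing")
    elif email.lower() != name_id.lower():
        findings.append(f"NameID {name_id!r} differs from {email_attr} {email!r}")
    for name in required:
        if not attrs.get(name):
            findings.append(f"attribute {name!r} is missing or empty")
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE):
        print("FINDING:", finding)
```
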

    4 Red Canary | Require SSO for User Login

    Once you’ve successfully tested your setup, go to the Red Canary SSO settings page and check the box Disable user / password login and require login via Single Sign On. This requires every user to log in through SSO. Make sure to click Save to apply the change.

