Skip to main content
LeaseWizard Docs
AuthenticationEnterprise SSO

Microsoft Entra ID setup

Step-by-step Entra ID app registration, client secret, and token permissions for LeaseWizard SSO.

Your IT team does steps 1–3 on your Entra tenant. LeaseWizard does steps 4–5 on our side after you share the values.

1. Register an application in Entra ID

In the Azure portal: Entra ID → App registrations → New registration.

FieldValue
NameLeaseWizard SSO (or similar — visible in admin consent dialogs)
Supported account typesAccounts in this organizational directory only (Single tenant)
Redirect URI (platform: Web)https://auth.leasewizard.ai/accounts/oidc/<provider_id>/login/callback/ — LeaseWizard will email you the exact <provider_id> for your connection. Do not guess it.
Front-channel logout URL(optional, leave blank)

2. Create a client secret

Certificates & secrets → New client secret.

  • Copy the secret Value immediately (it is only shown once).
  • Send the secret to LeaseWizard through your agreed secure channel (see Handing over secrets). Do not email it in cleartext.

3. Configure token / API permissions

API permissions → Microsoft Graph → Delegated permissions:

  • openid
  • profile
  • email
  • offline_access (optional; only needed if we ever request refresh tokens from Entra — not required for login today)

Grant admin consent for your tenant.

Token configuration (optional but recommended):

Add the following optional claims to the ID token if they are not already present:

  • email
  • family_name
  • given_name
  • preferred_username

LeaseWizard reads identity from the ID token's standard claims:

LeaseWizard fieldOIDC claimDefault claim name
Subject / external IDsubsub
Emailemailemail
Email-verified flagemail_verifiedemail_verified
First namegiven_namegiven_name
Last namefamily_namefamily_name

Non-standard claim names (e.g. if your tenant uses a custom email claim) can be configured on LeaseWizard's side — tell us which claim to use.

4. Information you send to LeaseWizard

Please provide:

  1. Tenant ID (GUID) — e.g. 11111111-2222-3333-4444-555555555555
  2. Issuer URLhttps://login.microsoftonline.com/<tenant-id>/v2.0
  3. Discovery URL (for verification) — https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
  4. Application (client) ID — GUID from the app registration
  5. Client secret value — via the secure channel in Handing over secrets.
  6. Email domains your users will sign in with (e.g. acme.com, acme.co.uk). These will be verified (see Domain verification).
  7. Default LeaseWizard role to assign if JIT provisioning is enabled (typically Member or Viewer).
  8. JIT provisioning ON or OFF? See User provisioning.

5. What LeaseWizard does on our side

We will:

  1. Create an SSO connection record for your organization (protocol: OIDC, status: pending).
  2. Encrypt your client secret at rest using authenticated symmetric encryption; the encryption key is held in our managed secrets store and is not accessible to application code at rest.
  3. Generate an immutable per-connection identifier and send you the exact redirect URI to register in step 1.
  4. Verify your email domain(s) (see Domain verification).
  5. Flip the connection to active after a successful end-to-end test login.
  6. Send you the SSO login URL: https://app.leasewizard.ai/login — your users click "Sign in with SSO" and enter their email; we route them to your IdP automatically based on verified domain.

Typical turnaround once we have all values: 1 business day.

Enterprise SSO (OIDC)

Architecture and supported providers for per-organization enterprise SSO against your own IdP.

Handing over secrets

Secure channels for sharing the OIDC client secret with LeaseWizard.

On this page

1. Register an application in Entra ID2. Create a client secret3. Configure token / API permissions4. Information you send to LeaseWizard5. What LeaseWizard does on our side
Microsoft Entra ID setup | LeaseWizard