With deskbird, you can integrate Single Sign-On (SSO) using Microsoft Entra ID (formerly Azure AD). This ensures secure authentication and convenient access across your organization.
- Set up SSO with Entra ID
- Manual OIDC setup (no Enterprise Application required)
- Restrict permissions via Application Assignment
1. Set up SSO with Entra ID
To activate SSO, an IT administrator must install the Microsoft Entra ID Enterprise Application and grant the required permissions.
👉 Click here to install and grant access:
https://login.microsoftonline.com/common/adminConsent?client_id=60e10e49-86e8-4755-ac34-2804c82237c6&redirect_uri=https://www.deskbird.com/single-sign-on-via-azure-ad
The required permissions are:
- User.Read: Allows users to sign in to deskbird and allows deskbird to read the profiles of signed-in users. Note: deskbird has no access to the profile data of users who have never signed in.
- Group.Read.All: Allows deskbird to read all user groups. This is used, for instance, to import user groups in the admin portal or to sync groups when users sign in.
There are additional standard permissions that are automatically added and don't require admin consent.
- offline_access: Allows deskbird to use refresh tokens to retrieve data via the Microsoft Graph API.
- email, openid, and profile: Automatically added permissions that grant deskbird similar permissions as User.Read but with less profile information.
The permission type is delegated, meaning that deskbird accesses the Graph API as the signed-in user but with access limited by the selected permission.
💡 Note: User profile pictures are automatically synced during the first SSO authentication, if available.
💡 If SSO is configured as the only login method for your organisation, this restriction applies to internal users only. External users (e.g. contractors) can still be added to deskbird and can use email and password to log in, as they fall outside your identity provider's scope.
2. Manual OIDC setup (no Enterprise Application required)
If your organization cannot install the deskbird Enterprise Application from the Microsoft app gallery, you can set up SSO by creating your own App Registration in Entra ID and sharing the credentials with deskbird. The integration is then configured by the deskbird support team.
Step 1: Create the App Registration
- Go to Azure Portal > Microsoft Entra ID > App registrations > New registration.
- Enter a name, for example
deskbird SSO. - Under Supported account types, select Accounts in this organizational directory only (single tenant).
- Under Redirect URI, select the platform Web and enter:
https://api.deskbird.app/v2/auth/oAuthRedirectHandler. - Click Register.
⚠️ Note: Make sure the Redirect URI matches exactly the one above. A mismatch (or a missing entry) will cause an AADSTS50011 error when a user tries to sign in.
Step 2: Note the IDs
- From the app's Overview page, copy the Application (client) ID and the Directory (tenant) ID.
Step 3: Create a Client Secret
- Go to Certificates & secrets > Client secrets > New client secret.
- Enter a description, for example
deskbird production, and choose an expiry duration. - Click Add and copy the Value immediately — it will not be shown again.
Step 4: Configure API permissions
- Go to API permissions > Add a permission > Microsoft Graph > Delegated permissions.
- Add the following permissions:
openid,profile,email,User.Read. - Click Grant admin consent for [Organization].
Step 5: Share credentials with deskbird
Contact deskbird support and provide the following three values:
- Directory (tenant) ID
- Application (client) ID
- Client Secret value
The deskbird support team will complete the configuration on your behalf.
⚠️ Note: The Client Secret value is sensitive. Share it securely and avoid sending it over unencrypted channels.
3. Restrict permissions via Application Assignment
You can restrict which users or groups are allowed to access deskbird using SSO.
- In the Entra admin center, open the deskbird Enterprise App.
- Under Properties, set Assignment required to "Yes".
- Add specific users or groups under Users and groups.
⚠️ This restricts sign-in access, but does not provision users. For automated provisioning, a separate SCIM configuration is required.
⚠️ AADSTS50105 error: This error occurs when someone tries to sign in but isn't assigned to a group that's allowed access. Ask your internal IT team to add the user to the correct access group (or update their permissions), then try again.