How To: Set up your EntraID Integration with Dispel

This article provides a walkthrough for how to integrate your organization's Microsoft EntraID authentication method for logging in to Dispel.

Written by Clay Hard
Updated this week

1. Configure Your Microsoft EntraID

  • Sign into Microsoft: Select Sign in with Microsoft on the Dispel Dashboard https://dashboard.dispel.io/login.

    • This will redirect you to log into your admin account on Microsoft.

  • Enable Dispel to Access Your SSO Accounts: After logging into your admin account in Microsoft, you will be prompted to enable SSO for your organization on the Dispel platform. Check Consent on behalf of your organization and hit Accept.

    • Note: This configures your Dispel Dashboard to use Dispel's Registered App for SSO with Azure's Entra ID. Only invited users can create Dispel accounts, regardless of EntraID membership. Once created, users authenticate via their Microsoft account.

  • OIDC Integration Set up: The above form of SSO checks against the user’s O365 account. If desired, Dispel can also provide a standard OIDC integration with your organization’s specific EntraID. This would limit allowed SSO users to only those with a login connected to your organization’s EntraID.

    • Register New App: On Azure, search for the App Registrations service. Click on + New Registration.

    • Configure the EntraID API Functionality: Select your new Dispel App and navigate to the Authentication page.

      • Add the login-callback and app-launcher URIs

        https://dashboard.dispel.io/client-app-launcher/oktaauth.dispel.io

        https://dashboard.dispel.io/oauth/login-callback
      • Add the Front-channel logout URL

        https://dispellogout/
      • Check Access Tokens and ID Tokens.

      • Check Accounts in this organization directory only.

      • Save the settings

    • Add API Permissions: Select API Permissions for the Dispel App and enable these OpenID Permissions: email, openid, and profile. Note that offline_access is no longer needed.

    • Add Token Configurations: Select Token Configurations and allow email in the ID token type to address the user by email.

    • In Expose an API, create a new scope.
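
To confirm the registration matches the Authentication and Token Configuration settings listed above, the following added example (not Dispel's or Microsoft's code) audits the JSON application object, for instance as returned by `az ad app show --id <client-id>`. It assumes the URIs are registered under the Web platform and that the app is used only for Dispel; the function name and the sample object are constructed for illustration.

```python
import json

# Settings copied from section 1 of this article.
REQUIRED_REDIRECTS = {
    "https://dashboard.dispel.io/client-app-launcher/oktaauth.dispel.io",
    "https://dashboard.dispel.io/oauth/login-callback",
}
LOGOUT_URL = "https://dispellogout/"

def audit_app_registration(app):
    """Return findings for one app object; an empty list means it matches."""
    findings = []
    web = app.get("web") or {}
    redirects = set(web.get("redirectUris") or [])
    findings += [f"missing redirect URI: {u}" for u in sorted(REQUIRED_REDIRECTS - redirects)]
    # Assumption: the app is used only for Dispel, so any other URI is flagged.
    findings += [f"unexpected redirect URI: {u}" for u in sorted(redirects - REQUIRED_REDIRECTS)]
    if web.get("logoutUrl") != LOGOUT_URL:
        findings.append("front-channel logout URL differs from " + LOGOUT_URL)
    grants = web.get("implicitGrantSettings") or {}
    for flag, label in (("enableAccessTokenIssuance", "Access Tokens"),
                        ("enableIdTokenIssuance", "ID Tokens")):
        if not grants.get(flag):
            findings.append(label + " is not checked")
    # "Accounts in this organization directory only" is stored as AzureADMyOrg.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, not single-tenant")
    id_claims = (app.get("optionalClaims") or {}).get("idToken") or []
    if not any(c.get("name") == "email" for c in id_claims):
        findings.append("email claim is not configured for the ID token")
    return findings

# Constructed sample (not real tenant data): multi-tenant audience, a leftover
# localhost redirect, and no email claim in the ID token.
SAMPLE = json.loads("""
{
  "signInAudience": "AzureADMultipleOrgs",
  "web": {
    "redirectUris": ["https://dashboard.dispel.io/oauth/login-callback",
                     "http://localhost:8080/callback"],
    "logoutUrl": "https://dispellogout/",
    "implicitGrantSettings": {"enableAccessTokenIssuance": true,
                              "enableIdTokenIssuance": true}
  },
  "optionalClaims": null
}
""")

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE):
        print(finding)
```

The check does not cover the API Permissions step, which is stored as permission GUIDs rather than scope names.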

2. Configure the Integration on Dispel's Dashboard

  • Log into the Dispel Dashboard as an organization admin, and navigate to Settings > Authentication. The Okta setup here refers to all OIDC integrations.

    • Client Secret: generated in Azure app registration page

    • Client ID: generated in Azure app registration page

    • URL: This is the Authority URL in the Endpoints sub-tab of the Overview section of the Dispel App in your Azure Instance.

    • Organization Identifier: The identifier (for example, <Organization-Name>EntraID) that individuals use when logging in via “Okta” on the Login Page.

3. Test an SSO Sign-In

  • Have another user in your organization’s Azure AD attempt to sign in with Okta on the Dispel Dashboard to verify success.

    • Note: The identifier entered at sign-in is the Organization Identifier we set in the Dispel Dashboard settings earlier.

4. Enforce SSO for your Organization

Enforceable SSO prevents users from gaining access to the platform by any means other than your organization’s approved Single Sign-On mechanism.

  • While logged into an Organization Admin account, select the Settings > Security tabs.

  • To enforce SSO, check the Single Sign-On box in the security settings. This will require all of your organization’s users to sign in via their own Microsoft EntraID account. Note that setting up your SSO as an admin is a prerequisite for enforcing this authentication method.

  • To test the enforcement of SSO, return to the Dispel Dashboard Login page (https://dashboard.dispel.io/login) and attempt to log in with your Dispel credentials. You should receive a generic login error, because i) your account is now configured to authenticate with SSO, and ii) you do not want intruders to know what the next step would be for a login attempt.
