1. Configure Your Microsoft EntraID
Sign into Microsoft: Select Sign in with Microsoft on the Dispel Dashboard https://dashboard.dispel.io/login. This will redirect you to log into your admin account on Microsoft.
Enable Dispel to Access Your SSO Accounts: After logging into your admin account in Microsoft, you will be prompted to enable SSO for your organization on the Dispel platform. Check Consent on behalf of your organization and hit Accept.
OIDC Integration Set up: The above form of SSO checks against the user’s O365 account. If desired, Dispel can also provide a standard OIDC integration with your organization’s specific EntraID. This would limit allowed SSO users to only those with a login connected to your organization’s EntraID.
Register New App: On Azure, search for the App Registrations service. Click on + New Registration.
Configure the EntraID API Functionality: Select your new Dispel App and navigate to the Authentication page.
Add the login-callback and app-launcher URIs:
https://dashboard.dispel.io/client-app-launcher/oktaauth.dispel.io
https://dashboard.dispel.io/oauth/login-callback
Add the Front-channel logout URL:
https://dispellogout/
Check Access Tokens and ID Tokens.
Check Accounts in this organization directory only.
Save the settings.
Add API Permissions: Select API Permissions for the Dispel App and enable these OpenID Permissions: email, openid, and profile. Note that offline_access is no longer needed.
Add Token Configurations: Select Token Configurations and allow email in the ID token type to address the user by email.
In Expose an API, create a new scope.
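The settings above can be checked after the fact with a short audit script. This is an added example, not Dispel or Microsoft tooling: it assumes the registration has been exported as JSON with `az ad app show --id <app-id>`, uses the Microsoft Graph application field names (signInAudience, web.redirectUris, web.logoutUrl, web.implicitGrantSettings, optionalClaims), and runs on a constructed sample.

```python
# Added example: audit an app registration against the settings in this guide.
# Input is assumed to be the JSON from `az ad app show --id <app-id>`.
EXPECTED_REDIRECTS = {
    "https://dashboard.dispel.io/client-app-launcher/oktaauth.dispel.io",
    "https://dashboard.dispel.io/oauth/login-callback",
}
EXPECTED_LOGOUT = "https://dispellogout/"


def audit_app(app: dict) -> list:
    """Return findings; an empty list means the registration matches the guide."""
    findings = []
    web = app.get("web") or {}
    # "Accounts in this organization directory only" maps to AzureADMyOrg.
    audience = app.get("signInAudience")
    if audience != "AzureADMyOrg":
        findings.append(f"signInAudience is {audience!r}, expected 'AzureADMyOrg'")
    uris = set(web.get("redirectUris") or [])
    for uri in sorted(EXPECTED_REDIRECTS - uris):
        findings.append(f"missing redirect URI: {uri}")
    # Every extra redirect URI is another place tokens can be delivered.
    for uri in sorted(uris - EXPECTED_REDIRECTS):
        findings.append(f"unexpected redirect URI: {uri}")
    if web.get("logoutUrl") != EXPECTED_LOGOUT:
        findings.append(f"front-channel logout URL is {web.get('logoutUrl')!r}")
    grant = web.get("implicitGrantSettings") or {}
    for flag in ("enableAccessTokenIssuance", "enableIdTokenIssuance"):
        if not grant.get(flag):
            findings.append(f"{flag} is not enabled")
    id_claims = (app.get("optionalClaims") or {}).get("idToken") or []
    if "email" not in {c.get("name") for c in id_claims}:
        findings.append("optional claim 'email' is missing from the ID token")
    return findings

# Constructed sample, not a real tenant: a registration that drifted from the guide.
SAMPLE = {
    "signInAudience": "AzureADMultipleOrgs",
    "web": {
        "redirectUris": sorted(EXPECTED_REDIRECTS) + ["https://localhost:8080/callback"],
        "logoutUrl": EXPECTED_LOGOUT,
        "implicitGrantSettings": {"enableAccessTokenIssuance": True,
                                  "enableIdTokenIssuance": False},
    },
    "optionalClaims": {"idToken": []},
}

if __name__ == "__main__":
    print("\n".join(audit_app(SAMPLE) or ["registration matches the guide"]))
```

Run it on a schedule or in review to catch drift such as an added redirect URI or a switch to a multi-tenant audience.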
2. Configure the Integration on Dispel's Dashboard
Log into the Dispel Dashboard as an organization admin, and navigate to Settings → Authentication. The Okta setup here refers to all OIDC integrations.
Client Secret: generated in the Azure app registration page
Client ID: generated in the Azure app registration page
URL: This is the Authority URL in the Endpoints sub-tab of the Overview section of the Dispel App in your Azure Instance.
Organization Identifier: (<Organization-Name>EntraID for example) for individuals to use when logging in via “Okta” on the Login Page.
3. Test an SSO Sign-In
Have another user in your organization’s Azure AD attempt to sign in with Okta on the Dispel Dashboard to verify success. The Organization Identifier used at sign-in is the one we set in the Dispel Dashboard settings earlier.
4. Enforce SSO for your Organization
Enforceable SSO prevents users from gaining access to the platform by any means other than your organization’s approved Single Sign-On mechanism.
While logged into an Organization Admin Account, select the Settings > Security tabs.
To enforce SSO, check the Single Sign-On box in the security settings. This will require all of your organization’s users to sign in via their own Microsoft EntraID account. Note that you must first set up your SSO as an admin before you can enforce this authentication method.
To test the enforcement of SSO, return to the Dispel Dashboard Login page https://dashboard.dispel.io/login and attempt to log in with your Dispel Credentials. You should receive a generic login error, because i) your account is now configured to authenticate with SSO, and ii) you do not want intruders to know what the next step would be for a login attempt.