Administrator guide: setting up SSO (Microsoft) + SharePoint
This page is for IT administrators at a customer organization. End users do not need these steps — for them, see Sign-in & product selection and SharePoint.
Goal: connect Microsoft Entra ID (formerly Azure AD) to Prudai so that:
- users can sign in with their Microsoft account via SSO, and
- projects can import and sync documents from SharePoint.
Both integrations share a single Entra app registration and a single Keycloak Identity Provider. You only configure this once.
Step 1 — App registration in Microsoft Entra ID
Section titled “Step 1 — App registration in Microsoft Entra ID”In the Entra portal (entra.microsoft.com):
- App registrations → New registration
- Name: e.g.
Prudai Platform. - Supported account types: Single tenant (recommended), unless you want to allow multiple tenants.
- Redirect URI (Web):
https://login.prudai.com/realms/<realm>/broker/microsoft/endpointReplace<realm>with your organization’s Keycloak realm. Prudai provides this value.
- Name: e.g.
- After registration, note:
- Application (client) ID
- Directory (tenant) ID
- Certificates & secrets → New client secret
- Set an expiry (max. 24 months) and record the secret value immediately — it cannot be read again later.
API permissions
Section titled “API permissions”Under API permissions → Add a permission → Microsoft Graph → Delegated permissions:
| Scope | Used for |
|---|---|
openid, profile, email, offline_access | SSO login |
User.Read | Profile lookup on first login |
Sites.Read.All | Reading SharePoint sites |
Files.Read.All | Importing files |
Then click Grant admin consent for <tenant>. Without admin consent, every user hits a consent screen or is denied on first login.
Do not grant any
*.Write.*scopes. Prudai never writes back to SharePoint.
Step 2 — Share the details with Prudai
Section titled “Step 2 — Share the details with Prudai”Send the following via a secure channel (e.g. a Prudai support ticket with an attachment, or your account manager):
- Tenant ID
- Client ID
- Client secret
- Email domain(s) of users who should get access (e.g.
@customer.com) - Optional: a list of allowed SharePoint sites if you want to narrow the scope
Based on this, Prudai configures:
- the Microsoft Identity Provider in Keycloak (alias:
microsoft) in your organization’s realm, - token mappers for email, name and (optionally) group membership,
- the SharePoint integration flags for your organization (enabled, configured),
- optionally a per-client IdP filter, so a specific app only accepts Microsoft login and users do not accidentally land on a different login path.
You’ll get a confirmation once the link is in place.
Step 3 — Activate SharePoint per organization
Section titled “Step 3 — Activate SharePoint per organization”Once the backend link is in place, the SharePoint integration still needs to be made connected on your side:
- Sign in as OWNER or ADMIN of the organization.
- Go to Settings → Integrations → SharePoint.
- Click Connect with Microsoft and complete the consent flow with an account that has read access to the SharePoint sites.
All three status flags must now be green:
- enabled — Prudai has turned SharePoint on for this org.
- configured — client-id/secret are present and valid.
- connected — OAuth refresh token stored successfully.
If this fails, see Troubleshooting below.
Step 4 — Verification
Section titled “Step 4 — Verification”After setup, run at least these two checks:
SSO login
- Open your organization’s webapp URL (default:
https://app.prudai.com, or the tenant-specific URL Prudai gave you) in an incognito window. - Choose Login with Microsoft.
- Confirm your name appears in the user menu in the top-right corner.
SharePoint import
- Create a test project via Import from SharePoint.
- Pick a small site or a single top-level folder.
- Wait for the import job to finish and open one of the imported documents.
Both work → done.
Troubleshooting
Section titled “Troubleshooting”| Symptom | Cause | Fix |
|---|---|---|
| ”AADSTS50011: redirect URI mismatch” | Redirect URI in Entra does not exactly match the Keycloak broker endpoint | Copy the URI exactly from step 1, including the realm name. No trailing slash. |
| ”Consent required” on every login | Admin consent missing | In Entra go to API permissions and click Grant admin consent. |
| SharePoint button stuck on “Not connected” | OAuth refresh token missing or expired (e.g. after secret rotation) | Repeat step 3 (reconnect via Settings). |
Permission denied on a specific site | The connecting account has no rights on that site | Grant SharePoint read access or reconnect with an account that already has it. |
| SSO works, but user gets no product access | Email domain is not on the org’s allow-list, or entitlements are missing | Forward the domain to Prudai support; see Sign-in & product selection. |
| Client secret expired | Secret reached its end-date | Create a new secret in Entra, send it to Prudai, then repeat step 3. |
Maintenance
Section titled “Maintenance”- Client secret: note the expiry in your own calendar. Rotate well before expiry; an expired secret breaks both SSO and SharePoint sync.
- Adding scopes: any extra Graph scope requires admin consent again.
- Offboarding a user: disabling them in Entra is enough. Revoking
offline_accessalso stops SharePoint sync for that user.
More general background: Privacy & security · Troubleshooting & support.