Set up single sign-on for FacilityOS in Microsoft Entra ID

You can set up FacilityOS with Microsoft Entra ID through an IdP-initiated sign-in, which allows users to access FacilityOS through My Apps.

Before you start

Make sure the following prerequisites are met:

  • A Microsoft Entra user account with an active subscription. If you need to create an account, go to Microsoft Azure.
  • Your Microsoft Entra user account must have one of the following roles:
    • Application Administrator
    • Cloud Application Administrator
  • Make sure the email addresses of your users in FacilityOS match those in Microsoft Entra ID. Users will not be able to sign in if their email addresses are different.

Add FacilityOS as an application

Add FacilityOS as an application in Microsoft Entra ID to generate an App Federation Metadata URL. You will need to provide this URL to your customer success representative or to the FacilityOS support team so that you can Configure single sign-on.

  1. Sign in to the Microsoft Entra admin center.
  2. Under "Azure services", click Microsoft Entra ID.
    Screenshot showing the Microsoft Entra ID service highlighted.
  3. In the left sidebar, click Manage, then select Enterprise applications.
    Screenshot showing "Enterprise applications" highlighted.
  4. Click New application.
    Screenshot showing "New application" highlighted.
  5. Click Create your own application.
  6. In the "Create your own application" panel, enter any name for the app, such as "FacilityOS", then click Next.
  7. From the left sidebar, click Manage, then select Single sign-on.
    Screenshot showing "Single sign-on" highlighted.
  8. Click SAML.
  9. Scroll down to "SAML Certificates" and copy the App Federation Metadata URL. Send this URL to your customer success representative or the FacilityOS Support team, and let them know you would like to set up single sign-on (SSO) with Microsoft Entra ID. You will then receive a Reply URL that you can use to Configure single sign-on.

Configure single sign-on

After you receive the Reply URL, you can configure single sign-on in Microsoft Entra ID.

  1. Sign in to the Microsoft Entra admin center.
  2. Under "Azure services", click Microsoft Entra ID.
    Screenshot showing the Microsoft Entra ID service highlighted.
  3. In the left sidebar, click Manage, then select Enterprise applications.
    Screenshot showing "Enterprise applications" highlighted.
  4. Select the FacilityOS app created in Add FacilityOS as an application.
  5. In the left sidebar, click Manage, then select Single sign-on.
    Screenshot showing "Single sign-on" highlighted.
  6. In the "Basic SAML Configuration" section, click Edit.
    Screenshot showing the "Edit" option in Basic SAML Configuration.
  7. Click Add identifier, then enter: https://login.facilityos.com/saml2
  8. Click Add reply URL, enter the reply URL you received, and then click Save.

    Note:

    FacilityOS identifies users based on the Name ID claim. By default, this claim uses the username attribute, also known as the user principal name. If users need to be identified by a different attribute, edit your attributes and claims.

Edit attributes and claims

In the Microsoft Entra admin center, you can edit the attributes and claims for the FacilityOS app. To learn more about Attributes & Claims, see Customize SAML token claims.

  1. In the "Attributes & Claims" section, click Edit.
    Screenshot showing the "Edit" option in Attributes & Claims.
  2. Click Unique User Identifier (Name ID).
  3. In the "Choose name identifier format" section, complete the required fields to specify how users are identified. The following example identifies users by their email address:
    • Name identifier format: Email address
    • Source: Attribute
    • Source Attribute: user.mail
  4. Click Save.
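
The identifier, reply URL and Name ID settings above all end up as fields in the SAML assertion that Microsoft Entra ID issues. The following Python script is an added example, not part of the original article and not FacilityOS or Microsoft code: it reads a decoded assertion and reports which of those values do not line up. It checks configuration values only and does not verify the signature. The function name, the reply URL placeholder, the sample assertion and the exact-match email comparison are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://login.facilityos.com/saml2"     # identifier given in this article
REPLY_URL = "https://reply-url.example/placeholder"  # placeholder: the Reply URL you received
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample assertion for illustration (not real Entra output).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://reply-url.example/placeholder"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://login.facilityos.com/saml2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml_text, facilityos_emails, entity_id=ENTITY_ID, reply_url=REPLY_URL):
    """Return a list of configuration problems found in a decoded assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks identifier {entity_id}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        problems.append(f"Recipient {recipients} does not match the reply URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no Name ID in Subject")
        return problems
    # Expected format when following the email-address example in this article.
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"Name ID format is {name_id.get('Format')}, not email address")
    # Exact comparison (assumption): the article only says the addresses must match.
    if name_id.text.strip() not in facilityos_emails:
        problems.append(f"Name ID {name_id.text.strip()} has no matching FacilityOS user")
    return problems

if __name__ == "__main__":
    for p in check_assertion(SAMPLE, {"alice@contoso.example"}) or ["no problems found"]:
        print(p)
```

A Name ID that carries the user principal name while FacilityOS holds a different email address shows up here as the "no matching FacilityOS user" problem, which is the case the Name ID source attribute setting is meant to resolve.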

Manage access for users or groups

The FacilityOS app is available to everyone in your tenant by default. To limit access, assign specific users or groups to the app, then restrict the app so that only those assigned can access it.

Assign users or groups to the FacilityOS app

  1. Sign in to the Microsoft Entra admin center.
  2. Under "Azure services", click Microsoft Entra ID.
    Screenshot showing the Microsoft Entra ID service highlighted.
  3. In the left sidebar, click Manage, then select Enterprise applications.
    Screenshot showing "Enterprise applications" highlighted.
  4. Select the FacilityOS app.
  5. In the left sidebar, click Users and groups.
  6. Click Add user/group.
  7. On the "Add Assignment" panel, under "Users and groups", click None Selected.
  8. Search for and select the users or groups that you want to assign to the FacilityOS app.
  9. Click Select, then click Assign.

Restrict access to the FacilityOS app

After assigning users or groups to the FacilityOS app, you can restrict access to it so that only assigned users or groups have access.

  1. Sign in to the Microsoft Entra admin center.
  2. Under "Azure services", click Microsoft Entra ID.
    Screenshot showing the Microsoft Entra ID service highlighted.
  3. In the left sidebar, click Manage, then select Enterprise applications.
    Screenshot showing "Enterprise applications" highlighted.
  4. Select the FacilityOS app.
  5. In the left sidebar, click Manage, then select Properties.
    Screenshot showing "Properties" highlighted.
  6. Set "Assignment Required?" to Yes, then click Save.