Microsoft Entra ID SSO Setup Guide
This guide walks you through configuring Single Sign-On (SSO) for Junipa using Microsoft Entra ID (formerly Azure Active Directory).
Prerequisites
- Microsoft Entra ID admin access -- You need administrator privileges in your Microsoft Entra ID (Azure AD) tenant.
- Junipa admin access -- You need administrator access to your Junipa instance.
- Your school's Junipa domain (e.g., yourschool.junipa.com.au).
Step 1: Register an Application in Microsoft Entra ID
- Sign in to the Microsoft Entra admin centre.
- Navigate to Identity > Applications > App registrations.
- Click New registration.
- Configure the registration:
- Name: Enter a recognisable name (e.g., "Junipa - YourSchool").
- Supported account types: Select Accounts in this organizational directory only (single tenant).
- Redirect URI: Select Web as the platform and enter your redirect URI:
https://yourschool.junipa.com.au/__/auth/handler
Replace yourschool with your actual Junipa subdomain.
- Click Register.
Step 2: Note Down the Application Details
After registration, note down the following values from the application overview page:
- Application (client) ID -- A unique identifier for the app registration.
- Directory (tenant) ID -- Your Microsoft Entra ID tenant identifier.
You will need both of these when configuring Junipa.
Step 3: Create a Client Secret
- In the app registration, navigate to Certificates & secrets.
- Click New client secret.
- Enter a description (e.g., "Junipa SSO") and select an expiry period.
- Click Add.
- Copy the secret value immediately -- it will not be shown again.
Store the client secret securely. If you lose it, you will need to generate a new one.
Step 4: Configure API Permissions
- In the app registration, navigate to API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Select Delegated permissions.
- Add the following permissions:
- openid
- profile
- email
- Click Add permissions.
- Click Grant admin consent for [Your Organisation] to approve the permissions.
Step 5: Configure SSO in Junipa
- Log into Junipa as an administrator.
- Navigate to Administration > Settings > SSO Configuration (or Authentication Settings, depending on your version).
- Enter the following details:
- Provider: Microsoft Entra ID
- Client ID: The Application (client) ID from Step 2
- Client Secret: The secret value from Step 3
- Tenant ID: The Directory (tenant) ID from Step 2
- Click Save.
Step 6: Test the Configuration
- Open your Junipa login page in a new browser window (or an incognito/private window).
- You should see a Sign in with Microsoft button.
- Click the button.
- You will be redirected to the Microsoft login page.
- Authenticate with a Microsoft 365 account from your organisation.
- After successful authentication, you should be redirected back to Junipa and logged in.
If the test fails, check the troubleshooting tips below.
Troubleshooting
"Redirect URI mismatch" error
The redirect URI in Junipa does not match what is registered in Microsoft Entra ID.
Solution: Ensure the redirect URI in your app registration exactly matches:
https://yourschool.junipa.com.au/__/auth/handler
Check for trailing slashes, typos, and protocol (must be https).
"AADSTS50011" or "Reply URL does not match"
Same as above -- the redirect URI configuration is incorrect.
"Unauthorized domain" error
The domain used for authentication does not match the configured auth domain in Junipa.
Solution: Ensure your Junipa instance's auth domain is set to your custom domain (e.g., yourschool.junipa.com.au) and not a default Firebase domain.
SSO button not appearing
SSO configuration may not have been saved correctly, or the page needs to be refreshed.
Solution: Clear your browser cache, reload the login page, and verify the SSO settings are saved in Junipa administration.
User authenticated but cannot access Junipa
The Microsoft authentication succeeded but the user does not have a Junipa account.
Solution: Ensure the user has been added to Junipa via Team Management. If auto-provisioning is not enabled, accounts must be created manually before users can log in via SSO.
Maintaining Your SSO Configuration
- Client secret expiry -- Client secrets expire based on the duration you selected. Set a calendar reminder to regenerate the secret before it expires, and update it in Junipa.
- Staff changes -- When staff leave your organisation and their Microsoft account is disabled, they will automatically lose access to Junipa via SSO.
- Testing after changes -- After any changes to the Entra ID app registration or Junipa SSO settings, always test the login flow.
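Added example, not part of Junipa's documentation: a scripted alternative to the calendar reminder for client secret expiry. It assumes the app registration's secret list has been exported as JSON in the Microsoft Graph passwordCredential shape (for instance with `az ad app credential list --id <application-client-id>`); the sample data, the 30-day threshold and the function names are constructed for illustration.

```python
import json
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the Microsoft Graph passwordCredential shape, as
# printed by `az ad app credential list --id <application-client-id>`.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "Junipa SSO", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2024-07-08T00:00:00Z"},
    {"displayName": "Junipa SSO (rotated)", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2026-06-20T00:00:00Z"},
    {"displayName": None, "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2024-01-01T00:00:00.1234567Z"},
])


def parse_graph_time(value):
    """Parse a Graph timestamp, tolerating 'Z' and 7-digit fractional seconds."""
    value = re.sub(r"\.\d+", "", value.strip())
    if value.endswith(("Z", "z")):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def secret_expiry_report(credentials_json, now, warn_days=30):
    """Return (status, days_left, description, key_id) rows, most urgent first."""
    rows = []
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now) // timedelta(days=1)
        if end <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "ROTATE"  # regenerate in Entra ID, then update Junipa
        else:
            status = "OK"
        rows.append((status, days_left, cred.get("displayName") or "(no description)", cred["keyId"]))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Pass a saved JSON file as the first argument; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CREDENTIALS
    report = secret_expiry_report(data, datetime.now(timezone.utc))
    for status, days_left, description, key_id in report:
        print(f"{status:8} {days_left:5d}d  {description}  ({key_id})")
    # Non-zero exit lets a scheduled job alert when any secret needs attention.
    sys.exit(1 if any(row[0] != "OK" for row in report) else 0)
```

The script reads only credential metadata (description, key ID, expiry); the secret value itself is never needed for this check.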