Overview
This guide explains:
- Why organizations may choose Single Sign-On (SSO) instead of CircuiTree-only MFA
- How to configure Microsoft Entra ID (Azure AD) for CircuiTree SSO
- How to complete the final configuration in CircuiTree
- How to troubleshoot common SSO issues
This setup uses OIDC (OpenID Connect) and supports automatic user provisioning and group-based access.
Why Use Single Sign-On (SSO) Instead of CircuiTree MFA?
CircuiTree supports both Multi-Factor Authentication (MFA) and Single Sign-On (SSO). While MFA improves login security, SSO provides additional control, automation, and scalability for organizations that already manage users in Microsoft Entra ID.
CircuiTree MFA (Baseline Security)
CircuiTree MFA:
- Adds a second verification step after username/password
- Is configured and managed inside CircuiTree
- Requires users to maintain separate CircuiTree credentials
MFA strengthens security but does not centralize identity or user lifecycle management.
SSO with Microsoft Entra ID (Recommended)
With SSO enabled:
- CircuiTree does not store or manage passwords
- Authentication is handled entirely by your organization’s Entra ID
- Only users inside your directory can sign in
- MFA, device rules, and Conditional Access are enforced by your IT policies, not CircuiTree
Key Benefits of SSO
Stronger security
- Access restricted to users in your Entra ID tenant
- Entra ID MFA and Conditional Access policies apply automatically
Centralized user management
- Add, update, or remove users once, in Entra ID
- No separate CircuiTree passwords to manage
- Entra ID groups can control CircuiTree access
Automatic user provisioning
- New users are created automatically on first login
- Access is assigned based on Entra ID group membership
- Changes in group membership update access automatically
Improved user experience
- One login across company systems
- Familiar Microsoft sign-in experience
Reduced IT & support overhead
- Fewer password reset requests
- Clear responsibility split: IT manages identity, CircuiTree consumes it
MFA with SSO
MFA is still enforced — but by Microsoft Entra ID, not CircuiTree.
- CircuiTree MFA is bypassed when SSO is enabled
- Entra ID MFA and Conditional Access policies take precedence
- Security remains consistent across all company applications
Before You Begin
You will need:
- Admin access to Microsoft Entra Admin Center
- Admin access to CircuiTree
- A secure place to store the Client Secret value (visible only once)
Microsoft Entra ID Configuration
App Registration
In Microsoft Entra Admin Center:
- Navigate to App registrations
- Create a new app registration
- Use:
  - Name: CircuiTree OIDC
  - Supported account types: Accounts in this organizational directory only (Single tenant)
Authentication Settings
In the app’s Authentication section:
- Add the following Redirect URI under Web: https://app.circuitree.com/signin-oidc
- Enable ID tokens under Implicit grant and hybrid flows
- Confirm supported account type is Single tenant
Client Secret
In Certificates & secrets:
- Create a new client secret
- Use a 24-month expiration (730 days)
- Copy and securely store the Secret VALUE immediately
This value cannot be retrieved later.
API Permissions
In API permissions:
- Add Microsoft Graph Application permissions:
  - Directory.Read.All
  - Group.Read.All
- Confirm User.Read (Delegated) is present
- Grant Admin consent
Group Claims (Optional but Recommended)
If using group-based access:
- Go to Token configuration
- Add a Groups claim
- Select:
  - Security groups
  - Directory roles
  - All groups
This allows CircuiTree to assign access based on Entra ID group membership.
Required Values for CircuiTree
From the Entra ID app:
- Application (Client) ID
- Directory (Tenant) ID
- Client Secret VALUE
CircuiTree Configuration
In CircuiTree → Config → Integrations → SSO, enter:
- Client ID: Application (Client) ID
- Client Secret: Client Secret VALUE
- Tenant ID: Directory (Tenant) ID
- Authority URL: https://login.microsoftonline.com/{TenantID}/v2.0
Save the configuration and test login with a user in Entra ID.
Validation Checklist
After setup:
- Confirm a test user can log in successfully
- Confirm correct access is assigned based on group membership
- Set a reminder for Client Secret expiration (24 months)
Common Issues & Troubleshooting
Login fails after Microsoft sign-in
Check:
- Client ID, Tenant ID, and Client Secret match Entra ID
- Client Secret is not expired
- Redirect URI is exactly: https://app.circuitree.com/signin-oidc
User logs in but has no or incorrect access
Check:
- Group claims are enabled in Entra ID
- User is in the correct Entra ID group
- Groups are mapped correctly in CircuiTree
Have the user log out and back in to refresh access.
New user logs in but is not created in CircuiTree
Check:
- API permissions include Directory.Read.All and Group.Read.All
- Admin consent was granted
User disabled in Entra ID still appears active in CircuiTree
- Group membership updates sync on login
- Disable/enable sync may not be immediate
If access persists unexpectedly, contact CircuiTree Support with:
- Organization name
- User email
- Time the user was disabled in Entra ID
MFA behavior is different than expected
- CircuiTree MFA is bypassed when SSO is enabled
- Entra ID MFA and Conditional Access policies apply instead
Review MFA rules in Entra ID.
Concern: “Anyone with a Microsoft account can log in”
Check:
- Supported account type is Single tenant
- Only users in your Entra ID directory should authenticate
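An added diagnostic example (not CircuiTree or Microsoft code) for the "no or incorrect access" issue and the single-tenant concern above: it decodes an ID token's payload and checks the issuer, tenant, audience and groups claims against the values entered during setup. The IDs and the sample token are constructed placeholders, and the overage branch assumes Entra ID's behaviour of leaving the group list out of the token for users in many groups.

```python
import base64
import json

# Constructed placeholder values, not real identifiers.
TENANT_ID = "11111111-1111-1111-1111-111111111111"  # Directory (Tenant) ID
CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # Application (Client) ID
GROUP_ID = "33333333-3333-3333-3333-333333333333"   # object ID of the mapped group

SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID, "aud": CLIENT_ID, "groups": [GROUP_ID],
}

def b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build an unsigned, constructed JWT so the example runs offline."""
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}."

def decode_payload(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, tenant_id, client_id, group_id):
    """Return a list of findings; an empty list means the claims match the setup."""
    findings = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        findings.append("iss does not match the Authority URL for this tenant")
    if claims.get("tid") != tenant_id:
        findings.append("tid is another tenant: check the Single tenant setting")
    if claims.get("aud") != client_id:
        findings.append("aud is not the Application (Client) ID")
    # Overage markers replace the groups list when the user is in too many groups.
    if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
        findings.append("groups overage: group IDs are not embedded in the token")
    elif "groups" not in claims:
        findings.append("no groups claim: check Token configuration")
    elif group_id not in claims["groups"]:
        findings.append("user is not in the expected group")
    return findings

if __name__ == "__main__":
    claims = decode_payload(make_sample_token(SAMPLE_CLAIMS))
    for line in check_claims(claims, TENANT_ID, CLIENT_ID, GROUP_ID) or ["claims match the setup"]:
        print(line)
```

Because the signature is not verified, this is a troubleshooting aid only and is not suitable for making access decisions.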
Support Assistance
If issues continue, please contact support and provide:
- Organization name
- Affected user email(s)
- Screenshots or error messages
- Confirmation that:
  - IDs and secret were verified
  - Admin consent was granted
  - Group claims are configured
Completion
Once configured, users can authenticate to CircuiTree using Microsoft Entra ID (OIDC Single Sign-On) with centralized security and automatic provisioning.