---
title: "Connect to Microsoft Entra ID"
slug: "connect-to-microsoft-entra"
tags: ["#version  Cloud", "#version 7.10", "#version 7.11", "#version 7.12", "Authentication"]
updated: 2025-11-28T16:05:10Z
published: 2025-11-28T16:05:10Z
---


# Connect to Microsoft Entra ID

DocuWare supports Microsoft Entra ID (formerly: Azure Active Directory) as an Identity Provider for single sign-on. Here's how to connect DocuWare to Microsoft Entra ID.

Note that the configuration dialog has slightly changed with DocuWare 7.13; the configuration itself has not changed.

1. Go to **DocuWare Configurations > General > Security** and activate the option **Enable single sign-on**. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/{26946C32-CB8D-4E83-A6FB-36A9B06C1849}.png)
2. Open Entra ID from the Azure Portal. Create a new app registration in Microsoft Entra ID. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/{3A4292DE-4A50-4AE6-B401-AE8CF5DDB9FE}.png)
3. Select the supported account types. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/{AEF11409-CE2B-4A9B-9B2B-49BA50AAC053}.png)

4. Configure the API permissions. The most basic API settings only require **Microsoft.Graph** with the **User.Read** **Delegated** permission and **Granted** permission status. More advanced API/Permission settings are supported, but not all have been tested fully.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(581).png)

5. Add a new redirect URI for the newly created app registration. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763118762408.png)

6. Copy the Callback URL from **DocuWare Configurations > General > Security > Connection** into the field **URI (Web)** and activate the option **ID tokens**. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763118176326.png) The final result should look like this: ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763118635538.png)

7. Copy the **Application (client) ID** from the overview of the app registration and, under **Endpoints**, the URL to the **OpenID Connect metadata document**. Add these in DocuWare under **Security > Configure single sign-on connection** in the **Client ID** and **Issuer URL** fields. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763119829077.png) ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763118534298.png)

8. Under the **Callback URL** there is a **Test** button. This button will open a new parallel tab where the Administrator can enter Microsoft credentials to test if the configuration is successful or not.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/{45733930-1C32-4DAE-A564-46162D45AF7E}.png)

If you try to save the settings without testing them first, a warning dialog appears that is intended to prevent accidental errors. You have to acknowledge the risks that you are taking by saving an untested configuration. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/{2D598515-2FFA-4758-BE5B-6A3B9306A2C9}.png)

9. After saving the settings, users have the option of logging on with a DocuWare user name and password, as well as single sign-on via Microsoft.

## Notes:

#### Regarding the option "Security level: High"

The default security level for new SSO configurations is set to **Standard**. The standard security level is sufficient for most use cases. The high security level requires a client secret and is recommended. It can be changed by selecting the radio button located under the **Client ID**. Once it is selected, the UI is updated and a new text field is displayed. The field content is protected from visual hacking. ![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763118439085.png)

This **Client Secret Key** has to be generated in the Entra ID application registration settings in the **Certificates and secrets** section. The Entra ID Administrator can generate a new client secret. This secret will become invisible once the Entra ID session is closed.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-1763118372276.png)

#### Regarding the option "Automatically link existing users at login"

If this option is activated, the first time a user logs in with single sign-on, DocuWare will search for a suitable existing DocuWare user with the appropriate user name and email address.

- The same username and email address must be stored in Microsoft Entra ID and in DocuWare.
- The DocuWare user name must correspond to the local part (first part up to @) of the email address of the user in Microsoft Entra ID.

The Microsoft Entra ID user account and the DocuWare user account will only be linked if the user name AND email address match.

Example:

- Entra ID user principal name: peggy.jenkins@peters-engineering.net
- DocuWare username: peggy.jenkins
- DocuWare email address: peggy.jenkins@peters-engineering.net

It is not mandatory for DocuWare users to be created via the User Synchronization app in order to use single sign-on. Even if you create new users manually or import them via an interface, the external user account and the DocuWare account are automatically compared. As soon as a user has been assigned, the user is recognized from this point on based on their external object ID. This means that even if the email address and/or the user name no longer match, the user is still recognized.
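The following pre-flight audit is an added example, not DocuWare code: before enabling automatic linking, it classifies each Entra ID account against the rule above (user name equals the local part of the email address AND the email address matches) and reports why an account would stay unlinked. The `DwUser` export shape, the function names, the sample accounts other than the one from the example above, and the case-insensitive comparison are assumptions.

```python
"""Pre-flight audit for "Automatically link existing users at login"."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DwUser:
    """One row of a DocuWare user export (hypothetical shape)."""
    username: str
    email: str


def _norm(value: str) -> str:
    # Assumption: names and addresses compare without regard to case.
    return value.strip().casefold()


def link_status(entra_email: str, dw_users: list) -> str:
    """Classify one Entra ID account against the linking rule in the text."""
    local_part, sep, _domain = entra_email.strip().rpartition("@")
    if not sep or not local_part:
        return "invalid-entra-email"
    by_name = [u for u in dw_users if _norm(u.username) == _norm(local_part)]
    by_mail = [u for u in dw_users if _norm(u.email) == _norm(entra_email)]
    both = [u for u in by_name if u in by_mail]
    if len(both) == 1:
        return "will-link"
    if len(both) > 1:
        return "ambiguous"          # duplicate accounts: resolve by hand first
    if by_name:
        return "email-mismatch"     # user name fits, stored email differs
    if by_mail:
        return "username-mismatch"  # email fits, user name is not the local part
    return "no-docuware-user"


def audit(entra_emails: list, dw_users: list) -> dict:
    """Map every Entra ID address to its expected linking outcome."""
    return {mail: link_status(mail, dw_users) for mail in entra_emails}


# Constructed sample data; only peggy.jenkins comes from the page's example.
DW_USERS = [
    DwUser("peggy.jenkins", "peggy.jenkins@peters-engineering.net"),
    DwUser("pjones", "paul.jones@peters-engineering.net"),
    DwUser("mary.smith", "mary@peters-engineering.net"),
]
ENTRA_EMAILS = [
    "peggy.jenkins@peters-engineering.net",
    "paul.jones@peters-engineering.net",
    "mary.smith@peters-engineering.net",
    "new.hire@peters-engineering.net",
]
```

Accounts reported as anything other than `will-link` need their DocuWare user name or email address corrected before the user's first single sign-on login.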

#### Enforcing single sign-on

Read more about [enforcing single sign-on](/help/docs/orgnaization-security-settings#enforce-single-signon).

## Supported versions: DocuWare Cloud + 7.14 + 7.13 + 7.12 + 7.11 + 7.10

A service that authenticates users and provides their identity information to other applications, enabling single sign-on (SSO).

Access rights assigned to users that determine what actions they can perform within a system.

The Issuer URL is the unique web address (URL) that identifies an identity provider (IdP) in authentication protocols such as OAuth or OpenID Connect. Applications use the Issuer URL to verify the source of authentication requests and retrieve information about how to connect securely to the identity provider.

A confidential code used by an application to securely prove its identity to an identity provider during authentication.
