Microsoft Single Sign-On (SSO)

Single Sign-On allows you to use your work login credentials to sign in to Simply Stakeholders.

To set up Single Sign-On (SSO) for Simply Stakeholders, you need Azure AD (or Office 365/Microsoft 365, which includes Azure AD). You need to provide your Tenant ID, a globally unique identifier (GUID) that is different from your tenant name or domain, to the Simply Stakeholders team so we can set up your account from our end.

Once the Tenant ID has been set up in your account, your IT administrator can do the following to set up the SSO:

  1. Open the Azure Portal and navigate to the Azure AD page
  2. Navigate to the "Enterprise Applications" tab and click "New application"
  3. Search for "Simply Stakeholders", select the "Simply Stakeholders - Darzin Software" result and click "Sign up for Simply Stakeholders"
  4. Click "Sign in with Microsoft", which will redirect to an Azure AD login page
  5. Consent to the required permissions on behalf of the organisation:
    • Sign users in (openid)
    • View users' basic profile (profile)
    • Maintain access to data you have given it access to (offline_access)
    • Read all users' basic profiles (User.ReadBasic.All)
  6. You will be redirected to an "Error signing in with external account" page; this can be ignored
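
An added example, not part of the Simply Stakeholders documentation: after the consent in step 5, an administrator can check that the organisation-wide grant holds exactly the four delegated scopes listed there. It assumes the grants were exported as JSON from Microsoft Graph's oauth2PermissionGrants listing; the service principal ID and the sample grants are constructed placeholders.

```python
import json

# Delegated scopes listed in consent step 5 (lower-cased for comparison).
EXPECTED = {"openid", "profile", "offline_access", "user.readbasic.all"}

# Constructed sample in the shape of a Microsoft Graph
# GET /oauth2PermissionGrants response; all IDs are placeholders.
APP_SP_ID = "11111111-1111-1111-1111-111111111111"  # hypothetical service principal
SAMPLE = json.loads("""
{"value": [
  {"clientId": "11111111-1111-1111-1111-111111111111",
   "consentType": "AllPrincipals", "principalId": null,
   "scope": "openid profile offline_access Mail.Read"},
  {"clientId": "11111111-1111-1111-1111-111111111111",
   "consentType": "Principal",
   "principalId": "22222222-2222-2222-2222-222222222222",
   "scope": "User.ReadBasic.All"},
  {"clientId": "33333333-3333-3333-3333-333333333333",
   "consentType": "AllPrincipals", "principalId": null,
   "scope": "Directory.Read.All"}
]}
""")


def audit_grants(grants, client_id, expected=EXPECTED):
    """Compare one app's delegated grants with the expected scope set."""
    tenant_wide, per_user = set(), set()
    for grant in grants:
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise application
        scopes = {s.lower() for s in (grant.get("scope") or "").split()}
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes   # admin consent for the organisation
        else:
            per_user |= scopes      # consent given by a single user
    return {
        "missing": sorted(expected - tenant_wide),
        "unexpected": sorted((tenant_wide | per_user) - expected),
        "per_user_only": sorted((per_user - tenant_wide) & expected),
    }


if __name__ == "__main__":
    for finding, scopes in audit_grants(SAMPLE["value"], APP_SP_ID).items():
        print(f"{finding}: {', '.join(scopes) or 'none'}")
```

Any entry under "unexpected" is a scope beyond the four on this page and is worth reviewing before users start linking accounts.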

Adding a user (with SSO enabled)

Once your account has MS SSO enabled:

  1. User Add/Edit pages will include a Microsoft Identity Platform section with a User Principal Name (UPN) field
  2. When the admin user is signed in with MS SSO, this page will display the UPN for any user with a linked Azure AD account and allow linking an account for a new/existing user.
  3. When the admin user isn't signed in with MS SSO, the field won't display any values and attempting to enter a value will fail when the user is saved.
  4. If the field is blank, no change will be made to the user's linked account.

Link Azure AD accounts

Once that's done, the users can link their Azure AD accounts from Simply Stakeholders:

  1. Log into Simply Stakeholders
  2. Navigate to the Admin > External Accounts (SSO) page
  3. Click the "Sign in with Microsoft" button, which will open an Azure AD login page in a new tab
  4. If the user is already signed in, they'll be automatically redirected to a "Successfully linked external account" page.

Once the users have linked their accounts, they can log in by clicking the "Sign in with Microsoft" button on the login page instead of entering their Client Code, Username and Password.

Password resets for SSO enabled accounts

If the account has the "prevent password login" option enabled:

  • Users with a linked external account cannot be sent password setup or reset emails (this includes both the button on the User Edit page and the Forgot Password feature on the login page).
  • Invitations to new users will only offer the option to log in using the "Sign in with Microsoft" button on the login page.

If the account has the "prevent password login" option disabled:

  • When a user is created with a linked Azure AD (AAD) account, the invitation email will include a password creation link as well as a reminder that they can also log in using the "Sign in with Microsoft" button on the login page.
  • Users with linked AAD accounts can still be sent password reset emails.