Tutorial: Azure Active Directory integration with Marketo

In this tutorial, you learn how to integrate Marketo with Azure Active Directory (Azure AD). Integrating Marketo with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to Marketo.
  • You can enable your users to be automatically signed-in to Marketo (Single Sign-On) with their Azure AD accounts.
  • You can manage your accounts in one central location - the Azure portal.


To configure Azure AD integration with Marketo, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
  • Marketo single sign-on enabled subscription

Scenario description

In this tutorial, you configure and test Azure AD single sign-on in a test environment.

  • Marketo supports IDP initiated SSO


Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

To configure the integration of Marketo into Azure AD, you need to add Marketo from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add new application, select New application.
  5. In the Add from the gallery section, type Marketo in the search box.
  6. Select Marketo from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.

Configure and test Azure AD SSO for Marketo

In this section, you configure and test Azure AD single sign-on with Marketo based on a test user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the related user in Marketo needs to be established.

To configure and test Azure AD single sign-on with Marketo, perform the following steps:

  1. Configure Azure AD SSO - to enable your users to use this feature.
    1. Create an Azure AD test user - to test Azure AD SSO with Britta Simon.
    2. Assign the Azure AD test user - to enable Britta Simon to use Azure AD SSO.
  2. Configure Marketo SSO - to configure the SSO settings on application side.
    1. Create Marketo test user - to have a counterpart of Britta Simon in Marketo that is linked to the Azure AD representation of user.
  3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Marketo application integration page, find the Manage section and select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

    Edit Basic SAML Configuration

  4. On the Basic SAML Configuration section, enter the values for the following fields:

    a. In the Identifier text box, type the URL: https://saml.marketo.com/sp

    b. In the Reply URL text box, type a URL using the following pattern: https://login.marketo.com/saml/assertion/<munchkinid>

    c. In the Relay State text box, type a URL using the following pattern: https://<munchkinid>.marketo.com/


    These values are not real. Update these values with the actual Reply URL and Relay State. Contact Marketo Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

  5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

    The Certificate download link

  6. On the Set up Marketo section, copy the appropriate URL(s) as per your requirement.

    Copy configuration URLs

Create an Azure AD test user

In this section, you'll create a test user in the Azure portal called B.Simon.

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Marketo.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Marketo.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
  7. In the Add Assignment dialog, click the Assign button.

Configure Marketo SSO

  1. To automate the configuration within Marketo, you need to install My Apps Secure Sign-in browser extension by clicking Install the extension.

    My apps extension

  2. After adding extension to the browser, click on Set up Marketo will direct you to the Marketo application. From there, provide the admin credentials to sign into Marketo. The browser extension will automatically configure the application for you and automate steps 3-6.

    Setup configuration

  3. If you want to setup Marketo manually, in a different web browser window, sign in to your Marketo company site as an administrator.

  4. To get Munchkin ID of your application, perform the following actions:

    a. Log in to Marketo app using admin credentials.

    b. Click the Admin button on the top navigation pane.

    Configure Single Sign-On1

    c. Navigate to the Integration menu and click the Munchkin link.

    Configure Single Sign-On2

    d. Copy the Munchkin ID shown on the screen and complete your Reply URL in the Azure AD configuration wizard.

    Configure Single Sign-On3

  5. To configure the SSO in the application, follow the below steps:

    a. Log in to Marketo app using admin credentials.

    b. Click the Admin button on the top navigation pane.

    Configure Single Sign-On4

    c. Navigate to the Integration menu and click Single Sign On.

    Configure Single Sign-On5

    d. To enable the SAML Settings, click Edit button.

    Configure Single Sign-On6

    e. Enabled Single Sign-On settings.

    f. Paste the Azure AD Identifier, in the Issuer ID textbox.

    g. In the Entity ID textbox, enter the URL as http://saml.marketo.com/sp.

    h. Select the User ID Location as Name Identifier element.

    Configure Single Sign-On7


    If your User Identifier is not UPN value then change the value in the Attribute tab.

    i. Upload the certificate, which you have downloaded from Azure AD configuration wizard. Save the settings.

    j. Edit the Redirect Pages settings.

    k. Paste the Login URL in the Login URL textbox.

    l. Paste the Logout URL in the Logout URL textbox.

    m. In the Error URL, copy your Marketo instance URL and click Save button to save settings.

    Configure Single Sign-On8

  6. To enable the SSO for users, complete the following actions:

    a. Log in to Marketo app using admin credentials.

    b. Click the Admin button on the top navigation pane.

    Configure Single Sign-On9

    c. Navigate to the Security menu and click Login Settings.

    Configure Single Sign-On10

    d. Check the Require SSO option and Save the settings.

    Configure Single Sign-On11

Create Marketo test user

In this section, you create a user called Britta Simon in Marketo. follow these steps to create a user in Marketo platform.

  1. Log in to Marketo app using admin credentials.

  2. Click the Admin button on the top navigation pane.

    test user1

  3. Navigate to the Security menu and click Users & Roles

    test user2

  4. Click the Invite New User link on the Users tab

    test user3

  5. In the Invite New User wizard fill the following information

    a. Enter the user Email address in the textbox

    test user4

    b. Enter the First Name in the textbox

    c. Enter the Last Name in the textbox

    d. Click Next

  6. In the Permissions tab, select the userRoles and click Next

    test user5

  7. Click the Send button to send the user invitation

    test user6

  8. User receives the email notification and has to click the link and change the password to activate the account.

Test SSO

In this section, you test your Azure AD single sign-on configuration with following options.

  • Click on Test this application in Azure portal and you should be automatically signed in to the Marketo for which you set up the SSO

  • You can use Microsoft My Apps. When you click the Marketo tile in the My Apps, you should be automatically signed in to the Marketo for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Marketo you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.