Set up a SAML 2.0 provider with Microsoft Entra ID

Microsoft Entra is one of the SAML 2.0 identity providers you can use to authenticate visitors to your Power Pages site. You can use any provider that conforms to the SAML 2.0 specification.

This article describes the following steps:


Changes to your site's authentication settings might take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.

Set up Microsoft Entra in Power Pages

Set Microsoft Entra as an identity provider for your site.

  1. In your Power Pages site, select Set up > Identity providers.

    If no identity providers appear, make sure External login is set to On in your site's general authentication settings.

  2. Select + New provider.

  3. Under Select login provider, select Other.

  4. Under Protocol, select SAML 2.0.

  5. Enter a name for the provider; for example, Microsoft Entra ID.

    The provider name is the text on the button that users see when they select their identity provider on the sign-in page.

  6. Select Next.

  7. Under Reply URL, select Copy.

    Don't close your Power Pages browser tab. You'll return to it soon.

Create an app registration in Azure

Create an app registration in the Azure portal with your site's reply URL as the redirect URI.

  1. Sign in to the Azure portal.

  2. Search for and select Azure Active Directory.

  3. Under Manage, select App registrations.

  4. Select New registration.

  5. Enter a name.

  6. Select one of the Supported account types that best reflects your organization requirements.

  7. Under Redirect URI, select Web as the platform, and then enter the reply URL of your site.

    • If you're using your site's default URL, paste the reply URL you copied.
    • If you're using a custom domain name, enter the custom URL. Be sure to use the same custom URL for the assertion service consumer URL in the settings for the identity provider on your site.
  8. Select Register.

  9. Select Endpoints at the top of the page.

  10. Find the Federation metadata document URL and select the copy icon.

  11. In the left side panel, select Expose an API.

  12. To the right of Application ID URI, select Add.

  13. Enter your site URL as the App ID URI.

  14. Select Save.

  15. In a new browser tab, paste the federation metadata document URL you copied earlier.

  16. Copy the value of the entityID tag in the document.

Enter site settings in Power Pages

Return to the Power Pages Configure identity provider page you left earlier and enter the following values. Optionally, change the additional settings as needed. Select Confirm when you're finished.

  • Metadata address: Paste the federation metadata document URL you copied.

  • Authentication type: Paste the entityID value you copied.

  • Service provider realm: Enter your site's URL.

  • Assertion service consumer URL: If your site uses a custom domain name, enter the custom URL; otherwise, leave the default value, which should be your site's reply URL. Be sure the value is exactly the same as the redirect URI of the application you created.

Additional settings in Power Pages

The additional settings give you finer control over how users authenticate with your SAML 2.0 identity provider. You don't need to set any of these values. They're entirely optional.

  • Validate audience: Turn on this setting to validate the audience during token validation.

  • Valid audiences: Enter a comma-separated list of audience URLs.

  • Contact mapping with email: This setting determines whether contacts are mapped to a corresponding email address when they sign in.

    • On: Associates a unique contact record with a matching email address and automatically assigns the external identity provider to the contact after the user successfully signs in.
    • Off

See also

Set up a SAML 2.0 provider
Set up a SAML 2.0 provider with AD FS