
Configuring Entra ID SSO for ClientOne (MSP guide)

This guide is for MSP engineers who need to set up Microsoft Entra ID (Azure AD) sign-in for end users in ClientOne (the client-facing app at app.clientone.dev or a custom ClientOne origin). Each client can have their own Entra tenant; you will create one app registration per client (or work with the client's IT to obtain the values).

This document covers end-user Entra sign-in in ClientOne (against each client's own tenant), configured per client in Portal Admin. It is not the same as Settings → SSO in PanelOne, which is for your MSP's staff using Entra to sign in to the MSP app.


Overview

  • Flow: The user enters their work email on the ClientOne login page. If the domain matches a configured client, they are redirected to that client's Entra ID to sign in; after success, they are signed into ClientOne.
  • Access: Invite required. End users must have a pending or accepted invite for that client before SSO will complete.
  • Redirect URI: The PanelOne callback URL must be added to the client's Entra app registration. Use the exact URL shown in Portal Admin when you configure SSO for that client.

Step 1: Create an app registration in the client's Entra tenant

The client's IT admin (or you, with appropriate access) should:

  1. In Microsoft Entra admin center (or Azure Portal → Microsoft Entra ID), go to App registrations → New registration.
  2. Name: e.g. PanelOne ClientOne (or a name your client approves; this appears on the consent experience).
  3. Supported account types: Accounts in this organizational directory only (Single tenant).
  4. Redirect URI:
    • Type: Web
    • URL: https://<your-supabase-project>.supabase.co/functions/v1/auth-entra-callback
      Replace <your-supabase-project> with your Supabase project reference. The exact URL is shown in PanelOne under Portal Admin → Portal Configuration → SSO for the client.
  5. Click Register.

Step 2: Record application and directory IDs

After creation:

  • Application (client) ID — copy this.
  • Directory (tenant) ID — copy this (this is the Entra tenant ID).

Step 3: Create a client secret

  1. Go to Certificates & secrets → New client secret.
  2. Add a description (e.g. ClientOne sign-in) and choose an expiry.
  3. Copy the Value of the secret immediately (it is shown only once). Store it securely; you will enter it in PanelOne.

Step 4: Configure authentication

  1. Go to Authentication.
  2. Under Redirect URIs, ensure the callback URL from step 1 is listed.
  3. Under Implicit grant and hybrid flows, ensure ID tokens are enabled for the flow PanelOne uses (authorization code with ID token).
  4. Save.

Step 5: API permissions

  1. Go to API permissions → Add a permission.
  2. Choose Microsoft Graph (or OpenID Connect as applicable).
  3. Add Delegated permissions: openid, profile, email.

These are sufficient for sign-in and reading the user's profile and email.


Step 6: Provide values to PanelOne

In PanelOne:

  1. Go to Portal Admin → Portal Configuration.
  2. Enable ClientOne for the client if not already enabled.
  3. Click SSO for that client.
  4. Enter:
    • Entra tenant ID — directory (tenant) ID from step 2.
    • Primary domain — the client's primary email domain (e.g. contoso.com). Users whose email uses that domain will be offered Entra sign-in.
    • Application (client) ID — from step 2.
    • Client secret — the value from step 3.
  5. The redirect URI shown in PanelOne is read-only; it must match what you added in Entra.
  6. Optionally enable Enforce SSO only and add Break-glass emails (addresses that can still use password when SSO is enforced).
  7. Save.

Checklist per client

  • App registration created in the client's Entra tenant (single tenant).
  • Redirect URI set to https://<project>.supabase.co/functions/v1/auth-entra-callback (and matches Portal Admin).
  • Application (client) ID and directory (tenant) ID recorded.
  • Client secret created and value stored securely.
  • API permissions include openid, profile, email.
  • Portal Admin → Portal Configuration → SSO completed and saved for this client.
  • Test: send an invite, then have the end user open ClientOne, choose work email, and complete Entra sign-in.

Notes

  • Conditional Access / MFA: Policies in the client's Entra tenant apply to this sign-in.
  • Secrets: Stored per client; rotate in Entra and update PanelOne when needed.
  • Break-glass: When "Enforce SSO only" is on, only the listed break-glass emails can sign in with a password; everyone else must use Entra.
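The following is an added illustration of the login-page logic described in the Overview together with the "Enforce SSO only" and break-glass behaviour above; it is example code written for this guide, not PanelOne's own implementation. It shows the domain match, which sign-in options to offer, and the authorization request sent to the client's single-tenant authority; the client values, the project reference and the state/nonce handling are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

@dataclass(frozen=True)
class ClientSso:
    tenant_id: str          # Directory (tenant) ID, Step 2
    primary_domain: str     # Primary domain, Step 6
    application_id: str     # Application (client) ID, Step 2
    redirect_uri: str       # exact callback URL shown in Portal Admin
    enforce_sso_only: bool = False
    break_glass_emails: tuple = ()

SCOPES = "openid profile email"  # the delegated permissions from Step 5
# Constructed sample configuration; the IDs are placeholders, not real values.
CLIENTS = (ClientSso("TENANT-ID-PLACEHOLDER", "contoso.com", "APP-ID-PLACEHOLDER",
                     "https://PROJECT-REF.supabase.co/functions/v1/auth-entra-callback",
                     enforce_sso_only=True, break_glass_emails=("itadmin@contoso.com",)),)

def email_domain(email: str) -> str:
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address")
    return domain.lower()

def find_client(email: str, clients=CLIENTS):
    """Client whose primary domain matches the email's domain, else None."""
    domain = email_domain(email)
    return next((c for c in clients if c.primary_domain.lower() == domain), None)

def allowed_methods(email: str, client) -> tuple:
    """Sign-in options to offer: honours 'Enforce SSO only' and break-glass emails."""
    if client is None:
        return ("password",)
    if client.enforce_sso_only and email.strip().lower() not in {b.lower() for b in client.break_glass_emails}:
        return ("entra",)
    return ("entra", "password")

def build_authorize_url(client, state: str, nonce: str) -> str:
    """Authorization request against the client's own tenant (never /common)."""
    authority = f"https://login.microsoftonline.com/{client.tenant_id}/oauth2/v2.0/authorize"
    params = {
        "client_id": client.application_id,
        "response_type": "code id_token",    # hybrid flow; needs 'ID tokens' enabled (Step 4)
        "response_mode": "form_post",        # Entra requires form_post/fragment when an id_token is requested
        "redirect_uri": client.redirect_uri, # must match the registration exactly
        "scope": SCOPES,
        "state": state,                      # ties the callback to this browser session
        "nonce": nonce,                      # echoed in the id_token; reject if it differs
    }
    return f"{authority}?{urlencode(params)}"
```

The callback handler should compare the returned state and the id_token nonce with the values issued here and refuse the sign-in on any mismatch.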