# Using Microsoft 365

### Setting Up Single Sign-On (SSO) with Microsoft 365 for emSigner

#### Overview

emSigner supports **Single Sign-On (SSO) using Microsoft 365 (Azure Active Directory / Microsoft Entra ID)** to enable secure, centralized user authentication. With SSO enabled, users can log in to emSigner using their existing Microsoft 365 credentials, eliminating the need for separate passwords and improving security and user experience.

***

#### Prerequisites

Before configuring Microsoft 365 SSO for emSigner, ensure the following:

* An active **Microsoft 365 tenant** with administrative access
* **Microsoft Entra ID (Azure AD)** admin privileges
* A verified **email domain** in Microsoft 365 that matches emSigner user accounts
* SSO enabled for your organization in emSigner by the emSigner support or onboarding team

***

#### Supported SSO Protocol

emSigner supports **SAML 2.0–based SSO** with Microsoft Entra ID.

***

#### Configuration Steps

**Step 1: Create an Enterprise Application in Microsoft Entra ID**

1. Sign in to the **Microsoft Entra Admin Center**.
2. Navigate to **Enterprise Applications** → **New Application**.
3. Select **Create your own application**.
4. Name the application (for example, *emSigner SSO*).
5. Choose **Integrate any other application you don’t find in the gallery (Non-gallery)**.

***

**Step 2: Configure SAML-Based Sign-On**

1. Open the newly created Enterprise Application.
2. Go to **Single sign-on** → select **SAML**.
3. In **Basic SAML Configuration**, configure the following values (to be provided by emSigner):
   * **Identifier (Entity ID)**
   * **Reply URL (Assertion Consumer Service URL)**
   * **Sign-on URL** (if applicable)

> These values are environment-specific (region and data residency zone) and must be obtained from emSigner.

***

**Step 3: Configure User Attributes & Claims**

1. In **User Attributes & Claims**, ensure the following:
   * **NameID** is set to the user’s **email address**
   * Format: `emailAddress`
2. The email claim must match the **primary email identifier** used in emSigner.

***

**Step 4: Download Federation Metadata**

1. From the **SAML Signing Certificate** section, download the **Federation Metadata XML**.
2. Share this metadata with the emSigner support or onboarding team.

***

**Step 5: Assign Users or Groups**

1. In the Enterprise Application, navigate to **Users and Groups**.
2. Assign:
   * Individual users, or
   * Microsoft Entra ID groups (recommended for large organizations)

Only assigned users will be able to access emSigner using SSO.

***

#### emSigner Configuration

Once Microsoft 365 configuration is complete:

* emSigner will validate the metadata and enable SSO for your tenant.
* Authentication policies will be mapped to your organization.
* Optional controls such as **mandatory SSO**, **conditional access**, or **MFA enforcement** may be applied.

***

#### User Login Experience

After SSO is enabled:

1. The user enters their **email address** on the emSigner login page.
2. emSigner detects that Microsoft 365 SSO is configured.
3. The user is redirected to the Microsoft login page.
4. Upon successful authentication, the user is logged in to emSigner automatically.

***

#### Security & Compliance Notes

* emSigner does **not store Microsoft passwords**.
* Authentication is handled entirely by Microsoft Entra ID.
* Microsoft-configured security controls such as **MFA**, **Conditional Access**, and **device policies** continue to apply.
* All login events are captured in emSigner audit logs.

***

#### Troubleshooting

**User is not redirected to Microsoft login**

* Ensure SSO is enabled for the organization in emSigner.
* Verify that the user’s email domain matches the configured Microsoft tenant.

**Login fails after Microsoft authentication**

* Confirm that the email attribute is correctly mapped.
* Ensure that the user is assigned to the Enterprise Application.

**Access denied**

* Check Microsoft Conditional Access or MFA policies.

***

#### Need Assistance?

For environment-specific URLs, metadata validation, or enabling Microsoft 365 SSO for your tenant, please contact emSigner Support or raise a support ticket through the Support Portal.
