Single Sign-On with Microsoft Entra ID
Without single sign-on, every Pactly user is one more password your organization has to provision, reset, and revoke by hand. When someone leaves, their Pactly account lingers until an admin remembers to deactivate it.
Single sign-on (SSO) hands authentication to Microsoft Entra ID (formerly Azure AD). Users sign in with their existing Microsoft credentials, accounts can be created and removed automatically, and one identity covers both the Pactly web app and the Pactly Word Plugin.
Before you start
Section titled “Before you start”SSO settings live in the left menu under Account settings → SSO. The section is available to admins on accounts where the integrations capability is enabled.
You also need:
- Verified, locked domains. SSO applies to email domains your company has verified and locked in Account settings → Company. Verify and lock the relevant domains first, or only existing users will be able to sign in with SSO. See Verify and lock your domains.
- Access to your Azure portal, if you plan to use your own app registration (most enterprise setups do).
Step 1: Turn on SSO and set the button label
Section titled “Step 1: Turn on SSO and set the button label”- Go to Account settings → SSO.
- Switch the toggle from SSO Disabled to SSO Enabled.
- In Display Name, enter the text users will see on the sign-in button, for example
Microsoftor your company name. - Click Save.
Once SSO is enabled, Pactly shows whether your verified domains are covered. If no domains are locked yet, you’ll see a reminder that only existing users can use SSO until domains are verified and locked.
Step 2: Choose an app registration
Section titled “Step 2: Choose an app registration”Pactly connects to Entra ID through an Azure app registration. Under App Registration, you choose which one.
Use Pactly’s multi-tenant app
Section titled “Use Pactly’s multi-tenant app”The simpler path. You point Pactly at your tenant and consent to Pactly’s pre-built app. No secret to manage.
- Leave the toggle on Use Pactly’s multi-tenant app.
- Enter your Tenant ID (the Directory (tenant) ID from the Azure portal).
- Click Save.
If admin consent for Pactly’s app has not yet been granted in your tenant, contact support, who will provide the consent link.
Use a custom Azure AD app
Section titled “Use a custom Azure AD app”Full control. You register your own app in Azure and supply its credentials. Required when your security policy mandates a self-managed app registration.
- Switch the toggle to Use custom Azure AD app.
- Enter the Tenant ID and Client ID from your Azure app registration.
- Enter the Client Secret value you generated in Azure.
- Optionally set the Client Secret Expiry Date so Pactly can warn you before it lapses (see below).
- Click Save.
Azure client secrets expire on the date you set in the Azure portal, and SSO stops working when one lapses, locking out users on SSO-only domains until you enter a new one. Record the Client Secret Expiry Date so Pactly emails warnings at 2 months, 1 month, and 2 weeks before expiry, then rotate the secret in Azure and enter the new value before it does. The Client Secret field shows when a secret is already configured; enter a new value only when rotating it.
When you use a custom app, Pactly also shows an Azure AD Setup Guide box. It walks through adding the given_name, family_name, and email optional claims to your app’s token configuration so user names sync correctly, and lists the redirect URI your app needs (your Pactly API host followed by /oidc/callback).
Step 3: Decide on password fallback
Section titled “Step 3: Decide on password fallback”Under the main SSO box, the Allow password login as fallback toggle controls whether users on your locked domains can still sign in with a Pactly password:
- Allow password login as fallback: users can choose SSO or password.
- SSO only (no password fallback): users on locked domains must use SSO; password login is disabled for them.
Step 4: Provision users automatically
Section titled “Step 4: Provision users automatically”Found under User Provisioning, Pactly offers two ways to create and remove accounts without manual admin work. They are independent, and you can use either or both.
Just-In-Time (JIT) provisioning
Section titled “Just-In-Time (JIT) provisioning”JIT creates a Pactly account the first time a new person signs in through SSO, so you don’t pre-create users.
- Switch Just-In-Time provisioning to enabled.
- Set the Default Role new users receive on first sign-in (User, Manager, Approver, Lite, Viewer, or Requester).
- Click Save.
Everyone who signs in for the first time lands with this role, so set it to what your typical user should have. You can change individuals afterward in User management.
SCIM 2.0 provisioning and deprovisioning
Section titled “SCIM 2.0 provisioning and deprovisioning”SCIM lets Entra ID push user changes to Pactly directly: it creates accounts when you assign the Pactly enterprise app to someone, and deactivates them when you unassign or offboard the person. This is how you make sure leavers lose Pactly access automatically.
- Switch SCIM 2.0 provisioning to enabled.
- Copy the SCIM Endpoint URL shown, and paste it into the provisioning settings of the Pactly enterprise application in Azure AD.
- Click Generate Token to create a SCIM Bearer Token, then copy it into the same Azure provisioning settings.
- Click Save.
What users see when they sign in
Section titled “What users see when they sign in”Pactly’s sign-in is email-first: the user enters their email, and Pactly then routes them to the right method based on their domain.
SSO route Optional MFA · the same sign-in covers the web app and the Pactly Word Plugin; the one-time code is multi-factor authentication, not a passwordless login
If their domain is set up for SSO, Pactly routes them to the button labeled with your Display Name instead of asking for a password. When you leave Allow password login as fallback on, users on those domains can still reach a Pactly password from the SSO screen; only SSO only removes that option. The same sign-in covers the Pactly web app and the Pactly Word Plugin, which opens a Microsoft sign-in popup and returns to the add-in once authenticated.
For the end-user sign-in experience, see Signing in to Pactly.
API keys and webhooks
Section titled “API keys and webhooks”SSO governs how people sign in. For programmatic access (API keys, webhooks), see the Pactly developer documentation. Those are configured separately and are not part of SSO.
Related
Section titled “Related”Chat with us
We typically reply within a few minutes