# Microsoft Entra ID

> How to configure SAML SSO with Microsoft Entra ID (Azure AD) for your Tuple team

This guide walks through configuring SAML SSO with Microsoft Entra ID (formerly Azure AD) as your identity provider.

<Info>
  Email addresses in Microsoft Entra ID and Tuple must match exactly. For example, `dev+tuple@company.com` does not match `dev@company.com`. Verify your team's email addresses before enabling SSO.
</Info>

<Steps>
  <Step title="Create an enterprise application">
    Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a Cloud Application Administrator.

    Navigate to **Identity > Applications > Enterprise applications** and click **New application**. Then click **Create your own application**.

    Enter "Tuple" as the application name, select **Integrate any other application you don't find in the gallery (Non-gallery)**, and click **Create**.
  </Step>

  <Step title="Assign users">
    Before configuring SSO, assign the users who need access to Tuple. In your new Tuple application, go to **Users and groups** and add the users or groups that should have SSO access.
  </Step>

  <Step title="Configure SAML">
    In your Tuple application, navigate to **Single sign-on** in the left sidebar and select **SAML** as the sign-on method.

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/entra-id/saml-configuration.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=3de40d0dd5e3abcb260f334025382e3d" alt="SAML-based Sign-on configuration page in Microsoft Entra ID" width="1726" height="1156" data-path="images/team-management/sso/entra-id/saml-configuration.png" />

    Click **Edit** on the **Basic SAML Configuration** card and fill in the following fields:

    **Identifier (Entity ID)**

    ```
    https://production.tuple.app/users/saml/metadata
    ```

    **Reply URL (Assertion Consumer Service URL)**

    ```
    https://production.tuple.app/users/saml/auth
    ```

    Click **Save**.
  </Step>

  <Step title="Configure attributes and claims">
    Click **Edit** on the **Attributes & Claims** card. Add two custom claims so Tuple receives the user's first and last name.

    Click **Add new claim** and create each of the following:

    | Name         | Source attribute |
    | ------------ | ---------------- |
    | `first_name` | `user.givenname` |
    | `last_name`  | `user.surname`   |

    Leave the **Namespace** field empty for both claims.

    Tuple also reads `email` from the SAML response. The default claim for email address mapped to `user.mail` works automatically -- no changes needed.
  </Step>

  <Step title="Set up SAML in Tuple">
    On the **SAML Certificates** card, download the **Certificate (Base64)** file.

    Then, in the **Set up Tuple** card, copy the following values:

    * **Login URL** -- this is your IdP authentication URL
    * **Microsoft Entra Identifier** -- this is your IdP entity ID

    Navigate to the **Settings** tab of the [team management dashboard](https://production.tuple.app/team_management/settings).

    <Info>
      Only [team owners](/team-management/team-owner-and-managers) can enable SAML. To find out who your team owner is, check [your profile](https://production.tuple.app/profile#team).
    </Info>

    Under **Sign-in methods**, set **Required Authentication Provider** to **SAML SSO**. The **Update SAML Configuration** form appears:

    <img src="https://mintcdn.com/tuple-0f82e5be/DYhTWyURiIllHPbV/images/team-management/sso/update-configuration.png?fit=max&auto=format&n=DYhTWyURiIllHPbV&q=85&s=e70c9481be3de1a3c3fca8b4ab6b71a4" alt="SAML configuration form in Tuple" width="1338" height="1163" data-path="images/team-management/sso/update-configuration.png" />

    Fill in the values with your Microsoft Entra ID metadata: the certificate, **Login URL**, and **Microsoft Entra Identifier** you collected above.

    Select the **Email Domain** that SAML should apply to. Only domains with confirmed team members are available.

    Click **Save as draft**. Your draft is saved as a **Pending Update** alongside your current sign-in method, so no one on your team is affected yet.

    <img src="https://mintcdn.com/tuple-0f82e5be/DYhTWyURiIllHPbV/images/team-management/sso/pending-update.png?fit=max&auto=format&n=DYhTWyURiIllHPbV&q=85&s=3cd1871de2b84121fb99798a48d7acd0" alt="Pending SAML update showing Test and Publish actions" width="1190" height="835" data-path="images/team-management/sso/pending-update.png" />

    Click **Test** to verify the configuration end-to-end. Tuple signs you in through Microsoft Entra ID so you can confirm that authentication succeeds before the change affects anyone else on your team.

    Once the test succeeds, click **Publish** to make the configuration live. Active Tuple sessions persist, but new sign-ins are routed through Microsoft Entra ID.

    Use **Edit** to tweak the draft, or **Discard** to throw it away without publishing.
  </Step>
</Steps>
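
If the **Test** step fails, a quick lint of the SAML response usually shows which of the settings above is off. The script below is an added example, not Tuple's or Microsoft's code: it assumes you have the base64-decoded `SAMLResponse` XML from the test sign-in, that a claim created with a namespace arrives as `<namespace>/<name>`, and that "match exactly" means plain string equality. The function name and sample response are constructed for illustration, and it does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://production.tuple.app/users/saml/metadata"  # Identifier (Entity ID) above
ACS_URL = "https://production.tuple.app/users/saml/auth"        # Reply URL (ACS URL) above
# Name Entra ID gives its default user.mail claim
ENTRA_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def lint_response(xml_text, tuple_email):
    """List configuration problems in a decoded SAML response (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    if ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not contain the Tuple Entity ID")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient is not the Tuple Reply URL")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", "", NS)
    for claim in ("first_name", "last_name"):
        if claim not in attrs:
            namespaced = any(name.endswith("/" + claim) for name in attrs)
            hint = " (sent with a namespace prefix; clear the Namespace field)" if namespaced else ""
            problems.append(f"claim {claim} is missing{hint}")
    email = attrs.get("email", attrs.get(ENTRA_EMAIL))
    if email is None:
        problems.append("no email claim found")
    elif email != tuple_email:  # assumption: "match exactly" is read as string equality
        problems.append(f"email {email} does not match Tuple address {tuple_email}")
    return problems

# Constructed sample: first_name was given a namespace, and the mail address carries a +tag.
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://example.invalid/claims/first_name"><saml:AttributeValue>Dev</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Eloper</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ENTRA_EMAIL}">
      <saml:AttributeValue>dev+tuple@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(lint_response(SAMPLE, "dev@company.com")))
```

An empty result means the audience, recipient, claim names, and email line up with this guide; it says nothing about whether the response is correctly signed.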
