When an organization wants to use Microsoft OAuth SSO to authenticate for the Agility app, it may be necessary for the organization's administrative team to approve/consent to allowing our app to access their Microsoft tenant.
Note that our implementation of SSO uses OAuth2.0 and OpenID Connect, not SAML. SAML support may be added in the future.
After a user requests approval, the IT team should perform the steps described below to allow access for our Microsoft OAuth SSO application.
The IT team will receive an email confirmation describing the original request. This should include:
The username of the user who initiated the request
Requester's organization (Agility PR Solutions)
Requester's app (Agility)
The "justification" note provided during the request
The request date and expiration
A link to review and approve the request
The review link should bring the administrator to a screen with more information about the app, including the redirect URLs that are currently registered. It is worth checking that these match the Agility sign-in URLs before proceeding.
Clicking through to the actual approval screen, the administrator will see a popup that outlines what information our app is attempting to access about the organization's users.
Once accepted, the organization will allow our app to access the information described for all users, and no other users will need to go through this process. SSO sign-in attempts will proceed as normal.
Stricter Security Settings
The organization's administrators may also have stricter security settings than those described above. In that case the administrators may need to grant consent without an explicit request ever being sent to the IT department. The user attempting to sign in may see a message similar to the one below:
In this case, it is necessary to include IT in the initial setup, or to request permission manually from the organization's administrators (as opposed to relying on the automatic request that Microsoft sends on behalf of the user attempting to sign in).
The administrators should then either:
Create a user group, add every user who should have access to that group, and keep it up to date (whenever a new user is added to our platform, that user must also be added to this group before they can sign in); or
Allow overall access from the tenant to the application
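The following PowerShell is an added example, not part of Agility's documentation, showing how an organization's administrator could perform the same review and consent steps with the Microsoft Graph PowerShell SDK instead of the portal: it lists the registered redirect URLs and existing grants that the review screen shows, records a tenant-wide admin consent grant (the "allow overall access from the tenant" option), and optionally restricts sign-in to members of a group (the "create a user group" option). The application (client) ID and group name are placeholders, and the scope list "openid profile email" is an assumption; the real values must be taken from the consent request and the consent popup. Note that restricting sign-in to a group still requires the consent grant, since assignment controls who may sign in while consent controls what the app may read.

```powershell
# Added example (not Agility's own code). Requires the Microsoft.Graph PowerShell SDK.
$AgilityAppId    = "00000000-0000-0000-0000-000000000000"   # placeholder: take the real appId from the request
$GraphAppId      = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$RequestedScopes = "openid profile email"                   # assumption: verify on the consent popup
$RestrictToGroup = $false                                   # $true = "user group" option, $false = whole tenant
$GroupName       = "Agility SSO Users"                      # placeholder group name (only used when restricting)

Connect-MgGraph -Scopes "Application.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "Group.Read.All"

# 1. Find the service principal that the user's consent request created in this tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AgilityAppId'"
if (-not $sp) {
    throw "No service principal for appId $AgilityAppId; the sign-in request may not have reached this tenant yet."
}

# 2. Review before consenting: the registered redirect URLs and any consent that already exists.
"App: $($sp.DisplayName) (object id $($sp.Id))"
"Registered redirect URLs:"
$sp.ReplyUrls | ForEach-Object { "  $_" }

$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
"Existing delegated grants:"
$existing | ForEach-Object { "  consentType=$($_.ConsentType) scope='$($_.Scope)'" }

# 3. Record tenant-wide admin consent (consentType AllPrincipals) for the requested scopes.
#    This is the same outcome as clicking Accept on the admin consent popup for all users.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not ($existing | Where-Object { $_.ConsentType -eq "AllPrincipals" })) {
    New-MgOauth2PermissionGrant -BodyParameter @{
        clientId    = $sp.Id
        consentType = "AllPrincipals"
        resourceId  = $graphSp.Id
        scope       = $RequestedScopes
    } | Out-Null
    "Granted tenant-wide consent for scopes: $RequestedScopes"
}

# 4. Optional: require assignment and assign one group, so only its members can complete SSO.
#    New Agility users must then be added to this group before they can sign in.
if ($RestrictToGroup) {
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found; create it and add the intended users first." }

    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
        principalId = $group.Id
        resourceId  = $sp.Id
        appRoleId   = "00000000-0000-0000-0000-000000000000"   # default access role when the app defines no app roles
    } | Out-Null
    "Sign-in restricted to members of '$GroupName'"
}
```

Run it in a PowerShell session as a user holding a role that can grant consent (for example Global Administrator or Privileged Role Administrator). Step 2 is the useful part even if the consent itself is done in the portal: comparing the listed redirect URLs against the expected Agility sign-in addresses, and seeing whether a grant already exists, answers the questions the review screen is there to raise.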