---
title: "Entra ID (Azure AD) 3rd party authentication"
slug: "entra-id-azure-ad-3rd-party-authentication"
description: "In order to login to NordLayer apps or Control Panel, users can authenticate their identity via Azure AD SSO."
updated: 2025-10-02T10:35:56Z
published: 2025-10-02T10:35:56Z
---

# Entra ID (Azure AD) 3rd party authentication

To streamline access to NordLayer apps and the Control Panel, you can integrate Entra ID (Azure AD) single sign-on (SSO). Here's a step-by-step guide to setting it up.

## Prerequisites for Entra ID (Azure AD) SSO

1. Log in to your **Entra ID Panel** and navigate to the **App registrations** section.
2. Click **New registration** and name it **NordLayer**.
3. Select supported account types and click **Register**.
4. In the **API permissions** tab, click **Add a permission**, select **Microsoft Graph**, and choose **Delegated permissions**.
5. Select **profile** and click **Add permissions**.
6. Click **Grant admin consent for NordLayer**.

### Ensuring matching claims configuration for Entra ID (Azure AD) and NordLayer

When configuring Entra ID (Azure AD) SSO, make sure that the claims you select on the Entra ID (Azure AD) side match exactly the claims you choose on the NordLayer side.

A mismatch can cause issues in which Azure AD automatically transmits claims that you haven't selected.

Configure both sides according to the claims you want to use:

**If you want to use SSO with only email**:

* **Entra ID**: Grant **profile** permission.
* **NordLayer**: Select **email** claim.

**If you want to use SSO with only UPN**:

* **Entra ID**: Grant **profile** permission, go into **Token configuration**, click **Add optional claim**, select **Token type ID**, select **upn** and click **Add**.
* **NordLayer**: Select **UPN** claim.

**If you want to use SSO with both email and UPN**:

* **Entra ID**: Grant **profile** permission, go into **Token configuration**, click **Add optional claim**, select **Token type ID**, select **upn** and click **Add**.
* **NordLayer**: Select **UPN** and **email** claims.
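
One way to confirm the two sides match after a test sign-in, as an added example that is not NordLayer's or Microsoft's code: decode the ID token Entra ID issued and compare its identity claims with the ones selected in NordLayer. It assumes the claims appear in the token under the names `email` and `upn`; the sample token is constructed and all function names are hypothetical.

```python
import base64
import json

IDENTITY_CLAIMS = {"email", "upn"}  # the two claims this page discusses


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token: str) -> dict:
    """Return a compact JWT's claims WITHOUT verifying the signature.
    For inspecting your own test sign-in only; never authorize on these."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(payload, dict):
        raise ValueError("JWT payload is not a JSON object")
    return payload


def check_claims(id_token: str, selected: set) -> dict:
    """Compare identity claims in the token with those selected in NordLayer."""
    unknown = selected - IDENTITY_CLAIMS
    if unknown:
        raise ValueError(f"unsupported claim selection: {sorted(unknown)}")
    payload = decode_payload(id_token)
    present = {c for c in IDENTITY_CLAIMS if payload.get(c)}
    return {
        "missing": sorted(selected - present),     # selected but not sent
        "unselected": sorted(present - selected),  # sent but not selected
        "match": present == selected,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


if __name__ == "__main__":
    # Constructed case: token carries email and upn, only email is selected.
    token = make_sample_token({"email": "a@example.com", "upn": "a@example.com"})
    print(check_claims(token, {"email"}))
```

A non-empty `unselected` list is the mismatch described above: the token carries a claim that was not selected on the NordLayer side.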

### Enabling authentication

1. In the **Authentication** section, click **Add a platform** and choose **Web**.
2. Enter the **Redirect URL**:
   ```
   https://auth.nordlayer.com/v1/tokens/oauth/resolution
   ```
   (*optional: check Access/ID tokens under Implicit grant*), then save the changes by clicking **Configure** at the bottom.
3. In the **Overview** section, copy and securely store the **Application (client) ID** and **Directory (Tenant) ID**.
4. Under **Certificates & secrets**, select **Client secrets** and click **New client secret**. Then, save the **Generated Client Secret Value** (shown only once).

### Configure Entra ID (Azure AD) on NordLayer

1. Log in to the **NordLayer Control Panel**, go to **Settings**, and select [Login methods](https://cp.nordlayer.com/settings/login-methods/).
2. Choose **Entra ID (Azure AD)**.
3. Enter the three values collected from Entra ID:
   * Application (client) ID
   * Directory (Tenant) ID
   * Generated Client Secret Value

   ![Settings - Login methods - Entra ID.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Settings%20-%20Login%20methods%20-%20Entra%20ID.png)

4. Submit the information to enable SSO by clicking **Save**.

:::(Info) (Note)

* You can update your claims at any time without disabling SSO.
* If both **UPN** and **Email** claims are selected, the system will read both during the SSO process and attempt to match a member with either claim. The first match found will be used to log in.
* We recommend including UPNs in your selection, especially if Azure provisioning is used.
* Multiple SSO methods can be enabled.
* You can remove email & password authentication, leaving SSO as the sole login option.

:::

Other available SSO providers include Google, JumpCloud, Okta, and OneLogin. You can set them up in the Control Panel by following these guides:

* [Google SSO 3rd party authentication](https://help.nordlayer.com/docs/google-3rd-party-authentication)
* [JumpCloud 3rd party authentication](https://help.nordlayer.com/docs/jumpcloud-3rd-party-authentication)
* [Okta 3rd party authentication](https://help.nordlayer.com/docs/okta-3rd-party-authentication)
* [OneLogin 3rd party authentication](https://help.nordlayer.com/docs/sso-onelogin-3rd-party-authentication)


* * *


**Note**: In case you have any questions or are experiencing any issues, please feel free to contact our [24/7 customer support team](/docs/how-do-i-contact-nordlayer-customer-support).
