---
title: "Microsoft Entra ID Setup (Formerly Azure AD)"
slug: "entra-id"
updated: 2025-10-29T22:58:21Z
published: 2025-10-29T22:58:21Z
canonical: "help.nucleussec.com/entra-id"
---


# Microsoft Entra ID Setup (Formerly Azure AD)

**Important:** If you are planning on enabling SSO for your Nucleus account, let your Nucleus account rep know so they can send you the relevant information required for setup on the Azure AD side. If you are setting up token encryption, inform your Nucleus support representative.

## Overview

The steps below configure single sign-on with the paid version of Azure Active Directory. This is the recommended way of setting up your Azure AD for SSO with Nucleus.

This will let your users sign in to Nucleus automatically with their Nucleus accounts. You'll also be able to control, in your Active Directory, who has access to Nucleus.

Nucleus has two options for setting up your Azure AD: based on groups or based on roles. Choose the option below that pertains to your organization:

1. Setting up Azure AD with Groups
2. Setting up Azure AD for Roles

**Optional:** Nucleus allows you to assign Nucleus roles based on a user's role or group in Azure AD so you can manage your user access from Azure. See '[Map SSO Roles](/docs/map-sso-rolesgroups-from-azure-ad-to-nucleus-role-project-combinations)' for the setup instructions for these advanced features.

You'll need an Azure AD subscription to follow the steps below. Note that these screenshots pertain to the newest Azure Portal.

## Option 1: Setting up Azure AD with Groups

Log into your office console and complete the following steps:

1. Click **Azure Active Directory** in the left-hand navigation menu of the console.

![mceclip0 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip0%20%284%29.png)

1. Click **Enterprise Applications** in the left-hand navbar OR click **Find an enterprise app** on the dashboard.

![mceclip0 4.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip0%20%285%29.png)

OR

![mceclip1 3.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip1%20%283%29.png)

1. Click + **New Application**.
2. On the "Add an application" page, click **Non-gallery application**.

![mceclip3 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip3%20%281%29.png)

1. On the following page, enter in the following information, then click **Add**:

**Name**: A name to differentiate the application in your Azure.

![mceclip4 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip4%20%281%29.png)

1. On the following page, click **Single sign-on** in the lefthand navigation menu.
2. Click on **SAML**.
3. On the following page, enter in the following information, then click **Save**:

| Field | Info |
| --- | --- |
| Identifier (Entity ID) | This is the name that AD uses to direct Nucleus login requests to the proper application. |
| Reply URL | This is the URL that you were given by your Nucleus support representative, which is specific to your Nucleus instance. If you have not yet received this URL, please send an email to support@nucleussec.com. |

![image-20200824-142825 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image-20200824-142825%20%281%29.png)

![image.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image%28195%29.png)

1. Once you have saved the Basic SAML Configuration, scroll down the page until you get to Section 3, **SAML SIGNING CERTIFICATE**
2. Do the following in this section (Section 3):

- Copy the Thumbprint: You will need to send this to your Nucleus support representative
- Download the Certificate (Base64): You will need to send this to your Nucleus representative

1. Once you have copied/downloaded the info from step 12, scroll down even further to the **Set up Application Name** section and copy the following:

- Copy the **Login URL**: You will need to send this to your Nucleus representative
- Copy the **Azure AD Identifier**: You will need to send this to your Nucleus support representative

1. Once you have all of the above, navigate to **Users and Groups** on the left-hand navbar:

![mceclip7.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip7.png)

1. Click + **Add user**
2. Add as many users or groups to the application as you would like.

**Note:** These users will all be able to log into Nucleus.

1. Once you have added your users to the application, collect all your information which you need to send to your Nucleus representative to complete the SSO setup for you. You will need the following, which can all be found in the Single sign-on tab in the lefthand navbar:

![image-20200824-142825 2.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image-20200824-142825%20%283%29.png)

- **SSO Domain**: The domain that user accounts belong to, usually the part after the @ sign.
- **Identifier (Entity ID)**: Needs to be copied
- **Thumbprint**: Needs to be copied
- **Certificate(Base64)**: Needs to be downloaded
- **Login URL**: Needs to be copied
- **Azure AD Identifier**: Needs to be copied
- **If you are using token encryption**: Affects how your Nucleus representative sets up SSO for you.

**Important: Domains are case insensitive.** Any domains provided to Nucleus as part of the Entra ID setup process should be case insensitive. For example, please use mydomain.com, not Mydomain.com.

1. (For Azure Group Mapping) If you would like to use Azure AD groups to assign and manage Nucleus roles, use the following instructions:
  1. Navigate to **All Services**, then **App registrations**.
  2. Select the application you just created, then click the **Manifest** button.
  3. In the resulting **Edit manifest** page, modify the "groupMembershipClaims" field to read: **"ApplicationGroup"**. Then click **Save**. In the manifest this will appear as:

```
"groupMembershipClaims": "ApplicationGroup",
```

**Alternate Setting Value:** If the number of groups assigned to users is not huge (under 50), the following value can also be used:

```
"groupMembershipClaims": "All",
```

1. Once you send this info to your Nucleus representative, your SSO setup should be completed within 24 hours by a Nucleus support rep, who will respond to you via email confirming that SSO is complete.
2. If you are using token encryption, you will also need to set up encryption within Azure AD:
  1. Request the `.cer` certificate file and SSO URL for token encryption from your Nucleus representative.
  2. Log into Azure AD and navigate to your application.
  3. In the navigation bar on the left, under **Security**, select **Token encryption**.
  4. Click **Import Certificate**.
  5. Select the `.cer` certificate file provided by your Nucleus representative.
  6. Click **Add**.  

![azure-ad-add-certificate.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/azure-ad-add-certificate%281%29.png)
  7. Click the button with three dots ("**...**") to the far right of the certificate in the list of certificates.
  8. From the menu, select **Activate token encryption certificate**.
  9. In the navigation bar on the left, under **Manage**, select **Single sign-on**.
  10. Under **Basic SAML Configuration**, confirm the **Reply URL (Assertion Consumer Service URL)** includes the parameter "`?sso=`", which is required for token encryption. If the URL doesn't contain that parameter:
    1. Click the **Edit** button.
    2. In the **Reply URL (Assertion Consumer Service URL)** field, enter the new URL provided by your Nucleus representative in step **a**.
    3. Click **Save** at the top.  

![azure-ad-encrypted-sso-url.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/azure-ad-encrypted-sso-url%281%29.png)
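
A pre-send check over the values collected in the steps above, as an added example that is not Nucleus or Microsoft code. The dictionary keys, sample URLs and placeholder certificate bytes are constructed for illustration, and it assumes the portal's Thumbprint is the SHA-1 hash of the decoded certificate.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlparse

REQUIRED = ("sso_domain", "entity_id", "thumbprint", "certificate_base64",
            "login_url", "azure_ad_identifier")

def thumbprint_from_base64_cert(cert_text):
    """Upper-case hex SHA-1 of the decoded bytes of a Base64 certificate file."""
    lines = (line.strip() for line in cert_text.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body, validate=True)).hexdigest().upper()

def normalise_thumbprint(value):
    """Drop colons and spaces so a pasted thumbprint compares cleanly."""
    return value.replace(":", "").replace(" ", "").upper()

def check_sso_bundle(bundle):
    """Return a list of problems in the values collected for the Nucleus rep."""
    problems = [f"missing value: {name}" for name in REQUIRED if not bundle.get(name)]
    domain = bundle.get("sso_domain", "")
    if domain != domain.lower():
        problems.append("SSO Domain should be lowercase, e.g. mydomain.com")
    cert, thumb = bundle.get("certificate_base64"), bundle.get("thumbprint")
    if cert and thumb and thumbprint_from_base64_cert(cert) != normalise_thumbprint(thumb):
        problems.append("Thumbprint does not match the downloaded certificate")
    if bundle.get("token_encryption"):
        query = parse_qs(urlparse(bundle.get("reply_url", "")).query,
                         keep_blank_values=True)
        if "sso" not in query:
            problems.append("Reply URL lacks the ?sso= parameter for token encryption")
    return problems

# Constructed sample values; the certificate body is placeholder bytes, not real X.509.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed placeholder, not a real cert").decode()
               + "\n-----END CERTIFICATE-----\n")
GOOD = {"sso_domain": "mydomain.com", "entity_id": "nucleus-sso",
        "thumbprint": thumbprint_from_base64_cert(SAMPLE_CERT),
        "certificate_base64": SAMPLE_CERT,
        "login_url": "https://login.example.invalid/saml2",
        "azure_ad_identifier": "https://sts.example.invalid/tenant-placeholder/",
        "token_encryption": True,
        "reply_url": "https://nucleus.example.invalid/acs?sso=placeholder"}
BAD = dict(GOOD, sso_domain="Mydomain.com", thumbprint="00" * 20,
           reply_url="https://nucleus.example.invalid/acs")

if __name__ == "__main__":
    for name, bundle in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_sso_bundle(bundle) or "ok")
```
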

## Option 2: Setting up Azure AD for Roles

Log into your Office Admin console and complete the following steps:

1. Click **Azure Active Directory** in the left-hand navigation menu of the console.

![mceclip0 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip0%20%287%29.png)

1. Click **Enterprise Applications** in the left-hand navbar OR click **Find an enterprise app** on the dashboard.

![mceclip0 4.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip0%20%288%29.png)

OR

![mceclip1 3.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip1%20%285%29.png)

1. Click + **New Application**.

![mceclip2 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip2%20%282%29.png)

1. On the "Add an application" page, click **Non-gallery application**.

![mceclip3 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip3%20%282%29.png)

1. On the following page, enter in the following information, then click **Add**:

**Name**: A name to differentiate the application in your Azure.

![mceclip4 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip4%20%282%29.png)

1. On the following page, click **Single sign-on**  in the lefthand navigation menu.

![mceclip5 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip5%20%281%29.png)

1. Click on **SAML**.
2. On the following page, enter in the following information, then click **Save**:

| Field | Info |
| --- | --- |
| Identifier (Entity ID) | This is the name that AD uses to direct Nucleus login requests to the proper application. |
| Reply URL | This is the URL that you were given by your Nucleus support representative, which is specific to your Nucleus instance. If you have not yet received this URL, please send an email to support@nucleussec.com. |

![mceclip0 5.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip0%20%2810%29.png)

1. If you would like to use Azure AD roles to assign Nucleus roles, use the following instructions:
  1. Navigate to **All Services**, then **App registrations**.
  2. Select the application you just created, then click the **Manifest** button.
  3. In the resulting **Edit manifest** page, modify the "groupMembershipClaims" field to read: **"All"**. Then click **Save**.
  4. Create your roles in the manifest for the enterprise app you just created using the following resource (section 6h): https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management
    - Once you have completed section h, please click **Save** on the manifest.
    - Close the Microsoft Help Center article.

An example manifest is shown here (Admin is the role which we created):

![mceclip1 5.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip1%20%286%29.png)

1. Once you have successfully created the roles for the enterprise application, navigate to **Enterprise Applications > Nucleus Application you just created > Single Sign-on**, then scroll down the page until you get to Section 2, **User Attributes & Claims**.
2. Click on the edit (pencil) icon in Section 2, **User Attributes & Claims**.

![mceclip1 6.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip1%20%288%29.png)

1. Click **Add new claim**, then enter the following information, and click **Save**:

- **Name:** role
- **Source attribute:** user.assignedroles

![mceclip0 6.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip0%20%2811%29.png)

1. Once you have saved the Basic SAML Configuration, scroll down the page until you get to Section 3, **SAML SIGNING CERTIFICATE**
2. Do the following in this section:

- **Copy the Thumbprint:** You will need to send this to your Nucleus support representative
- **Download the Certificate (Base64):** You will need to send this to your Nucleus representative

1. Once you have copied/downloaded the info from step 12, scroll down even further to the **Set up Application Name** and copy the following:

- **Copy the Login URL:** You will need to send this to your Nucleus representative
- **Copy the Azure AD Identifier:** You will need to send this to your Nucleus support representative

1. Once you have all of the above, navigate to **Users and Groups** on the left-hand navbar:

![mceclip7.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip7%281%29.png)

1. Click **+ Add user**
2. Add as many users or groups to the application as you would like.

**Note:** These users will all be able to log into Nucleus.

Select the roles for each user that you created in step 9. You can assign each group or user a role in the application from this screen. For the example we gave in step 9, you could assign a user the "Admin" role, which will be passed in the SAML response to Nucleus.

![mceclip8.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/mceclip8.png)

1. Once you have added your users to the application, collect all your information which you need to send to your Nucleus representative to complete the SSO setup for you. You will need the following, which can all be found in the Single sign-on tab in the lefthand navbar:

![image-20200824-142825 1.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/image-20200824-142825%20%282%29.png)

- **Identifier (Entity ID):** Needs to be copied
- **Thumbprint:** Needs to be copied
- **Certificate(Base64):** Needs to be downloaded
- **Login URL:** Needs to be copied
- **Azure AD Identifier:** Needs to be copied
- **If you are using token encryption**: Affects how your Nucleus representative sets up SSO for you.

1. Once you send this info to your Nucleus representative, your SSO setup should be completed within 24 hours by a Nucleus support rep, who will respond to you via email confirming that SSO is complete.
2. If you are using token encryption, you will also need to set up encryption within Azure AD:
  1. Request the `.cer` certificate file and SSO URL for token encryption from your Nucleus representative.
  2. Log into Azure AD and navigate to your application.
  3. In the navigation bar on the left, under **Security**, select **Token encryption**.
  4. Click **Import Certificate**.
  5. Select the `.cer` certificate file provided by your Nucleus representative.
  6. Click **Add**.  

![azure-ad-add-certificate.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/azure-ad-add-certificate%281%29.png)
  7. Click the button with three dots ("**...**") to the far right of the certificate in the list of certificates.
  8. From the menu, select **Activate token encryption certificate**.
  9. In the navigation bar on the left, under **Manage**, select **Single sign-on**.
  10. Under **Basic SAML Configuration**, confirm the **Reply URL (Assertion Consumer Service URL)** includes the parameter "`?sso=`", which is required for token encryption. If the URL doesn't contain that parameter:
    1. Click the **Edit** button.
    2. In the **Reply URL (Assertion Consumer Service URL)** field, enter the new URL provided by your Nucleus representative in step **a**.
    3. Click **Save** at the top.  

![azure-ad-encrypted-sso-url.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/azure-ad-encrypted-sso-url%281%29.png)

If you used AD groups or roles within your SSO setup, please refer to the [SSO Mapping Page](/v1/docs/map-sso-rolesgroups-from-azure-ad-to-nucleus-role-project-combinations) for instructions on how to map your user groups and roles from AD to Nucleus.
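
To confirm what the role and group settings above put in the SAML response, the added example below (not Nucleus or Microsoft code) reads the claims from a decoded, unencrypted assertion captured during a test sign-in. It assumes the custom claim is emitted under the name `role` as configured above and that groups arrive under Entra ID's default groups claim name; the sample assertion and group IDs are constructed, and the code inspects claims only without verifying the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "role"  # claim name configured under User Attributes & Claims
# Assumption: default Entra ID name for the groups claim.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUP_LIMIT = 50  # the page suggests "All" only when users have under 50 groups

def claims_from_assertion(xml_text):
    """Map each SAML Attribute name to its list of values."""
    claims = {}
    root = ET.fromstring(xml_text)  # use only on assertions you captured yourself
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def review_claims(claims, expected_roles):
    """Return findings about the role and group claims Nucleus would receive."""
    findings = []
    roles = claims.get(ROLE_CLAIM, [])
    if not roles:
        findings.append("no role claim in assertion")
    findings += [f"unexpected role value: {r}" for r in roles
                 if r not in expected_roles]
    if len(claims.get(GROUPS_CLAIM, [])) >= GROUP_LIMIT:
        findings.append('50 or more groups emitted; "All" is suggested only below that')
    return findings

# Constructed sample: one assigned role and two placeholder group IDs.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>group-id-placeholder-1</saml:AttributeValue>
      <saml:AttributeValue>group-id-placeholder-2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    sample_claims = claims_from_assertion(SAMPLE_ASSERTION)
    print(sample_claims[ROLE_CLAIM], review_claims(sample_claims, {"Admin"}) or "ok")
```
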
