
<span id="top"></span>

Configuring Microsoft Entra ID (Azure AD) SSO

This guide outlines the steps to configure Single Sign-On (SSO) with Microsoft Entra ID (Azure AD) for Qualified. Follow these instructions to streamline authentication for your users and enhance security.

<span id="prerequisites"></span>

Prerequisites

  1. A Microsoft Entra subscription and at least the Cloud Application Administrator role.
  2. Access to Qualified’s Enterprise Single Sign-On and the Admin user role.
  3. Your organization’s Company ID from Qualified.
  4. A basic understanding of SAML 2.0 configuration.


<span id="steps-to-configure"></span>

Steps to Configure Microsoft Entra ID SSO

Step 1: Set up in Qualified

  1. Log in to your Qualified Admin account.
  2. Navigate to Settings → Organization → Single Sign-On.
  3. Select Azure AD (SAML 2.0) from the dropdown menu.
  4. Copy your Company ID.
  5. Create your SAML Assertion Consumer Service (ACS) URL by appending your Company ID, and store it temporarily for use in a later step: https://app.qualified.com/auth/saml/[PASTE_YOUR_COMPANY_ID_HERE]

Step 2: Configure in Microsoft Entra

  1. Sign in to the Microsoft Entra admin center with at least a Cloud Application Administrator role. 
  2. Create a new enterprise app for Qualified:
    • Navigate to Identity → Applications → Enterprise applications.
    • Select New application and click Create your own application.
    • Name the app “Qualified”, select Integrate any other application you don’t find in the gallery (Non-gallery), then click Create.
  3. Once created, use the image below for the app’s logo:
  4. Assign yourself as a user for the application.
  5. Configure Single Sign-On:
    • Select SAML as the SSO method.
    • In Basic SAML Configuration, enter:
      • Identifier (Entity ID): https://app.qualified.com
      • Reply URL (ACS URL): Your custom SAML ACS URL with the Company ID from Qualified: https://app.qualified.com/auth/saml/[PASTE_YOUR_COMPANY_ID_HERE]
    • Save your configuration.
  6. Configure Attributes & Claims:
    • Delete default attributes except Unique User Identifier (Name ID).
    • Add new claims:
      • first_name: user.givenname
      • last_name: user.surname
      • saml_id: user.objectid
    • Save your configuration.
  7. Under SAML Signing Certificate, copy the App Federation Metadata URL.
Microsoft Entra documentation: Add an Enterprise Application & Create your own Application.

Step 3: Finalize SSO in Qualified

  1. Return to Settings → Organization → Single Sign-On in Qualified.
  2. Paste the App Federation Metadata URL into the required field.
  3. Click Save and then Verify Configuration to test the connection.
    • If verification fails, for example with a failed connection or mismatch errors, double-check that the metadata URL exactly matches the one provided in Microsoft Entra.
  4. Assign all existing Qualified users access to the new Qualified application in Microsoft Entra before enabling SSO (see Binding Email Process for Existing Users).
  5. When ready, click Enable single sign-on for this org.
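
If Verify Configuration reports a mismatch, the values entered in Step 2 can be compared with a decoded SAML response from a test sign-in. The Python below is an added example, not Qualified's or Microsoft's code; the function name, the sample response and EXAMPLE_COMPANY_ID are constructed for illustration, and the check does not validate the XML signature.

```python
import xml.etree.ElementTree as ET
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://app.qualified.com"              # Identifier (Entity ID) from Step 2
ACS_PREFIX = "https://app.qualified.com/auth/saml/"  # Reply URL prefix from Step 2
REQUIRED_CLAIMS = ("first_name", "last_name", "saml_id")

def check_saml_response(xml_text, company_id):
    """List mismatches between a decoded SAML response and the guide's settings.
    Configuration check only: it does not validate the XML signature."""
    root = ET.fromstring(xml_text)
    acs = ACS_PREFIX + company_id
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {acs!r}")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} lacks {ENTITY_ID!r}")
    recipients = [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient {recipients} lacks {acs!r}")
    if root.find(".//a:Subject/a:NameID", NS) is None:
        problems.append("NameID (Unique User Identifier) is missing")
    values = {e.get("Name"): e.findtext("a:AttributeValue", "", NS)
              for e in root.iterfind(".//a:Attribute", NS)}
    for claim in REQUIRED_CLAIMS:  # claim names must match the guide exactly
        if not values.get(claim, "").strip():
            problems.append(f"claim {claim!r} is missing or empty")
    return problems

# Constructed sample; EXAMPLE_COMPANY_ID and all user values are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://app.qualified.com/auth/saml/EXAMPLE_COMPANY_ID">
  <Assertion>
    <Subject><NameID>user@example.com</NameID>
      <SubjectConfirmation><SubjectConfirmationData
        Recipient="https://app.qualified.com/auth/saml/EXAMPLE_COMPANY_ID"/></SubjectConfirmation>
    </Subject>
    <Conditions><AudienceRestriction>
      <Audience>https://app.qualified.com</Audience></AudienceRestriction></Conditions>
    <AttributeStatement>
      <Attribute Name="first_name"><AttributeValue>Ada</AttributeValue></Attribute>
      <Attribute Name="last_name"><AttributeValue>Example</AttributeValue></Attribute>
      <Attribute Name="saml_id"><AttributeValue>00000000-0000-0000-0000-000000000000</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""
if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "EXAMPLE_COMPANY_ID") or "matches the guide")
```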


<span id="enable-scim-provisioning"></span>

Enable SCIM Provisioning (Optional)

SCIM provisioning automates user creation, updates, and deactivation directly from Microsoft Entra. This step is optional but highly recommended for efficient user management.

Supported Provisioning Features

The following provisioning features are supported for SSO users in Qualified:

  • Push New Users: New users created through Microsoft Entra ID will also be created in the third-party application.
    • When a user is provisioned, their name, role, phone number, email, and timezone from Azure are synced to Qualified. Further updates are limited to email and role changes only.
  • Push Profile Updates: Updates made to a user's email or role in Microsoft Entra are pushed to Qualified.
  • Push User Deactivation: Deactivating a user or disabling their access to the Qualified application in Microsoft Entra will deactivate the user in Qualified.
    • Deactivation removes login access but retains the user's information in Qualified as inactive.
  • Reactivate Users: User accounts can be reactivated in Qualified via Microsoft Entra ID.

Unsupported Provisioning Features

The following features are not supported:

  • Import Users
  • Import/Push Groups
  • Sync Password
  • Profile Sourcing

Steps to Enable SCIM Provisioning

Step 1: In Microsoft Entra, create App Roles for the Qualified application:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity → Applications → App registrations and select the Qualified application.
  3. Under Manage, select App roles and then click Create app role.
  4. In the Create app role pane, configure the following roles:
    • Display Name: Qualified Admin, Qualified Rep, Qualified Meetings
    • Allowed Member Types: Users/Groups
    • Value: admin, rep, meetings (case sensitive)
    • Description: Describe each role's function, e.g., "Qualified Admins have full access," "Reps engage in chat," etc.
    • Ensure the app role is enabled and click Apply.
Microsoft Entra documentation: Add App Roles to your Application

Step 2: In Qualified, collect your API URL and Bearer Token:

  1. Go to Settings → Organization → Single Sign-On.
  2. Toggle on SCIM Enabled.
  3. Copy the API URL and Bearer Token.

Step 3: In Microsoft Entra, complete SCIM Provisioning setup:

  1. Return to the Microsoft Entra admin center.
  2. Navigate to the Enterprise Applications section and select your Qualified app.
  3. Open the Provisioning tab.
  4. Under Admin Credentials, paste the API URL and Bearer Token from Qualified.
  5. Click Test Connection to verify the integration.
  6. Expand Mappings, and select Provision Microsoft Entra ID Users to edit the user attribute mappings.
  7. Make sure the customappsso Attribute and Microsoft Entra ID Attribute exactly match the following:
| customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
| --- | --- | --- |
| userName | userPrincipalName | 1 |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | |
| title | jobTitle | |
| name.givenName | givenName | |
| name.familyName | surname | |
| phoneNumbers[type eq "work"].value | telephoneNumber | |
| externalId | objectId | |
| roles[primary eq "True"].value | Switch(ToLower(SingleAppRoleAssignment([appRoleAssignments])), "meetings", "qualified admin", "admin", "qualified rep", "rep") | |
  8. Disable Provision Microsoft Entra ID Group mappings. Qualified does not support Group mappings at this time.
  9. Save your settings and enable Provisioning.
Microsoft Entra documentation: Configure Automatic User Provisioning & Editing User Attribute Mappings
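
The two Switch expressions in the mapping table decide what Qualified receives for active and for the role. The Python below is an added example, not Qualified's or Microsoft's code: it emulates Switch(source, default, key1, value1, ...) to show that any app role display name the expression does not recognize falls through to the default, meetings. It assumes SingleAppRoleAssignment yields the role's display name, as the keys in the page's expression imply; the function names and the keys of the user dict are hypothetical.

```python
def switch(source, default, *pairs):
    """Switch(source, default, key1, value1, ...): value of the matching key, else default."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def role_for(display_name):
    """Role value sent to Qualified for an assigned app role display name."""
    return switch(display_name.lower(), "meetings",
                  "qualified admin", "admin", "qualified rep", "rep")

def map_user(user):
    """Apply the mapping table to one Entra user (dict keys are hypothetical)."""
    return {
        "userName": user["userPrincipalName"],
        "active": switch(user["IsSoftDeleted"], "", "False", "True", "True", "False"),
        "title": user.get("jobTitle"),
        "name.givenName": user.get("givenName"),
        "name.familyName": user.get("surname"),
        'phoneNumbers[type eq "work"].value': user.get("telephoneNumber"),
        "externalId": user["objectId"],
        'roles[primary eq "True"].value': role_for(user["appRole"]),
    }

def fallthrough_roles(display_names):
    """Display names that only reach 'meetings' through the Switch default,
    for example a misspelled 'Qualified Rep'."""
    known = {"qualified admin", "qualified rep", "qualified meetings"}
    return [n for n in display_names if n.lower() not in known]

# Constructed sample user; every value is a placeholder.
SAMPLE_USER = {
    "userPrincipalName": "ada@example.com", "IsSoftDeleted": "False",
    "jobTitle": "Account Executive", "givenName": "Ada", "surname": "Example",
    "telephoneNumber": "+1 555 0100",
    "objectId": "00000000-0000-0000-0000-000000000000",
    "appRole": "Qualified Reps",  # misspelled on purpose
}

if __name__ == "__main__":
    print(map_user(SAMPLE_USER)['roles[primary eq "True"].value'])
    print(fallthrough_roles(["Qualified Admin", "Qualified Reps", "Qualified Meetings"]))
```

Running the audit over the display names configured in Step 1 before enabling provisioning catches a misspelled role that would otherwise be provisioned as meetings without any error.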

Step 4: Testing and Verification

  • Add a test user in Microsoft Entra ID and verify:
    • The user is created in Qualified with the correct attributes and role.
    • Profile updates (email and role) sync correctly.
    • Deactivating the user removes access in Qualified.


<span id="binding-email-process"></span>

Binding Email Process for Existing Users

After enabling SSO, all existing Qualified users receive an email from app@qualified.com with a unique binding link.

Users must click the link within 72 hours to bind their Qualified account to their Microsoft Account. If the binding link expires, an admin can resend it from Settings → Organization → Users.


<span id="adding-new-users"></span>

Adding New Users

With SCIM Provisioning Enabled

A Microsoft Entra user with at least a Cloud Application Administrator role will need to assign the user to the Qualified application.

Microsoft Entra documentation: Assign Users and Groups to an Application

Without SCIM Provisioning

If your company does not have SCIM Provisioning enabled, follow the steps below to add new users to Qualified:

  1. Assign Users in Microsoft Entra: A Microsoft Entra user with at least a Cloud Application Administrator role will need to assign the user to the Qualified application: Assign Users and Groups to an Application
  2. Invite Users in Qualified: Invite users from Settings → Organization → Users in Qualified: Provisioning Users in Qualified
  3. User Accepts Invite: Invited users will receive an email with a button to link their account and access Qualified.


<span id="disconnecting-sso"></span>

Disconnecting SSO

If you'd like to disconnect your company’s SSO, you can do so at any time.

  1. Go to Settings → Organization → Single Sign-On.
  2. Click Disable SSO for this Team.
  3. Users will receive an email to create a new password and log in using their email addresses.
