Setup Microsoft 365 Single Sign-On (SSO)

This article will provide a walkthrough on activating Microsoft single sign-on in the multi-tenant side of the bvoip phone system.

Updated at April 25th, 2024

Required Access Notice

To enable the Microsoft Single Sign-on function, you must have one of the following roles in Microsoft 365:

  • Global Administrator
  • Privileged Role Administrator

If you do not have one of these roles, please contact your IT team for assistance.

Setting up Microsoft SSO 

Starting from the login page, bvoip enables customers to use their Microsoft 365/Entra ID tenant as their authentication provider. This greatly simplifies the login process, and users do not need to remember a separate password or MFA code.

The steps in this article will cover setting up Microsoft SSO for all phone system users in a multi-tenant capacity. 

Azure AD is now Entra ID

Although our documentation may still mention Azure Active Directory, Microsoft has rebranded this product as Entra ID. As a result, these terms are used interchangeably throughout the knowledgebase.

Entra Side Setup

  1. Go to your Entra Admin portal. This is the Identity option under Admin centers in the Microsoft 365 Admin Portal. If you can't see it, you may need to click Show All first.
  2. On the left under Identity go to Applications > App registrations.
  3. In the top left click on New registration.
  4. In the Name field, input the desired name. This may appear to end users who log in via SSO.
  5. Under Supported account types, select the Accounts in any organizational directory only (Any Microsoft Entra ID tenant - Multitenant) option.
  6. Under the Redirect URI section, select the Single-page application (SPA) option from the drop-down menu.
  7. In the URI field, enter https://mtp.bvoip.net/users as the URL.
  8. Click on the Register button.
  9. You'll be brought to the main application page. Under the Essentials section, copy down the Application (client) ID and Directory (tenant) ID values.
  10. Open up your bvoip Control admin panel, go to System > Microsoft 365, and then click + Add Account.
  11. Enter an Alias and the two ID values copied above, then keep this window open, ideally side by side with the Entra ID page.
  12. Back in Entra ID, go to Authentication.
  13. Click the Add URI option 11 times, then copy and paste ALL 12 of the Redirect URIs from the Control portal into the Entra ID portal.
    • NOTE: Your subdomain will differ, so compared to the image below, the top 6 links will be the same but the bottom 6 will not.
  14. Click the Save button on the Entra ID side.
  15. Go to API Permissions on the left.
  16. Click on the Add a Permission button. The Requested API Permissions side screen will appear.
  17. Select the Microsoft Graph option.
  18. Click on Application Permissions.
  19. Under the User permissions, select User.Read.All.
  20. Click on the Add Permissions button.
  21. Click on the Grant admin consent for... button. The Grant Consent Confirmation pop-up will appear.
  22. Click on the Yes button.
  23. Go to Certificates & Secrets.
  24. Click on the New client secret button.
  25. In the Description text box, input a description. 
  26. In the Expires drop-down, select the 24 months option.
  27. Click the Add button.
  28. Copy the Client Secret Value. 
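
To confirm afterwards that the registration ended up as the steps above describe, and to catch the 24-month secret before it lapses, a check like the following can be run over the JSON that Microsoft Graph returns for the application. This is an added example, not bvoip or Microsoft tooling; the tenant1.example URIs, the secret name and the 60-day warning window are constructed assumptions.

```python
from datetime import datetime, timezone

GRAPH = "00000003-0000-0000-c000-000000000000"            # Microsoft Graph appId
USER_READ_ALL = "df021288-bdef-4463-88db-98f22de89214"    # User.Read.All, application role
REQUIRED_URI = "https://mtp.bvoip.net/users"              # step 7

def audit_registration(app, now, warn_days=60):
    """Return findings for a Graph `application` object; empty list = matches the guide."""
    out = []
    if app.get("signInAudience") != "AzureADMultipleOrgs":   # step 5
        out.append("not multitenant")
    uris = app.get("spa", {}).get("redirectUris", [])        # steps 6-13
    if REQUIRED_URI not in uris:
        out.append("missing " + REQUIRED_URI)
    if len(uris) != 12:
        out.append(f"expected 12 SPA redirect URIs, found {len(uris)}")
    out += [f"non-HTTPS redirect URI {u}" for u in uris if not u.startswith("https://")]
    # type "Role" is an application permission, "Scope" a delegated one (steps 15-20)
    roles = {(r["resourceAppId"], a["id"]) for r in app.get("requiredResourceAccess", [])
             for a in r["resourceAccess"] if a["type"] == "Role"}
    if (GRAPH, USER_READ_ALL) not in roles:
        out.append("User.Read.All application permission missing")
    out += [f"extra application permission {rid} on {res}"
            for res, rid in sorted(roles - {(GRAPH, USER_READ_ALL)})]
    secrets = app.get("passwordCredentials", [])             # steps 23-28
    if not secrets:
        out.append("no client secret")
    for s in secrets:
        end = datetime.strptime(s["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days = (end.replace(tzinfo=timezone.utc) - now).days
        if days < warn_days:
            out.append(f"client secret '{s.get('displayName')}' " +
                       ("expired" if days < 0 else f"expires in {days} days"))
    return out

def sample_app():
    """Constructed sample; tenant1.example stands in for the Control portal's URIs."""
    uris = [REQUIRED_URI] + [f"https://tenant1.example/cb{i}" for i in range(11)]
    return {"signInAudience": "AzureADMultipleOrgs", "spa": {"redirectUris": uris},
            "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [
                {"id": USER_READ_ALL, "type": "Role"},
                # delegated User.Read, which the portal adds to new registrations
                {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}],
            "passwordCredentials": [{"displayName": "bvoip SSO",
                                     "endDateTime": "2026-01-26T23:29:14Z"}]}

if __name__ == "__main__":
    now = datetime(2024, 1, 27, tzinfo=timezone.utc)
    print(audit_registration(sample_app(), now) or "registration matches the guide")
```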

Activating Microsoft Single Sign-on

  1. Back in the bvoip phone system, enter your Client Secret, then click Save.
  2. If you're not in it, go back to the System > Users menu.
  3. Click on the Import Microsoft 365 users button.  
  4. A pop-up will appear to have you select the desired SSO integration.
  5. Select the desired SSO integration to import users into.
  6. In the Microsoft Users list, select the Sync User and SSO enabled checkboxes for the desired users.
  7. Click OK to import the users.

Signing In with Microsoft Single Sign-on

Once activated for your users, they will use the normal login screen for accessing the phone system. However, instead of filling out the standard username and password fields, they will be able to log in with a click of a button.

  1. Click on the Sign in with Microsoft button. A pop-up will appear with the Microsoft login prompt.
  2. Sign in with the desired Microsoft login details.

Next Steps: Bind Your New Users

New users need to be bound to an extension in one of your phone systems before they can access the Web Client and 1Stream systems. Follow the Setting User Bindings guide for more details.