Setting Up Microsoft Entra SSO
Overview
Microsoft Entra ID Single Sign-On (SSO) enables your users to sign in to Learn Amp using their existing Microsoft credentials. If your organisation already uses Microsoft Entra ID for identity management, this integration provides a seamless, secure login experience without requiring separate Learn Amp passwords.
Functionality Breakdown
With Microsoft Entra SSO enabled:
Seamless authentication – Users sign in with their existing Microsoft Entra ID credentials
Secure login – Authentication uses OpenID Connect, an enterprise-grade security protocol
Quick access – No need to remember a separate Learn Amp password
Flexible setup – Can be used alongside email/password login or as the sole authentication method
Works with User Provisioning – Can be combined with Microsoft Entra ID User Provisioning for complete identity management
Pre-requisites
| Requirement | Details |
|---|---|
| Microsoft Entra ID Admin Access | Administrator-level access to your Microsoft Entra ID tenant to grant permissions |
| Learn Amp Admin Access | Owner or Admin role in Learn Amp during setup |
| Microsoft Entra ID Tenant ID | Your organisation's unique Microsoft Entra ID identifier |
| Existing User Accounts | Users must have Learn Amp accounts before they can use SSO |
Role Requirements
| Platform | Role Required |
|---|---|
| Learn Amp | Owner or Admin |
| Microsoft Entra ID | Administrator (to grant admin consent) |
⚠️ Important: SSO only authenticates existing users. Users without Learn Amp accounts cannot sign in until their account is created. We recommend combining SSO with User Provisioning or sFTP imports to automate account creation.
Quick Start Guide
From the Learn Amp homepage, click the Settings cog in the left-hand navigation
Select Integrations
Find Microsoft Entra ID (SSO) and click Configure
Enter your Microsoft Entra ID Tenant ID
Grant admin consent to allow Learn Amp to authenticate users
Once permissions are granted, all users in your Microsoft Entra ID tenant with corresponding Learn Amp accounts can sign in
How Authentication Works
Learn Amp authenticates users against Microsoft Entra ID using OpenID Connect:
User visits your Learn Amp homepage
User clicks "Login with Microsoft"
User is redirected to Microsoft's login page
After successful authentication, user is redirected back to Learn Amp
Learn Amp matches the Microsoft Entra ID UserPrincipalName (UPN) to the user's Learn Amp email
Note: The user's Learn Amp email must match their Microsoft Entra ID UserPrincipalName for authentication to succeed.
Known Limitations
User Accounts Required
SSO only authenticates existing users. Any users in your Microsoft Entra ID who don't have Learn Amp accounts will not be able to sign in until their account is created. Options for account creation:
Microsoft Entra ID User Provisioning (automatic)
sFTP import (scheduled)
Manual creation or CSV import
Single Tenant
Learn Amp's SSO integration connects to a single Microsoft Entra ID tenant per subdomain. Organisations with multiple Microsoft Entra ID tenants may need additional Learn Amp subdomains.
Email Matching
Learn Amp authenticates users by matching the UserPrincipalName (UPN) field in Microsoft Entra ID to the email address in Learn Amp. If you need to use a different field (such as the mail field), contact your Implementation Coach.
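The login-time rules described under How Authentication Works and Known Limitations (single tenant, existing account required, UPN-to-email match), written out as an added Python example that is not Learn Amp's own code. It assumes the ID token has already been verified by an OpenID Connect library, that the UPN arrives in the `preferred_username` or optional `upn` claim, and that the comparison is case-insensitive; the tenant ID and accounts are constructed placeholders.

```python
# Added illustration, not Learn Amp's implementation.
# Assumes signature, audience, expiry and nonce checks on the ID token were
# already done by an OpenID Connect library; only the page's rules are shown.

CONFIGURED_TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder tenant ID

# Constructed sample of existing Learn Amp accounts, keyed by email.
ACCOUNTS = {"ada@example.com": "user-1", "grace@example.com": "user-2"}


def sso_decision(claims, tenant_id=CONFIGURED_TENANT, accounts=ACCOUNTS):
    """Return (allowed, detail) for a set of already-verified ID token claims."""
    # Single tenant: the tid claim and the issuer must both name the
    # configured tenant, otherwise the sign-in is rejected.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("tid") != tenant_id or claims.get("iss") != expected_iss:
        return False, "wrong_tenant"

    # Email matching: the UPN is the lookup key. Other claims, such as
    # "email", are deliberately ignored.
    upn = claims.get("preferred_username") or claims.get("upn")
    if not upn:
        return False, "no_upn"

    # Accounts required: nothing is created at login time.
    # Case-insensitive comparison is an assumption of this sketch.
    by_email = {email.lower(): uid for email, uid in accounts.items()}
    user_id = by_email.get(upn.strip().lower())
    if user_id is None:
        return False, "no_matching_account"
    return True, user_id


if __name__ == "__main__":
    iss = f"https://login.microsoftonline.com/{CONFIGURED_TENANT}/v2.0"
    samples = [  # constructed claim sets
        {"tid": CONFIGURED_TENANT, "iss": iss, "preferred_username": "Ada@Example.com"},
        {"tid": "another-tenant", "iss": iss, "preferred_username": "ada@example.com"},
        {"tid": CONFIGURED_TENANT, "iss": iss,
         "preferred_username": "ada@corp.example", "email": "ada@example.com"},
    ]
    for claims in samples:
        print(claims["preferred_username"], sso_decision(claims))
```

The third sample is the case the Email Matching section warns about: the account's address matches the `email` claim but not the UPN, so the sign-in is refused.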
FAQs
Q: Can I use SSO alongside email/password login?
Yes. You can enable Microsoft Entra SSO while still allowing other users to access Learn Amp using email and password.
Q: What authentication protocol does Learn Amp use?
Learn Amp uses OpenID Connect (built on OAuth2) to authenticate users against Microsoft Entra ID.
Q: Can I connect multiple Microsoft Entra ID tenants?
No. Learn Amp connects to a single Microsoft Entra ID tenant per subdomain. Organisations with multiple tenants may need additional subdomains.
Q: Do users need to be in a specific Microsoft Entra ID group to use SSO?
No. SSO authentication is available to all users in your Microsoft Entra ID tenant who have a corresponding Learn Amp account. Group-based access control is handled by the User Provisioning integration.
Q: What data does Learn Amp store?
Learn Amp stores your Tenant ID in an encrypted field within the production database. It is not stored in any downloadable format.
Q: Can I use SSO without User Provisioning?
Yes. You can enable SSO independently, but you'll need to create user accounts through another method (manual creation, CSV import, or sFTP).
Q: Can I also use User Provisioning?
Yes. Learn Amp can integrate with Microsoft Entra ID for both SSO and User Provisioning. See the User Provisioning article for details.
Q: What if a user's email doesn't match their UPN?
Authentication will fail. Ensure user accounts in Learn Amp are created with email addresses matching the UserPrincipalName field in Microsoft Entra ID. If you need to use the mail field instead, contact your Implementation Coach.
Troubleshooting
| Issue | Solution |
|---|---|
| User can't sign in with SSO | Verify the user has a Learn Amp account and their email matches their Microsoft Entra ID UserPrincipalName (UPN). |
| "Login with Microsoft" button not appearing | Ensure the SSO integration is enabled and configured in Learn Amp settings. |
| Admin consent failing | Verify you have administrator-level access to the Microsoft Entra ID tenant. |
| Old deep links not working | Update links from the old OAuth URL format to your Learn Amp homepage (https://[yoursubdomain].learnamp.com). The auth flow now requires a POST request from the homepage. |
| Users from wrong tenant trying to log in | SSO only works for users in the configured Microsoft Entra ID tenant. Users from other tenants need accounts on separate subdomains. |
Last Reviewed: 27/11/2025