Microsoft Entra ID (SSO)

Configure Azure AD single sign-on: app registration, tenant config, and Entra user sync

RPA Watch supports single sign-on (SSO) via Microsoft Entra ID (formerly Azure Active Directory). Users can sign in with their corporate Microsoft accounts instead of managing separate passwords.

Prerequisites

- A Microsoft Entra ID (Azure AD) tenant

- Administrator access to register an app in Entra ID

- Tenant Admin role in RPA Watch

Step 1: Register an Application in Entra ID

1. Go to the [Azure Portal](https://portal.azure.com) → Microsoft Entra ID → App registrations

2. Click New registration

3. Configure:

- Name: RPA Watch (or your preferred name)

- Supported account types: "Accounts in this organizational directory only" (single tenant) or "Accounts in any organizational directory" (multi-tenant)

- Redirect URI: Set to Web and enter your RPA Watch callback URL:

  https://rpawatch.com/api/v1/auth/entra/callback

4. Click Register

5. Note the Application (client) ID and Directory (tenant) ID

Step 2: Create a Client Secret

1. In the app registration, go to Certificates & secrets

2. Click New client secret

3. Set a description and expiration period

4. Click Add

5. Copy the secret value immediately — it won't be shown again

Step 3: Configure API Permissions

1. Go to API permissions

2. Click Add a permission → Microsoft Graph

3. Select Delegated permissions and add:

- User.Read — Sign in and read user profile

- openid — Sign users in

- profile — View users' basic profile

- email — View users' email address

4. Click Grant admin consent for your organization

Step 4: Configure RPA Watch

1. In RPA Watch, navigate to Tenant Settings

2. Go to the Authentication section

3. Enable Microsoft Entra ID as an authentication method

4. Enter the following:

| Field | Value |
| --- | --- |
| Entra Tenant ID | Directory (tenant) ID from step 1 |
| Client ID | Application (client) ID from step 1 |
| Client Secret | Secret value from step 2 |
| Redirect URL | Your callback URL (same as step 1) |

5. Click Save

Authentication Methods

After configuring Entra ID, you can set the allowed authentication methods:

| Option | Description |
| --- | --- |
| Local only | Users sign in with email/password only |
| Entra only | Users sign in with Microsoft only |
| Both | Users can choose either method at the login screen |

Who Can Use Entra ID

Entra ID availability depends on your tenant type:

Direct Tenants

All users at any role level can use Entra ID sign-in.

Consulting Tenants

- Tenant-level roles (Tenant Admin, Consultant): Can use Entra ID

- Account-level roles (Account Admin, Account User): Must use local authentication (email/password)

This restriction exists because consulting tenants manage multiple clients — each client's users should use local credentials for security and isolation.

Entra User Sync

You can bulk-import users from your Entra ID directory into a specific account:

1. Navigate to the account's Members page

2. Click Sync Entra Users

3. RPA Watch fetches all users from your Entra ID directory

4. New users are created automatically with the Account User role

5. Existing users (matched by email) are linked to the account

Synced properties include:

- Display name

- Email address

- Department

- Job title

Login Flow

When a user clicks "Sign in with Microsoft":

1. They are redirected to Microsoft's login page

2. After authenticating, Microsoft redirects back to RPA Watch with an authorization code

3. RPA Watch exchanges the code for user information

4. If the user exists and has an active membership, they are signed in

5. If the user doesn't exist, they need to be invited first (or synced via Entra User Sync)
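The checks behind steps 2 to 5 of this flow, as an added example rather than RPA Watch's own code: it assumes the ID token's signature has already been verified by a JWT library against the tenant's signing keys, and uses constructed placeholder IDs and a constructed membership table in place of the real tenant settings and database.

```python
import hmac
import time

# Constructed stand-ins for the Step 4 settings (placeholders, not real IDs)
CONFIG = {
    "tenant_id": "TENANT-ID-PLACEHOLDER",  # Entra Tenant ID
    "client_id": "CLIENT-ID-PLACEHOLDER",  # Client ID
}

# Constructed membership table keyed by lowercase email
MEMBERSHIPS = {
    "alice@example.com": {"active": True, "role": "Account User"},
    "bob@example.com": {"active": False, "role": "Account User"},
}


def check_state(expected, returned):
    """Step 2: the state bound to the browser session must match the callback."""
    return hmac.compare_digest(expected, returned)


def validate_claims(claims, config, now=None):
    """Step 3: accept a signature-verified ID token only for our app and tenant."""
    now = time.time() if now is None else now
    expected_iss = f"https://login.microsoftonline.com/{config['tenant_id']}/v2.0"
    checks = [
        (claims.get("aud") == config["client_id"], "aud is not our Client ID"),
        (claims.get("tid") == config["tenant_id"], "tid is not the configured tenant"),
        (claims.get("iss") == expected_iss, "unexpected issuer"),
        (claims.get("exp", 0) > now, "token expired"),
        (bool(claims.get("email")), "no email claim (email scope missing?)"),
    ]
    for ok, reason in checks:
        if not ok:
            return None, reason
    # Email is the key RPA Watch matches memberships on; normalise case
    return claims["email"].lower(), "ok"


def resolve_login(claims, config, memberships, now=None):
    """Steps 3-5: map validated claims to a membership outcome."""
    email, reason = validate_claims(claims, config, now)
    if email is None:
        return "rejected", reason
    member = memberships.get(email)
    if member is None:
        return "not_found", "invite the user or run Entra User Sync"
    if not member["active"]:
        return "inactive", "membership exists but is not active"
    return "signed_in", member["role"]
```

The `tid` and `iss` checks are what keep a multi-tenant registration from accepting accounts from an unrelated Microsoft tenant; the membership lookup is what produces the "User not found after login" and "Login works but no access" cases in the troubleshooting table.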

Troubleshooting

| Issue | Solution |
| --- | --- |
| Redirect URI mismatch | Ensure the redirect URI in Entra ID exactly matches your RPA Watch callback URL |
| Admin consent required | An Entra admin must grant consent for the API permissions |
| User not found after login | The user must have a membership in RPA Watch. Invite them or use Entra User Sync. |
| Login works but no access | Check that the user's membership is active and has the correct role |