Setting up Single Sign On (SSO) with Microsoft 365 / Entra

This guide walks you through the process of setting up Single Sign-On for Leave Dates using Microsoft 365/Entra.

Single Sign-On allows your staff to have one password for all their applications, eliminating the need to log on separately to different systems. 

How to configure single sign-on with Microsoft 365


Follow these steps to create the app registration:

  1. Sign in to the Entra admin center
  2. If you have access to multiple directories, click your avatar in the top right corner to Switch directory to the directory in which you want to register an application.
  3. On the left navigation menu go to Identity > Enterprise Applications
  4. Click the link in the header for Application registrations 
  5. Click + New registration.
  6. Enter Leave Dates SSO for the application name. 
  7. For who can use the application (sometimes referred to as the sign-in audience), select Accounts in this organizational directory only (single tenant).
  8. Don't enter anything for Redirect URI (optional); you'll configure one in the next section.
  9. Select Register to complete the initial app registration.
  10. When registration completes, the Azure portal displays the app registration's Overview pane, which includes its Application (client) ID. Also referred to as just client ID, this value uniquely identifies your application in the Microsoft identity platform. Copy this value; it will be used later.
  11. Under Manage, select Branding
  12. Upload the attached file as a logo
  13. Ignore the Home Page URL; this will be filled in later.
  14. Enter https://www.leavedates.com/our-terms-of-use/ as the Terms of Service
  15. Enter https://www.leavedates.com/privacy-policy/ as the Privacy Statement
  16. Copy the Publisher domain; this will be used later.
  17. Press Save
  18. Under Manage, select Certificates & secrets
  19. Select + New client secret
  20. Add a description (optional) and choose the expiry period. Make a note to renew the client secret before the expiry date.
  21. Click Add
  22. Copy the Value you just created, which is shown in the table. Be careful to select the Value rather than the Secret ID.
  23. Open a new tab in your browser and log into Leave Dates using your admin account. You will be using the Microsoft tab again later.
  24. Navigate to the Settings > Integrations page
  25. Click the Add single sign on button within the Single sign on section
  26. Select Microsoft as the Provider
  27. Provide a Company domain for the login process (e.g. https://companyname.leavedates.com). Choose something memorable and easy to type, such as companyname. It will be used later to automate the login process. You cannot change this later, so choose wisely. If you are not asked for this, you have previously entered a subdomain, and that subdomain will be used.
  28. For Tenant, paste in the value copied in step 16 above (Publisher domain). This will be similar to companyname.onmicrosoft.com
  29. For Client ID, paste in the Application (client) ID copied in step 10
  30. For Client secret, paste in the Value copied in step 22
  31. Press Add provider
  32. An entry will be added to the table, as shown below.


  33. Click the row to open the details panel.
  34. Copy the values for Login Url and Callback Url from the table and return to the Microsoft browser tab.
  35. In the Overview page, click on Add a Redirect URI
  36. Click + Add a platform
  37. Select Web and paste the Callback Url (copied in step 34) into the Redirect URIs field. Click Configure to save.
  38. Click + Add a platform
  39. Select Mobile and desktop applications, paste in the below URI, and click Configure to save.

    com.nortonfive.leavedates://callback

  40. Under Manage, select Branding
  41. Paste the Login Url (copied in step 34) as the Home Page URL
  42. Click Save
  43. The single sign on application configuration is now complete.
  44. Now you can try to log in using an Entra admin account that also has a Leave Dates user account, and consent to the Permissions requested pop-up.


  45. The Enforce SSO login option can be turned on to prevent users from using password login, and force them to use SSO login. If this option is disabled, then users will be able to use both SSO login and password login.

Further considerations


  • Users will need to be created in Leave Dates using the same email address as configured for Microsoft Entra.
  • Users will need to be invited to use Leave Dates by an admin user, and create an account in Leave Dates using the non-SSO approach (which includes creating a password). This gives them the flexibility to use password login as well if they choose. Users can only log in using SSO once an account has been created in Leave Dates.
  • Users will need to be assigned to the Leave Dates application within the Microsoft Entra Portal. Instructions on how to do this are here.
  • The Login Url link shown in the table in step 34 above can be used as a direct link for logging into Leave Dates using Single Sign On.
  • Alternatively, the user can also log in by clicking Log In on the Leave Dates website, followed by Sign in with SSO and entering the company subdomain (created in step 27 earlier).
  • Logging out from Microsoft / Azure will not log you out from Leave Dates.

Common problems

  • The most common reason the SSO setup does not work the first time is that the wrong secret value was copied in step 22. Azure gives a Secret ID and a Secret Value; it is the Secret Value that must be used.
  • The client secret created in step 20 has an expiry date. If, after some time, you find the SSO integration stops working, this is the most likely cause.
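
Added example (not part of the original guide and not Leave Dates' own code): a small pre-flight check for the two problems above, run before pasting values in steps 28-30 and again on a schedule to catch an expiring secret. The function names are hypothetical, the credential records are assumed to carry the keyId, displayName and endDateTime fields that Microsoft Graph uses for an application's passwordCredentials, and all sample values are constructed.

```python
import re
from datetime import datetime, timezone

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def check_sso_values(tenant, client_id, client_secret):
    """Return problems with the three values pasted into Leave Dates (steps 28-30)."""
    problems = []
    if "." not in tenant or "/" in tenant or "@" in tenant:
        problems.append("Tenant should be the Publisher domain")
    if not GUID.match(client_id.strip()):
        problems.append("Client ID should be the Application (client) ID, a GUID")
    if GUID.match(client_secret.strip()):
        # A GUID here means the Secret ID column was copied instead of the Value.
        problems.append("Client secret looks like the Secret ID, not the Value")
    if client_secret != client_secret.strip():
        problems.append("Client secret has leading or trailing whitespace")
    return problems

def expiring_secrets(password_credentials, now, warn_days=30):
    """Return (name, days_left) for secrets expired or expiring within warn_days."""
    flagged = []
    for cred in password_credentials:
        # Parse only the seconds-precision prefix so fractional seconds do not matter.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left <= warn_days:
            flagged.append((cred.get("displayName") or cred["keyId"], days_left))
    return sorted(flagged, key=lambda item: item[1])

# Constructed sample data: none of these identifiers or dates come from a real tenant.
SAMPLE_NOW = datetime(2025, 2, 14, tzinfo=timezone.utc)
SAMPLE_CREDS = [
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Leave Dates SSO",
     "endDateTime": "2025-03-01T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "old secret",
     "endDateTime": "2024-06-01T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000003", "displayName": "fresh secret",
     "endDateTime": "2026-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    # The third argument is a Secret ID pasted by mistake, so one problem is reported.
    print(check_sso_values("companyname.onmicrosoft.com",
                           "bbbbbbbb-0000-0000-0000-000000000000",
                           "aaaaaaaa-0000-0000-0000-000000000001"))
    print(expiring_secrets(SAMPLE_CREDS, SAMPLE_NOW))
```

The check only reports which field looks wrong and never echoes the secret itself, so its output is safe to paste into a support ticket.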

Logo to use for branding
