Single Sign-On Setup with Azure Ad

Azure Active Directory can optionally be used as an identity provider for users of a Skyjed tenant. A tenant IT administrator must register their own Azure AD app and then enter the required details in Skyjed.

A user must be invited to Skyjed to be able to login via SSO - the fact that they exist in Azure Active Directory is not enough. It is recommended to configure Single Sign On (SSO) first before inviting further users to Skyjed.

Configure Azure

  • Create an App Registration

    • Go to: Azure AD App Registrations

    • Click “+ New registration”

    • Fill out the Name. Ensure “Accounts in this organizational directory only” is selected. Under Redirect URI, select “Single-page application (SPA)” and enter your Skyjed URL followed by /login
      Eg if your users go to to access Skyjed, enter:


  • Click Register

  • Note the “Application (client) ID” and “Directory (tenant) ID” values, they must be copied into Skyjed later

  • Authentication

    • Under Authentication → Implicit grant and hybrid flows, tick “ID tokens”

    • Under Authentication → Supported account types, ensure that “Account in this organization directory only” is selected

    • Click Save

  • Token Configuration

    • Under Token configuration click “+ Add optional claim”

    • Select “ID” and then tick “email”

    • Click Add. You may be prompted to tick “Turn on the Microsoft Graph email permission…” - do so and click Add again.



Configure Skyjed

  • As a super-admin, navigate to Settings → Single Sign On

  • Turn on “Use Azure Active Directory”

  • Copy-paste the two IDs from the Azure app registration

    • They can be found on the Overview page

  • It’s recommended that the IT administrator adds their own email address to the whitelist, in case an issue with the SSO configuration results in the user being unable to log in

  • Click Save


Once Single Sign On has been turned on in Skyjed:

  • Users will no longer be able to log in with their Skyjed password, and will be authenticated with Azure AD instead

    • Unless their email or email domain has been added to the whitelist

  • When new users are invited they will no longer be required to activate their account, and the invitation email simply directs them to the /login page.

Azure Token lifetime

By default the ID token issued by Azure AD is valid for 60 minutes.

The minimum lifetime is 10 minutes, and can be configured by creating an Azure AD Policy, covered in this article: Configurable token lifetimes - Microsoft identity platform

Restricting SSO to Certain Users / Groups

  • In Azure, open Azure AD → Enterprise Applications → All Applications

  • Find the App Registration by name (note that the search field only searches on the start of the name), click on it

  • Click Properties and set “User assignment required?” to “Yes”

  • Click Users and Groups, and make the necessary changes

Reference: Restrict your Azure AD app to a set of users in an Azure AD tenant

Single Sign On From Outside of Organisation

You may wish to allow external users to login to Skyjed, for example: Skyjed’s customer success user.

Method 1: Add external user to whitelist

  • As a Skyjed super admin or admin, navigate to Settings → Single Sign On.

  • Under “Domain/Email Whitelist”, enter the email addresses or domains that you want to allow to bypass Azure AD and sign in using Skyjed as their identity provider, one per line.

    • If you enter a domain name, all email addresses @ that domain will have access.

  • Any user attempting to login with an email address that is allowed by the whitelist will not be brought to Azure to login, but will instead see a standard password input, and will use Skyjed as their identity provider.

Method 2: Add external user to Azure AD

External users can be allowed to use Sign Sign On by adding them in Azure AD. Navigate to Users, click “New Guest User”, and complete the invitation process.