BeanLogin Integration with Azure AD


Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. Azure AD helps your employees sign in and access resources in: … Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization. This guide details the necessary steps to establish SSO for Azure AD using BeanLogin.

The guide assumes that you already have an existing Azure AD subscription.

SSO Configuration in BeanLogin

Below are the steps involved in configuration of Azure AD within BeanLogin.

Create As Password-Vault App | Create As SAML App | User Provisioning Supported
Supported | Supported | Supported

  1. Log in to BeanLogin as an Administrator.
  2. Navigate to Administration >> Access Management >> Corporate Apps.
  3. Click New.
  4. Select Azure AD from the list of apps and click it. You are given the option to add it as a password-vault or SAML app; select the appropriate option and click Add Selected Apps. The app is added under the corporate section with its status set to inactive.
  5. In Corporate Apps, click the Azure AD app; it opens in edit mode.
  6. Enter your domain name and provide your global admin credentials in the authentication section.
  7. If you want to enable SSO on the Azure AD side through BeanLogin, select the Is SSO Enabled? checkbox.
  8. On the last step, if you want the provisioning feature, set the Enable Provisioning flag. A user added in BeanLogin is then created in Azure AD, provided the specific group is assigned.

SSO Configuration in Azure AD


  1. Microsoft requires the use of PowerShell commands to enable SSO for Azure AD. That being said, any user who has a basic understanding of the command prompt on Windows systems should be able to execute the steps detailed in this section.
  2. A Windows machine, preferably Windows 8 or above, or Windows 2012 or above.
  3. Download and install PackageManager for PowerShell from the link below:


Enable SSO

  1. Open PowerShell as an Administrator.
  2. Install the Microsoft Online module by executing the command below.
      Install-Module -Name MSOnline
  3. Enter the Microsoft O365 Global Administrator credentials. When you run the command below, enter the Azure AD Global Administrator credentials in the pop-up.
      $cred = Get-Credential
  4. Connect to the Microsoft Online Service using the credentials supplied.
      Connect-MsolService -Credential $cred
  5. Enter the domain for which you want to enable SSO.
      $dom = "contoso.com"
  6. Enter the BeanLogin SSO Login endpoint URL. Replace the <guid> with the Entity ID value from Step #4 in the previous section.
      $url = "https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid>"
  7. Enter the BeanLogin Logout endpoint URL.
      $logouturl = "https://portal.beanlogin.com/Federation/SAML2SLO.aspx"
  8. Enter the BeanLogin Issuer URI. Replace the <guid> with the Entity ID value from Step #4 in the previous section.
      $uri = "urn:federation:beanlogin:<guid>"
  9. Enter the BeanLogin token signing cert.
      $cert = "<BeanLogin token signing certificate>"
  10. Run the below command to enable SSO in Azure AD. Please note that it may take up to an hour for SSO to get enabled on the Azure AD side.
      Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
  11. Run the below command to disable SSO in Azure AD.
      Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Managed
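
Before running the Set-MsolDomainAuthentication command that enables SSO, the values assigned to $url, $logouturl, $uri and $cert can be checked offline. The following is an added example, not part of the BeanLogin documentation; Test-FederationInput is a hypothetical helper name and the sample values passed to it are constructed.

```powershell
# Added example: pre-flight validation of the federation parameters.
# Test-FederationInput is a hypothetical helper, not a BeanLogin or MSOnline cmdlet.
function Test-FederationInput {
    param(
        [string]$Url,
        [string]$LogoutUrl,
        [string]$Uri,
        [string]$Cert
    )
    $issues = @()

    # An unreplaced <guid> placeholder would federate the domain to the wrong IdP entry.
    foreach ($v in @($Url, $Uri)) {
        if ($v -match '<guid>') { $issues += "Placeholder <guid> not replaced in: $v" }
    }

    # Both endpoints carry authentication traffic and must be absolute HTTPS URLs.
    foreach ($u in @($Url, $LogoutUrl)) {
        $parsed = $null
        if (-not [System.Uri]::TryCreate($u, [System.UriKind]::Absolute, [ref]$parsed) -or
            $parsed.Scheme -ne 'https') {
            $issues += "Not an absolute HTTPS URL: $u"
        }
    }

    # The signing certificate must decode as X.509 and be inside its validity window,
    # because Azure AD will trust every assertion signed with the matching key.
    try {
        $bytes = [System.Convert]::FromBase64String($Cert.Trim())
        $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
        $now   = Get-Date
        if ($now -lt $x509.NotBefore -or $now -gt $x509.NotAfter) {
            $issues += "Signing certificate outside validity period (NotAfter: $($x509.NotAfter))"
        }
    } catch {
        $issues += "Signing certificate is not base64-encoded X.509: $($_.Exception.Message)"
    }
    return ,$issues
}

# Constructed sample: the template values with placeholders left in and a bogus certificate.
$issues = Test-FederationInput `
    -Url 'https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid>' `
    -LogoutUrl 'https://portal.beanlogin.com/Federation/SAML2SLO.aspx' `
    -Uri 'urn:federation:beanlogin:<guid>' `
    -Cert 'not-a-certificate'
$issues | ForEach-Object { Write-Warning $_ }
```

Once the change has been applied, Get-MsolDomainFederationSettings -DomainName $dom returns the stored IssuerUri, PassiveLogOnUri, LogOffUri and SigningCertificate, which can be compared against the values you intended to set.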

Add New Users in Azure AD

Provisioning new users in Azure AD involves two steps.

  1. Add the new user.
      New-MsolUser -UserPrincipalName jdoe@contoso.com -ImmutableId jdoe@contoso.com -DisplayName "John Doe" -FirstName John -LastName Doe -AlternateEmailAddresses "john.doe@gmail.com" -UsageLocation US
  2. Assign a license to the newly created user.
      Set-MsolUserLicense -UserPrincipalName jdoe@contoso.com -AddLicenses contoso:O365_BUSINESS_PREMIUM

Federation Worksheet

The table below contains the parameters that you need to keep handy before you configure SSO.

$dom
    This is your domain. Ex: contoso.com. Please note that the status of the domain must be "Verified" prior to enabling SSO on the Office 365 side.
$url
    https://portal.beanlogin.com/Federation/SAML2SSO.aspx?idpid=<guid>
    This is the SSO Login endpoint of BeanLogin. Replace the <guid> with the guid assigned to your Organization.
$logouturl
    https://portal.beanlogin.com/Federation/SAML2SLO.aspx
    This is the Logout endpoint of BeanLogin.
$uri
    urn:federation:beanlogin:<guid>
    This is the Issuer URI unique to your Organization. Replace the <guid> with the guid assigned to your Organization.

Provisioning Configuration in BeanLogin

You can enable provisioning from two places:

  1. From the Corporate App edit screen, where the last step is Provisioning.
  2. From the Identity Management -> Endpoint Provisioning section.

For Office 365, you only have to provide your Global admin credentials in the provisioning section.

Based on the specific group selection and the app and provisioning status, the user is created on the Azure AD side.

You can also assign the license from the BeanLogin screen.
