How can I provision users from Microsoft Azure to MetaAccess?

MetaAccess offers an integration with a 3rd-party Single Sign-on Service (SSO). This enables an account to provision new users to manage your account. When a user logs into the MetaAccess console through your own SSO service, MetaAccess will provision that user as a read-only user on your account. You can update the user's role later.

MetaAccess uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0), so that you can integrate easily with any large identity provider that supports SAML 2.0.

To get started, log into Azure Portal and create an application for MetaAccess. Details can be found here

1. Log into Azure Portal as an administrator

2. Navigate to Azure Active Directory > Enterprise applications

3. Click the + New Application


4. select Non-gallery application


5. Enter Application name, for example MetaAccess

6. Under the Getting Started section, select 2. Set up Single sign on


7. Click Edit icon ( images/download/thumbnails/6216918/Screen_Shot_2020-02-11_at_3.32.34_PM.png ) on Basic SAML Configuration. Enter as a placeholder for all parameters. Click Save.


8. Click Edit icon ( images/download/thumbnails/6216918/Screen_Shot_2020-02-11_at_3.32.34_PM.png ) on User Attributes & Claims: configure Unique User Identifier (Name ID) format as EmailFormat and its value as a user's email by clicking on that claim and choose its format as email address and source attribute as user.mail or user.localprinciplename



9. On SAML Signing Certificate section, you can now download the IdP configuration xml file by downloading Federation Metadata XML (for example, azure.xml). You can use this file to import to MetaAccess


Configure Microsoft Azure on MetaAccess:

10. Log into the MetaAccess console with an admin permission

11. Navigate to User management > SSO

12. On Control tab, enable "Enable Single Sign On" checkbox

13. Enter an IdP Name, for example: Azure

14. Click Choose File to import the identity provider metadata you got earlier in step #9 . Select the file you saved in step #10, Azure.xml. If the file is valid then IdP certificate, Issuer, and IdP SSO URL will pop up. Click SAVE

15. After you save your changes successfully, MetaAccess generates a MetaAccess Login URL. Copy this URL to import to Microsoft Azure


Update MetaAccess app on Microsoft Azure

16. Switch to Azure Portal

17. Navigate to the application you created earlier, MetaAccess, click Edit icon on Basic SAML Configuration. Replace value of Reply URL (Assertion Consumer Service URL) and Relay State with the MetaAccess Login URL you copied in step 15 then click Save.


DONE. Now you need to assign people/groups who can access MetaAccess on Microsoft Azure and test the configuration. Check out our FAQ if you get an error when a user logs into MetaAccess

If You couldn't import the identity provider information from the IdP metadata file, you can get information from the Set up instruction page of the app and copy IdP certificate, Issuer, and IdP SSO URL to the MetaAccess console