Microsoft Azure Portal Single Sign-On (SSO) integration

This topic contains procedures to configure AppName for Single Sign-On (SSO) in CyberArk Identity using WS-Fed..

With CyberArk Identity, you can choose single-sign-on (SSO) access to the Microsoft Azure Portal web application with IdP-initiated WS-Fed SSO (for SSO access through the Identity User Portal) or SP-initiated WS-Fed SSO (for SSO access through the Microsoft Azure Portal web application), or both. Providing both methods gives you and your users maximum flexibility.

Supported features

This application template supports the following features:

  • SP-initiated SSO

  • IDP-initiated SSO

  • Microsoft WS-Fed user provisioning

  • Role-to-Microsoft 365 License Mapping

Before you begin

Before you configure the Microsoft Azure Portal application for SSO, you need the following:

  • Create a Microsoft 365 account.

  • Create and verify a domain in Microsoft 365.

Prepare Microsoft 365 for single sign-on

This section applies to you if you are creating a new Microsoft 365 account, or if your Microsoft 365 accounts aren’t already federated using ADFS or another identity provider

Before you configure Microsoft 365 for SSO, you need to add your custom domain, get the domain verified, and add your Microsoft 365 user accounts. Use the Microsoft 365 administrative portal to perform these tasks.

Step 1: Create and verify a custom domain for use with Microsoft 365

In order to use SSO with Microsoft 365, you need a unique Microsoft 365 domain. This domain must be an externally accessible domain that resolves to an IP address that belongs to your organization. The IP address must be routable to the server where the you’ve installed the connectors (and the Microsoft Directory Synchronization tool, if you’re still using it). Your Microsoft 365 domain must also be different than the one provided by Microsoft with the domain.

Expect that the process of creating and verifying a domain may take anywhere from a day to a week or so to complete, depending on the time it takes to register a domain with a domain provider, editing the DNS entries to verify ownership, and having Microsoft verify the domain ownership. See the following Microsoft documentation for instructions.

Add and verify your domain:

Get DNS text records from Microsoft 365 for domain verification:

Set a default domain:

Set up directory synchronization:

Configure the AppName application template in the Identity Administration portal

The following procedure describes the steps in the Identity Administration portal needed to configure the AppName application template for SSO.

Step 1: Add the AppName web application template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

    Add a web app screen

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Settings page

    Though CyberArk continues to support basic authentication with Microsoft Azure Portal, for various security reasons listed in the Microsoft article,CyberArk strongly recommends that you migrate to the more modern and secure token-based authentication.

    The domain that the administrator uses for basic authentication in the Application Settings does not appear in the Microsoft 365 domains list. For basic authentication, use a domain that is different from the one being enabled for SSO with Microsoft Azure Portal.

Step 3: Federate your Office 365 domain

Step 4: Configure the Permissions page to grant AppName users SSO access

Grant SSO access to AppName by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 5: Configure the Provisioning page

  1. Select Enable provisioning for this application.

  2. Under Objects to provision, select Enable Hybrid Exchange Support if required.

UnderSync Options, specify how to handle duplicate accounts.

Duplicate accounts are identified when a user account in CyberArk Identity and in the target application have the same email address or Active Directory userPrincipalName.


  • Sync (overwrite): Update account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).

  • Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.

  • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.

  • Select Deprovision users in this application when they are disabled in source directory to enable the feature.

    If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.

  1. Provide necessary role mappings as shown in the image below.

    Microsoft License provisioning might take some time to reflect at the Microsoft 365 portal. SP and IDP authentication will work once the provision is successful and the user has proper licenses.
    You can select Role and ignore license as you can access Microsoft Azure without Microsoft 365 license.

Step 6: Review and save

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.