Microsoft Entra ID sign-in (SSO) and group claims for user provisioning

To meet security requirements, Onix supports authentication with Microsoft Entra ID as an alternative to Onix account credentials. You can also use Microsoft Entra ID group claims to provision users, roles, and licenses automatically.

This article explains how to configure Microsoft Entra ID sign-in and group claims in Settings in Onix Work.

Prerequisites

To configure Microsoft Entra ID sign-in and group claims:

  • Your company has a Microsoft Entra ID tenant.
  • Users are set up in your company’s Microsoft Entra tenant.
  • You have the User provisioning with Microsoft Entra ID group claims privilege with full access.

Set up Microsoft Entra ID single sign-on (SSO)

Enable Microsoft Entra ID SSO

  1. Go to Settings > Users & Roles > Security & identity.
  2. In the General section, select Edit.
  3. Enter your company’s Microsoft Entra tenant ID > Save.

After the tenant ID is set, users can sign in using either:

  • Microsoft account (SSO), or
  • Onix account credentials (email and password).

Verify that SSO works

Ask an existing user to test the setup:

  1. Sign out of all Onix apps in the browser.
  2. Go to the Onix sign-in page and select Sign in with Microsoft.
  3. Sign in with a Microsoft account.

If the user signs in successfully, SSO is working.

Require Microsoft Entra ID sign-in

When this option is enabled, users must sign in using Microsoft Entra ID. Email and password sign-in is no longer allowed. If users enter their email on the Onix sign-in page, they are redirected automatically to sign in with their Microsoft account.

Recommendation
Verify SSO with at least one user per role before enabling this option. This reduces the risk of locking out users, including yourself.

To require Microsoft Entra ID sign-in:

  1. Go to Settings > Users & Roles > Security & identity.
  2. In the General section, select Edit.
  3. Enter your Microsoft Entra ID tenant ID (if not already set).
  4. Turn on Require Microsoft Entra ID sign-on.

Provision users with group claims from Microsoft Entra ID

User provisioning with Microsoft Entra ID group claims only works properly when your users sign in with their Microsoft accounts (SSO).

Prerequisites

To provision users with group claims from Microsoft Entra ID, you need to set up groups in your company’s Microsoft Entra tenant first. For details, see Microsoft documentation: Microsoft Entra > Manage groups.

Add Onix Work to your Microsoft Entra tenant

  1. Sign in to the Microsoft Entra admin center.
  2. Browse to Entra ID > Enterprise apps > All applications.
  3. Select New application.
  4. In the Microsoft Entra Gallery, search for and select Onix Work.
  5. Enter a name to identify the application > Select Create.

For more details, see Microsoft documentation: Microsoft Entra ID > Quickstart: Add an enterprise application.

Enable user provisioning with group claims

  1. Go to Settings > Users & Roles > Security & identity.
  2. In the General section, select Edit.
  3. Enter your company’s Microsoft Entra ID tenant ID (if not already set).
  4. Turn on Use Microsoft Entra ID group claims for user provisioning > Save.

Add and map Microsoft Entra ID groups

  1. Go to Settings > Users & Roles > Security & identity.
  2. In the Microsoft Entra ID group claims mapping section, select Add.
  3. Enter the group claim details.
     Field | Instructions
     Microsoft Entra ID group object ID | The group’s object ID from Microsoft Entra ID
     Description | Short name for the group in Onix Work
     Role | The Onix role assigned to new users in this group
     License | The Onix license assigned to new users in this group

After a group claim is added, you can edit its details and priority. Group priority determines which role and license a user receives on their first SSO sign-in if they belong to multiple groups. For example, if a user belongs to priority 1 and priority 3 groups, the role and license from priority 1 are applied.
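
To check what the priority rule above would give each user on first SSO sign-in, the following added example (not Onix code) resolves a user's Entra ID group memberships against a mapping table and flags users with no mapped group or with several mapped groups. The object IDs, role and license names, users, and the case-insensitive ID comparison are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    group_id: str      # Microsoft Entra ID group object ID
    description: str   # short name shown in Onix Work
    role: str
    license: str
    priority: int      # 1 wins over 3, as in the example above

# Constructed mapping table: object IDs, role and license names are placeholders.
MAPPINGS = [
    Mapping("00000000-0000-0000-0000-0000000000a1", "Admins", "Administrator", "Full", 1),
    Mapping("00000000-0000-0000-0000-0000000000b2", "Inspectors", "Inspector", "Standard", 2),
    Mapping("00000000-0000-0000-0000-0000000000c3", "Viewers", "Read-only", "Basic", 3),
]

# Constructed group memberships, e.g. taken from an export of your tenant.
USERS = {
    "alice@example.com": ["00000000-0000-0000-0000-0000000000A1",
                          "00000000-0000-0000-0000-0000000000c3"],
    "bob@example.com": ["00000000-0000-0000-0000-0000000000c3"],
    "carol@example.com": ["00000000-0000-0000-0000-0000000000ff"],
}

def resolve(user_groups, mappings=MAPPINGS):
    """Return (winning mapping or None, mapped groups that lost on priority)."""
    by_id = {m.group_id.lower(): m for m in mappings}   # GUIDs compared case-insensitively
    matched = {by_id[g.lower()] for g in user_groups if g.lower() in by_id}
    ranked = sorted(matched, key=lambda m: m.priority)
    return (ranked[0], ranked[1:]) if ranked else (None, [])

def audit(users, mappings=MAPPINGS):
    """Map each user to (role, license, note) so surprises show up before rollout."""
    report = {}
    for upn, groups in users.items():
        winner, shadowed = resolve(groups, mappings)
        if winner is None:
            report[upn] = (None, None, "no mapped group: nothing to provision from")
        elif shadowed:
            lost = ", ".join(f"{m.description} (priority {m.priority})" for m in shadowed)
            report[upn] = (winner.role, winner.license, f"also in: {lost}")
        else:
            report[upn] = (winner.role, winner.license, "single mapped group")
    return report

if __name__ == "__main__":
    for upn, row in audit(USERS).items():
        print(upn, row)
```

Review the "also in" rows with care: for those users, the priority order alone decides whether they receive the more or the less privileged role.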