We've made big updates to the Help Center! All key features of Canary7 are now covered, and we're continuously refining and expanding the content.

Think we’ve missed something or could improve a section? Please let us know at Support@Canary7.com; we’re always listening.

Microsoft Entra Single Sign On (SSO)

  • Updated on Apr 17, 2026
  • Published on Oct 30, 2025
  • 3 minute(s) read
Prev Next

Single Sign On via Microsoft Entra (formally known as Microsoft Active Directory/AD) allows users to login via their work Microsoft 365 accounts.

This feature is in testing. We highly recommend you do not enable this feature at this time without first speaking to our support team.

To enable Microsoft Single Sign-On (SSO) with Canary7, you’ll need to create an application in Microsoft Entra, and configure it for use with Canary7. Follow the steps below to obtain the required credentials and permissions.

You will require Microsoft Entra access to configure applications to enable this feature.

Step 1: Create a new Application Registration

  1. Log in to the Entra admin portal (https://entra.microsoft.com/)

  2. Navigate to Microsoft Entra ID → App registrations

Create a New Registration:

For “Register an application”, enter the following fields:

  1. Enter a name of your choice (e.g., Canary7 SSO).

  2. Set Supported account types to Accounts in this organizational directory only (Single tenant).

  3. Under Redirect URI, choose Web as the platform.

  4. Enter the URL according to which environment your tenant is active in:

  1. Click ‘Register’.

App registration example

Step 2: Retrieve the Client ID and Tenant ID

After registration:

  • Open the app’s Overview page.

  • Copy the values for:

    • Application (client) ID

    • Directory (tenant) ID

You’ll need these values later for Canary7 configuration.

Step 3: Create a Client Secret

  1. Go to Certificates & secrets in the left menu.

  2. Under Client secrets, click + New client secret.

  3. Add a description (e.g., Canary7 SSO Secret).

  4. Set the expiration period (e.g., 2 years or a custom duration).

  5. Click Add.

⚠️ Client Secret

Copy the Value immediately and store it securely; it will not be visible again after you leave the page.

Step 4: Configure API Permissions

  1. Go to the API permissions tab.

  2. Click + Add a permission.

  3. Select Microsoft Graph → Delegated permissions.

  4. Add the following permissions:

  • Group.Read.All

  • Directory.Read.All

  • User.Read

  • email

  • openid

  • profile

  1. Click Add permissions.

  2. Finally, click Grant admin consent for the permissions you just added.

Step 5: Add Credentials to Canary7

Once you’ve obtained:

  • Client ID

  • Tenant ID

  • Client Secret

These credentials will need to be added to your tenant by Canary7 staff

Entra Groups Setup

You will need to configure Entra Groups for access. These can be added under Entra ID > Groups > New Group. The required group names are as detailed below.

The groups should have a group type of Microsoft 365 .

🙎🏼 Entra Groups for access

✉️ Emails when adding users to groups

Adding users to groups will (by default) send emails for each group to all the users that you add to a group. This might not be desired, however this is a Microsoft 365 setting we have no control over. You will need to disable this via Powershell scripts. This can be done globally or for specific groups.

Field

Field Type

Description

Example

C7_DEFAULT_COMPANY

Required

Default company name

C7_DEFAULT_COMPANY:COMPANY_CODE

C7_DEFAULT_WAREHOUSE

Required

Default warehouse

C7_DEFAULT_WAREHOUSE:WAREHOUSE_CODE

C7_ROLE

Required

User role

C7_ROLE:Admin

C7_SHIFT_USER

Optional

If assigned, user will be a shift user

C7_SHIFT_USER

C7_WAREHOUSE

Optional

If assigned, grants access to that warehouse

C7_WAREHOUSE:WAREHOUSE_CODE

To assign all: C7_WAREHOUSE:*ALL

C7_COMPANY

Optional

If assigned, grants access to that company

C7_COMPANY:COMPANY_CODE

To assign all: C7_COMPANY:*ALL

Additional Rules

  • If the optional fields C7_WAREHOUSE or C7_COMPANY are missing in the Group for user, the system will automatically assign the corresponding default values from C7_DEFAULT_WAREHOUSE and C7_DEFAULT_COMPANY.

  • If the Groups assigned with C7_WAREHOUSE:*ALL or C7_COMPANY:*ALL, it indicates the user has access to all warehouses or all companies, respectively, and the system must assign all available warehouses or companies to that user.

  • Be aware that there cannot be spaces around the : character in the group names; so for example C7_DEFAULT_COMPANY: Company 1 would not work - C7_DEFAULT_COMPANY:Company 1  will. spaces are allowed but just not around the colon ( : ) character. This will cause error messages such as X default warehouse is not found in Canary7 as it cannot match the name correctly.

  • The group names themselves are not case sensitive, so you can do C7_Default_Company:Company 1 if preferred.

✅ SSO Setup Complete

Your Microsoft SSO integration with Canary7 is now ready for use. Users within your organization can now sign in securely using their Microsoft accounts.