Single Sign On via Microsoft Entra (formally known as Microsoft Active Directory/AD) allows users to login via their work Microsoft 365 accounts.
This feature is in testing. We highly recommend you do not enable this feature at this time without first speaking to our support team.
To enable Microsoft Single Sign-On (SSO) with Canary7, you’ll need to create an application in Microsoft Entra, and configure it for use with Canary7. Follow the steps below to obtain the required credentials and permissions.
You will require Microsoft Entra access to configure applications to enable this feature.
Step 1: Create a new Application Registration
Log in to the Entra admin portal (https://entra.microsoft.com/)
Navigate to Microsoft Entra ID → App registrations
.png)
Create a New Registration:
.png)
For “Register an application”, enter the following fields:
Enter a name of your choice (e.g., Canary7 SSO).
Set Supported account types to
Accounts in this organizational directory only (Single tenant).Under Redirect URI, choose Web as the platform.
Enter the URL according to which environment your tenant is active in:
Environment | Available? | URL |
|---|---|---|
Staging | Yes | |
Production | No |
Click ‘Register’.
.png)
App registration example
Step 2: Retrieve the Client ID and Tenant ID
After registration:
Open the app’s Overview page.
Copy the values for:
Application (client) ID
Directory (tenant) ID
You’ll need these values later for Canary7 configuration.
Step 3: Create a Client Secret
Go to Certificates & secrets in the left menu.
Under Client secrets, click + New client secret.
Add a description (e.g., Canary7 SSO Secret).
Set the expiration period (e.g., 2 years or a custom duration).
Click Add.
⚠️ Client Secret
Copy the Value immediately and store it securely; it will not be visible again after you leave the page.
Step 4: Configure API Permissions
Go to the API permissions tab.
Click + Add a permission.
Select Microsoft Graph → Delegated permissions.
Add the following permissions:
Group.Read.AllDirectory.Read.AllUser.Reademailopenidprofile
Click Add permissions.
Finally, click Grant admin consent for the permissions you just added.
Step 5: Add Credentials to Canary7
Once you’ve obtained:
Client ID
Tenant ID
Client Secret
Add these credentials to your Canary7 Admin Portal under the corresponding tenant configuration to complete the SSO setup.
Entra Groups Setup
You will need to configure Entra Groups for access. These can be added under Entra ID > Groups > New Group. The required group names are as detailed below.
The groups should have a group type of Microsoft 365 .
.png)
🙎🏼 Entra Groups for access
✉️ Emails when adding users to groups
Adding users to groups will (by default) send emails for each group to all the users that you add to a group. This might not be desired, however this is a Microsoft 365 setting we have no control over. You will need to disable this via Powershell scripts. This can be done globally or for specific groups.
Field | Field Type | Description | Example |
|---|---|---|---|
| Required | Default company name |
|
| Required | Default warehouse |
|
| Required | User role |
|
| Optional | If assigned, user will be a shift user |
|
| Optional | If assigned, grants access to that warehouse |
To assign all: |
| Optional | If assigned, grants access to that company |
To assign all: |
Additional Rules
If the optional fields
C7_WAREHOUSEorC7_COMPANYare missing in the Group for user, the system will automatically assign the corresponding default values fromC7_DEFAULT_WAREHOUSEandC7_DEFAULT_COMPANY.If the Groups assigned with
C7_WAREHOUSE:*ALLorC7_COMPANY:*ALL, it indicates the user has access to all warehouses or all companies, respectively, and the system must assign all available warehouses or companies to that user.
✅ SSO Setup Complete
Your Microsoft SSO integration with Canary7 is now ready for use. Users within your organization can now sign in securely using their Microsoft accounts.