Microsoft 365 / Entra ID SSO

How to get there: Go to Settings in the sidebar → Security tab → scroll to Microsoft 365 / Entra ID SSO.

Let your team sign in to your ProductLift portal with their existing Microsoft 365 work account. Login is tenant-restricted, so only members of your organization can sign in, and your existing MFA and conditional access policies in Entra ID apply automatically.

This is OIDC-based SSO against the Microsoft identity platform. This article covers the OIDC path, which is the modern approach Microsoft recommends. If your IT policy specifically requires SAML, contact us.

What you'll need

  • Admin access to your Microsoft Entra ID tenant (formerly Azure AD)
  • Admin access to your ProductLift portal
  • 10 minutes

Step 1: Copy the Redirect URI from ProductLift

Open ProductLift in another tab: Settings → Security → Microsoft 365 / Entra ID SSO. The Redirect URI is shown at the top of the card. Copy it. You'll paste it into Azure in the next step.

Step 2: Register an application in Entra ID

  1. Sign in to the Microsoft Entra admin center as an administrator.
  2. Go to Identity → Applications → App registrations and click + New registration.
  3. Fill in:
    • Name: something your team will recognize, e.g. ProductLift Feedback.
    • Supported account types: choose Accounts in this organizational directory only (Single tenant). This is what makes it true company SSO.
    • Redirect URI: select Web and paste the URI you copied from ProductLift in Step 1.
  4. Click Register.
  5. Open the new app's Authentication blade and confirm the Redirect URI is listed under Platform configurations → Web → Redirect URIs. If it isn't, click + Add a platform → Web, paste it in, and click Configure. (Microsoft sometimes drops the URI you entered on the registration screen, which surfaces later as AADSTS500113: No reply address is registered.)

Step 3: Create a client secret

  1. In your new app registration, go to Certificates & secrets.
  2. Click + New client secret.
  3. Give it a description (e.g. ProductLift), pick an expiry (12 or 24 months is typical), and click Add.
  4. Copy the secret Value immediately. You won't be able to see it again. Make sure you copy the Value, not the Secret ID.

Step 4: Configure ProductLift

  1. Back in your ProductLift portal at Settings → Security → Microsoft 365 / Entra ID SSO.
  2. Toggle Enable Microsoft SSO on.
  3. Fill in:
    • Directory (tenant) ID: from your Entra app Overview page, the value labelled Directory (tenant) ID.
    • Application (Client) ID: from the same Overview page, Application (client) ID.
    • Client Secret: the Value you copied in Step 3.
    • Button Label (optional): defaults to "Continue with Microsoft".
  4. Click Save.

Step 5: Pre-consent for your tenant (optional)

By default, the first user from your tenant to sign in will see a consent prompt asking them to allow ProductLift to read their basic profile and email. You can pre-consent for everyone in your tenant so this prompt never appears.

  1. In Entra admin center, open your app registration.
  2. Go to API permissions.
  3. Confirm that the default permissions openid, profile, email, and User.Read (delegated, Microsoft Graph) are listed. Add them if they aren't.
  4. Click Grant admin consent for [Your Tenant] and confirm.

Step 6: Try it

Open your portal in an incognito window. You should see a Continue with Microsoft button on the login screen. Click it, sign in with your work account, and you'll land back in ProductLift signed in.

Rotating the client secret

Microsoft secrets expire. To rotate:

  1. In Entra → Certificates & secrets, add a new client secret.
  2. In ProductLift → Settings → Security → Microsoft 365 / Entra ID SSO, paste the new Value into Client Secret and save. The old one stays valid in Entra until you delete it, so there's no downtime.
  3. Once the new one is confirmed working, delete the old secret in Entra.

Troubleshooting

"AADSTS50011: The reply URL specified in the request does not match": the Redirect URI in Entra doesn't exactly match what ProductLift is sending. Copy it again from the ProductLift settings page and paste it back into Entra (Authentication → Web → Redirect URIs).

"AADSTS700016: Application with identifier ... was not found in the directory": the Client ID or Directory (tenant) ID is wrong. Double-check both from the Entra app Overview page.

"AADSTS7000215: Invalid client secret": the secret was either mistyped, expired, or you pasted the Secret ID instead of the Value. Create a fresh secret and paste the Value field.

Users from outside your tenant can sign in: your Directory (tenant) ID field is set to common (or empty). Set it to your actual Directory (tenant) ID to lock it down.
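To see why the Directory (tenant) ID must be your real tenant ID rather than common, here is an added illustration (not ProductLift's code) of the checks a relying party performs on a Microsoft ID token before trusting a sign-in. The tenant and client IDs are constructed sample values, and the function names are assumptions; only the claim names (tid, iss, aud) are the standard v2.0 ID-token claims.

```python
"""Tenant-restriction checks on a Microsoft identity platform v2.0 ID token.

Added illustration, not ProductLift code. TENANT_ID and CLIENT_ID are
constructed sample values standing in for the Step 4 settings.
"""
import base64
import json

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # Directory (tenant) ID, sample
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # Application (client) ID, sample

# Multi-tenant aliases: any of these accept accounts from outside your tenant.
MULTI_TENANT_ALIASES = ("common", "organizations", "consumers")


def decode_claims(id_token: str) -> dict:
    """Parse the JWT payload. Signature verification against the tenant's
    published signing keys must precede this in a real relying party; this
    helper only decodes so the claim checks can be shown offline."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_tenant(claims: dict, tenant_id: str, client_id: str) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects tokens from other tenants or apps."""
    # The troubleshooting case above: "common" or an empty field means the
    # login is not tenant-restricted, so refuse to operate with that config.
    if not tenant_id or tenant_id.lower() in MULTI_TENANT_ALIASES:
        return False, "tenant ID must be the Directory (tenant) ID, not an alias"
    if claims.get("aud") != client_id:
        return False, "token was issued for a different application"
    if claims.get("tid") != tenant_id:
        return False, "token was issued by another tenant"
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, "issuer does not match the configured tenant"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample JWT (constructed test input, alg=none) so the
    decoding path can be exercised without contacting Microsoft."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```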

What this does NOT do

  • Automatic user provisioning from Entra group membership (SCIM). Users are created on first sign-in. If you remove a user in Entra, they can no longer sign in, but their ProductLift account is not auto-deleted.
  • IdP-initiated login from the Microsoft MyApps portal. Login starts from the ProductLift portal and bounces through Microsoft. If you need MyApps tile launch, contact us about a SAML-based setup.