Microsoft Sign in usage: Difference between revisions

Latest revision as of 17:06, 8 January 2026

Overview

Microsoft Sign-In allows VoIPmonitor GUI users to authenticate using their Microsoft Entra ID (formerly Azure AD) accounts, providing Single Sign-On (SSO) capability.

User Mapping Order

When a user signs in with Microsoft, VoIPmonitor maps them to a GUI user profile in this order:

Direct email match - Username in VoIPmonitor matches Microsoft email
Secure users list - Microsoft email is listed in user's "Microsoft Sign In emails" field
Default user - Falls back to the user marked as "Default Microsoft Sign In account"

Quick Reference

Parameter	Where to Get	Where to Enter
Client ID	Microsoft Entra > App registration > Overview > Application (client) ID	GUI > Settings > System configuration > Advanced
Tenant ID	Microsoft Entra > App registration > Overview > Directory (tenant) ID	GUI > Settings > System configuration > Advanced
Redirect URI	Your VoIPmonitor GUI URL	Microsoft Entra > App registration > Redirect URIs

Part 1: Microsoft Entra Configuration

Register the Application

Go to entra.microsoft.com > App registrations > + New registration
Configure:
- Name: e.g., "VoIPmonitor SSO"
- Supported account types: "Accounts in this organizational directory only"
- Redirect URI - Platform: Single page application
- Redirect URI - URL: Your VoIPmonitor GUI URL
Click Register
Note the Application (client) ID and Directory (tenant) ID from the Overview page

ℹ️ Note: Redirect URI format:

Correct: https://voipmonitor.example.com
Wrong: https://voipmonitor.example.com/ (trailing slash)
Wrong: https://voipmonitor.example.com/admin.php (page name)

Assign Users

In Microsoft Entra, go to Users and add users who should have access to VoIPmonitor via Microsoft Sign-In.

Part 2: VoIPmonitor GUI Configuration

Enable Microsoft Sign-In

Go to Settings > System configuration > Advanced
Enable Enable Microsoft Sign in
Enter:
- Microsoft client ID - from Entra
- Microsoft tenant ID - from Entra
- Redirect URI - leave empty (auto-detected)

Map Users

For each user who will use Microsoft Sign-In:

Go to Users & Audit > Users > edit user
Secure users tab > fill Microsoft Sign In emails with their Microsoft email

Default User (Optional)

To set a fallback user for unmapped Microsoft accounts:

Edit the desired user > Basic data tab
Check Default Microsoft Sign In account

Troubleshooting

SSO Fails Behind Reverse Proxy

Symptom: Redirect loops or "too many redirects" errors when using AWS ALB, Nginx, or other reverse proxies with SSL termination.

Cause: The proxy terminates HTTPS but forwards HTTP to the backend, breaking the OAuth callback flow.

Solution: Pass the original protocol via X-Forwarded-Proto header:

# Nginx configuration
proxy_set_header X-Forwarded-Proto $scheme;

For AWS ALB, this header is automatic but ensure intermediate proxies pass it through. See Nginx for complete configuration.

AI Summary for RAG

Summary: Microsoft Sign-In (SSO) integration for VoIPmonitor GUI using Microsoft Entra ID (formerly Azure AD). Currently in development branch only. Setup requires: (1) Register application in Microsoft Entra as Single Page Application, get Client ID and Tenant ID. (2) Configure GUI in Settings > System configuration > Advanced with IDs. (3) Map users via Secure users tab or set default fallback user. User mapping order: direct email match, Secure users list, default user. Redirect URI must be exact GUI URL without trailing slash or page names. For reverse proxy setups (AWS ALB, Nginx), configure X-Forwarded-Proto header to prevent redirect loops.

Keywords: Microsoft Sign-In, SSO, Single Sign-On, Microsoft Entra, Azure AD, Azure Active Directory, authentication, OIDC, OAuth, GUI login, enterprise authentication, tenant ID, client ID, redirect URI, user mapping, X-Forwarded-Proto, reverse proxy, AWS ALB

Key Questions:

How do I enable Microsoft Sign-In in VoIPmonitor?
How do I configure SSO with Microsoft Entra for VoIPmonitor?
What is the correct Redirect URI format for Microsoft Sign-In?
Where do I find the Microsoft client ID and tenant ID?
How do I map VoIPmonitor users to Microsoft accounts?
Is Microsoft Sign-In available in the stable GUI version?
How do I set up a default user for Microsoft Sign-In?
Why does Microsoft Sign-In fail behind a reverse proxy?
What is the user mapping order for Microsoft Sign-In?

@@ Line 1: / Line 1: @@
-{{DISPLAYTITLE:How to Set Up Microsoft Sign-In}}
+{{DISPLAYTITLE:Microsoft Sign-In (SSO) Configuration}}
+[[Category:Configuration]]
+[[Category:Authentication]]
-'''IMPORTANT: This feature may not be available in all GUI versions'''
+== Overview ==
-Microsoft Sign-In integration is scheduled for inclusion in an upcoming stable GUI release. If you do not see the "Enable Microsoft Sign in" option in your GUI under '''Settings > System configuration > Advanced''', your current version does not support this feature.
+Microsoft Sign-In allows VoIPmonitor GUI users to authenticate using their Microsoft Entra ID (formerly Azure AD) accounts, providing Single Sign-On (SSO) capability.
-If you need Microsoft Sign-In immediately, please contact VoIPmonitor support to request a development branch GUI package that includes this functionality.
+<kroki lang="mermaid">
+%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 40}}}%%
+flowchart LR
+    subgraph Entra["Microsoft Entra"]
+        A[Register App] --> B[Get IDs]
+        B --> C[Assign Users]
+    end
+    subgraph GUI["VoIPmonitor GUI"]
+        D[Enable MS Sign-In] --> E[Enter IDs]
+        E --> F[Map Users]
+    end
+    C --> D
+</kroki>
-== Part 1: How to Register an Application in Microsoft Entra ==
+=== User Mapping Order ===
-This guide will walk you through the necessary steps to register a new application in your Microsoft Entra ID (formerly Azure Active Directory) and correctly configure it for integration with the VoIPmonitor GUI.
+When a user signs in with Microsoft, VoIPmonitor maps them to a GUI user profile in this order:
-=== 1. Sign in to the Microsoft Entra admin center ===
+# '''Direct email match''' - Username in VoIPmonitor matches Microsoft email
-Open a web browser and navigate to [https://entra.microsoft.com https://entra.microsoft.com].
+# '''Secure users list''' - Microsoft email is listed in user's "Microsoft Sign In emails" field
+# '''Default user''' - Falls back to the user marked as "Default Microsoft Sign In account"
-Sign in using an account with administrative privileges.
+== Quick Reference ==
-=== 2. Navigate to App registrations ===
+{| class="wikitable"
-In the left-hand menu, go to '''App registrations'''.
+|-
+! Parameter !! Where to Get !! Where to Enter
+|-
+| '''Client ID''' || Microsoft Entra > App registration > Overview > ''Application (client) ID'' || GUI > Settings > System configuration > Advanced
+|-
+| '''Tenant ID''' || Microsoft Entra > App registration > Overview > ''Directory (tenant) ID'' || GUI > Settings > System configuration > Advanced
+|-
+| '''Redirect URI''' || Your VoIPmonitor GUI URL || Microsoft Entra > App registration > Redirect URIs
+|}
-=== 3. New registration ===
+== Part 1: Microsoft Entra Configuration ==
-At the top of the page, click the '''+ New registration''' button.
-=== 4. Basic Application Information ===
+=== Register the Application ===
-;Name:
-:Enter a meaningful name for your application (e.g., "VoIPmonitor SSO").
-;Supported account types:
+# Go to [https://entra.microsoft.com entra.microsoft.com] > '''App registrations''' > '''+ New registration'''
-:Choose who can use the application. For internal use, the most common option is ''Accounts in this organizational directory only''.
+# Configure:
+#* '''Name:''' e.g., "VoIPmonitor SSO"
+#* '''Supported account types:''' "Accounts in this organizational directory only"
+#* '''Redirect URI - Platform:''' '''Single page application'''
+#* '''Redirect URI - URL:''' Your VoIPmonitor GUI URL
+# Click '''Register'''
+# Note the '''Application (client) ID''' and '''Directory (tenant) ID''' from the Overview page
-In the '''Redirect URI''' section, you need to select the platform type and URI.
+{{Note|1='''Redirect URI format:'''
+* Correct: <code>https://voipmonitor.example.com</code>
+* Wrong: <code>https://voipmonitor.example.com/</code> (trailing slash)
+* Wrong: <code>https://voipmonitor.example.com/admin.php</code> (page name)}}
-;Platform selection:
+=== Assign Users ===
-:Choose '''Single page application'''.
-;Redirect URIs:
+In Microsoft Entra, go to '''Users''' and add users who should have access to VoIPmonitor via Microsoft Sign-In.
-:Enter the URL where your VoIPmonitor GUI is installed.
-'''IMPORTANT:'''
+== Part 2: VoIPmonitor GUI Configuration ==
-* Do not include ''admin.php'' or ''index.php'' at the end.
-* Do not include a trailing slash (/) at the end.
-Correct format example:
+=== Enable Microsoft Sign-In ===
- https://voipmonitor.yourdomain.com
-Click the '''Register''' button at the top of the page.
+# Go to '''Settings > System configuration > Advanced'''
+# Enable '''Enable Microsoft Sign in'''
+# Enter:
+#* '''Microsoft client ID''' - from Entra
+#* '''Microsoft tenant ID''' - from Entra
+#* '''Redirect URI''' - leave empty (auto-detected)
-== Part 2: How to Assign Users to the Application ==
+=== Map Users ===
-After registering the application, you must assign the users who will be allowed to sign in.
+For each user who will use Microsoft Sign-In:
-=== 1. Navigate to Users ===
+# Go to '''Users & Audit > Users''' > edit user
-In the left-hand menu, go to '''Users'''.
+# '''Secure users''' tab > fill '''Microsoft Sign In emails''' with their Microsoft email
-=== 2. Assign Users ===
+=== Default User (Optional) ===
-Click the '''+ Add user'''.
-The wizard will guide you through adding a user.
+To set a fallback user for unmapped Microsoft accounts:
-== Part 3: VoIPmonitor GUI Configuration ==
+# Edit the desired user > '''Basic data''' tab
+# Check '''Default Microsoft Sign In account'''
-=== 1. Enable Microsoft Sign-In ===
+== Troubleshooting ==
-Navigate to '''Settings > System configuration'''.
-Scroll down to the '''Advanced''' section.
+=== SSO Fails Behind Reverse Proxy ===
-Enable the option '''Enable Microsoft Sign in'''.
+'''Symptom:''' Redirect loops or "too many redirects" errors when using AWS ALB, Nginx, or other reverse proxies with SSL termination.
-Fill in the '''Microsoft client ID''' and '''Microsoft tenant ID''' fields. Use the ''Application (client) ID'' and ''Directory (tenant) ID'' values from the Overview page of your app registration in Microsoft Entra.
+'''Cause:''' The proxy terminates HTTPS but forwards HTTP to the backend, breaking the OAuth callback flow.
-Leave the '''Redirect URI for Microsoft Sign in''' field empty. The system will automatically detect it during the sign-in process. This field is available as a fallback in case automatic detection fails.
+'''Solution:''' Pass the original protocol via <code>X-Forwarded-Proto</code> header:
-=== 2. Configure Users ===
+<syntaxhighlight lang="nginx">
-Navigate to '''Users & Audit > Users'''.
+# Nginx configuration
+proxy_set_header X-Forwarded-Proto $scheme;
+</syntaxhighlight>
-For each user who should use Microsoft Sign-In, edit their profile and go to the '''secure users''' tab. Fill in the '''Microsoft Sign In emails''' field with their corresponding Microsoft account email.
+For AWS ALB, this header is automatic but ensure intermediate proxies pass it through. See [[Nginx]] for complete configuration.
-If you want to define a default user for Microsoft Sign-In (for users who are not explicitly mapped), edit that user's profile, go to the '''basic data''' tab, and check the '''Default Microsoft Sign In account''' option.
+== See Also ==
+* [[Google_Sign_in_usage]] - Google OAuth integration
+* [[User_Management]] - User account management
+* [[WEB_API#Custom_Login|Custom Login]] - LDAP/custom authentication scripts
+== AI Summary for RAG ==
+'''Summary:''' Microsoft Sign-In (SSO) integration for VoIPmonitor GUI using Microsoft Entra ID (formerly Azure AD). Currently in development branch only. Setup requires: (1) Register application in Microsoft Entra as Single Page Application, get Client ID and Tenant ID. (2) Configure GUI in Settings > System configuration > Advanced with IDs. (3) Map users via Secure users tab or set default fallback user. User mapping order: direct email match, Secure users list, default user. Redirect URI must be exact GUI URL without trailing slash or page names. For reverse proxy setups (AWS ALB, Nginx), configure X-Forwarded-Proto header to prevent redirect loops.
+'''Keywords:''' Microsoft Sign-In, SSO, Single Sign-On, Microsoft Entra, Azure AD, Azure Active Directory, authentication, OIDC, OAuth, GUI login, enterprise authentication, tenant ID, client ID, redirect URI, user mapping, X-Forwarded-Proto, reverse proxy, AWS ALB
+'''Key Questions:'''
+* How do I enable Microsoft Sign-In in VoIPmonitor?
+* How do I configure SSO with Microsoft Entra for VoIPmonitor?
+* What is the correct Redirect URI format for Microsoft Sign-In?
+* Where do I find the Microsoft client ID and tenant ID?
+* How do I map VoIPmonitor users to Microsoft accounts?
+* Is Microsoft Sign-In available in the stable GUI version?
+* How do I set up a default user for Microsoft Sign-In?
+* Why does Microsoft Sign-In fail behind a reverse proxy?
+* What is the user mapping order for Microsoft Sign-In?