Microsoft Entra ID (Azure AD) SSO

Federate sign-in with Microsoft Entra ID so your users log into TraffiTech-powered apps with their existing Microsoft credentials.

Prerequisites

Before you start, note the following:

  • The Redirect URI to register in your Azure app registration is the same for every IdP:

    https://oidc.traffitech.com/interaction/federated/callback
  • Your TraffiTech administrator will register the IdP on the TraffiTech side once you've finished the Azure portal steps and handed over the credentials.

You'll finish the Azure portal work first, hand the resulting credentials to your administrator, and they'll complete the registration.

Step 1: Create an App Registration

  1. Open the Microsoft Entra admin center and expand Entra ID in the left sidebar, then select App registrations.
    • (Alternative: in the Azure Portal, go to Microsoft Entra ID → Manage → App registrations.)
  2. Click + New registration.
  3. Fill in the registration form:
    • Name: TraffiTech SSO (or similar)
    • Supported account types: choose based on your organization's needs:
      • Single tenant - only users from your organization (most common)
      • Multi-tenant - users from any Azure AD organization
      • Multi-tenant + personal accounts - includes Microsoft personal accounts
    • Redirect URI:
      • Platform: Web

      • URI:

        https://oidc.traffitech.com/interaction/federated/callback
  4. Click Register.

Step 2: Collect credentials

From the app registration's Overview page, copy:

  • Application (client) ID - your client_id
  • Directory (tenant) ID - your tenant_id

The OIDC discovery URL for your tenant is:

https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration
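To show what the TraffiTech side (or any OIDC relying party) does with the tenant ID and client ID you collect in this step, here is an added Python example; it is not part of this guide or of TraffiTech's own code. It builds the discovery URL, parses a constructed sample of the discovery document, checks that the issuer belongs to the expected tenant, and composes the authorization request that sends the browser to Microsoft sign-in. The tenant and client IDs are placeholders, and the sample document is trimmed to the keys the code uses.

```python
import json
import re
import secrets
from urllib.parse import urlencode

# The redirect URI from this guide (the one registered in Azure).
REDIRECT_URI = "https://oidc.traffitech.com/interaction/federated/callback"
# Placeholder IDs, not real tenant or application IDs.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def discovery_url(tenant_id: str) -> str:
    """Build the tenant's OIDC discovery URL (Step 2), refusing malformed IDs."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant_id is not a GUID: {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


# Constructed sample of the discovery document, trimmed to the keys used below.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


def parse_discovery(doc_json: str, tenant_id: str) -> dict:
    """Parse the discovery document and check that the issuer is this tenant's,
    so a mistyped tenant_id (or a document from the wrong tenant) is caught
    before any token from it is trusted."""
    doc = json.loads(doc_json)
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    required = ("authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    for scope in ("openid", "profile", "email"):   # the delegated permissions from Step 4
        if scope not in doc.get("scopes_supported", []):
            raise ValueError(f"scope {scope!r} not advertised by the tenant")
    return {k: doc[k] for k in required}


def new_state_and_nonce() -> tuple:
    """state binds the callback to this browser session; nonce is echoed in
    the ID token so a replayed token can be rejected."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_request(endpoints: dict, client_id: str, state: str, nonce: str) -> str:
    """Compose the sign-in redirect (authorization code flow) that a relying
    party sends the browser to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,      # must match the Azure registration exactly
        "scope": "openid profile email",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
    }
    return f"{endpoints['authorization_endpoint']}?{urlencode(params)}"


if __name__ == "__main__":
    print("discovery:", discovery_url(TENANT_ID))
    eps = parse_discovery(SAMPLE_DISCOVERY_DOC, TENANT_ID)
    st, nc = new_state_and_nonce()
    print("authorize:", build_authorization_request(eps, CLIENT_ID, st, nc))
```

The issuer check is the part worth keeping in mind: the relying party should only accept ID tokens whose issuer is exactly the tenant it was configured for, which is why the tenant ID is part of the handoff in Step 5.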

Step 3: Create a client secret

  1. Go to Certificates & secrets → Client secrets → New client secret.
  2. Enter a description (e.g. TraffiTech SSO client secret) and an expiration.
  3. Click Add.
  4. Copy the Value immediately - this is your client_secret and Azure will not show it again.
Warning: Copy the Value, not the Secret ID. If you close the page without copying it, you have to create a new secret.

Step 4: Configure API permissions

  1. Go to API permissions → Add a permission.
  2. Select Microsoft Graph → Delegated permissions.
  3. Add these permissions:
    • openid
    • profile
    • email
  4. Click Add permissions.
  5. (Optional) Click Grant admin consent. For most tenants this is unnecessary: these scopes are user-consentable, so each user is prompted once on first sign-in. Click it only if your organization disables user consent, or to skip that one-time prompt.

Step 5: Hand off to your TraffiTech administrator

Give your administrator:

  • Tenant ID (Directory ID)
  • Client ID (Application ID)
  • Client Secret (the Value from Step 3)
  • The list of email domains that should auto-route to Microsoft sign-in on the TraffiTech login page (e.g. yourcompany.com, yourcompany.onmicrosoft.com)

Your administrator completes the registration on the TraffiTech side and confirms when SSO is live.

Step 6: Test

TraffiTech's login form uses an identifier-first flow with Home Realm Discovery (HRD): you enter your email, and if the domain is registered to an enterprise IdP, TraffiTech redirects you to that IdP automatically.

Once your administrator confirms, test sign-in:

  1. Visit the TraffiTech login page.
  2. Enter your work email (e.g. user@yourcompany.com) and click Continue.
  3. If your email domain is registered for this IdP, TraffiTech redirects you straight to Microsoft sign-in.
  4. Authenticate with your Microsoft account.
  5. You should be redirected back to the TraffiTech app and signed in.
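The domain routing described above, as an added Python example that is not part of this guide or of TraffiTech's code: it normalises the entered address, looks up its domain in a constructed domain-to-IdP map, and falls back to local login when the domain is not registered. A second function checks the domain list you hand over in Step 5 for entries that could never match. The map, the IdP name and both function names are assumptions.

```python
from typing import Optional

# Constructed mapping of registered email domains to IdP names. The real list
# is the one you give your administrator in Step 5 and lives on the
# TraffiTech side, not in Azure.
DOMAIN_TO_IDP = {
    "yourcompany.com": "microsoft-entra",
    "yourcompany.onmicrosoft.com": "microsoft-entra",
}


def email_domain(email: str) -> Optional[str]:
    """Return the domain part of an address, normalised for lookup, or None
    when the input is not a single local@domain pair. Case and a trailing dot
    are stripped because DNS names are case-insensitive but dict keys are not."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")
    if not local or "." not in domain:
        return None
    return domain


def route(email: str, domain_map: dict = DOMAIN_TO_IDP) -> Optional[str]:
    """Home Realm Discovery (Step 6): the IdP to redirect to, or None to show
    the local login form. Matching is on the whole domain only, so a
    sub-domain such as mail.yourcompany.com is not routed unless it is itself
    registered."""
    domain = email_domain(email)
    return domain_map.get(domain) if domain else None


def check_domain_list(domains: list) -> list:
    """Warnings about a domain list before it goes to the administrator:
    entries with a scheme, path or '@' are not domains and would never match."""
    warnings = []
    for d in domains:
        if "://" in d or "/" in d:
            warnings.append(f"{d!r}: looks like a URL, supply just the host name")
        elif "@" in d:
            warnings.append(f"{d!r}: looks like an address, supply the part after '@'")
        elif d != d.strip().lower():
            warnings.append(f"{d!r}: will be stored as {d.strip().lower()!r}")
    return warnings


if __name__ == "__main__":
    for addr in ("User@YourCompany.com", "someone@gmail.com", "bob@mail.yourcompany.com"):
        print(addr, "->", route(addr) or "local login")
    print(check_domain_list(["https://yourcompany.com", "it@yourcompany.com", "YourCompany.com"]))
```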

Troubleshooting

  • AADSTS50011: The redirect URI specified in the request does not match
    • Likely cause: the Redirect URI registered in Azure doesn't match the one TraffiTech sends.
    • Fix: verify it matches exactly, including trailing slashes. Azure is strict.
  • AADSTS700016: Application not found
    • Likely cause: the client_id doesn't match the Application ID.
    • Fix: re-copy the Application (client) ID from the Overview page.
  • AADSTS7000215: Invalid client secret
    • Likely cause: the secret expired, was copied incorrectly, or the Secret ID was used instead of the Value.
    • Fix: create a new client secret and send the new Value to your administrator.
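As an added diagnostic for the three errors above, here is a Python example that is not part of this guide or of TraffiTech's code. The first function explains exactly how a redirect URI differs from the registered one (the cause behind AADSTS50011, where a trailing slash is the usual culprit); the second sanity-checks the Step 5 bundle, catching a client_id that is not a GUID (AADSTS700016) and a client_secret that is a GUID, which means the Secret ID was copied instead of the Value (AADSTS7000215). The IDs in the usage block are placeholders.

```python
import re
from urllib.parse import urlsplit

# The redirect URI this guide registers in Azure.
REGISTERED_REDIRECT_URI = "https://oidc.traffitech.com/interaction/federated/callback"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def diagnose_redirect_uri(sent: str, registered: str = REGISTERED_REDIRECT_URI) -> list:
    """Explain why a redirect_uri would fail the exact-match check behind
    AADSTS50011. Returns [] only when the two strings are identical."""
    if sent == registered:
        return []
    s, r = urlsplit(sent), urlsplit(registered)
    problems = []
    if s.scheme != r.scheme:
        problems.append(f"scheme differs: {s.scheme!r} vs {r.scheme!r}")
    if s.netloc != r.netloc:
        problems.append(f"host differs: {s.netloc!r} vs {r.netloc!r}")
    if s.path != r.path:
        if s.path.rstrip("/") == r.path.rstrip("/"):
            problems.append("trailing slash differs")
        elif s.path.lower() == r.path.lower():
            problems.append("path differs only in letter case")
        else:
            problems.append(f"path differs: {s.path!r} vs {r.path!r}")
    if s.query != r.query:
        problems.append(f"query differs: {s.query!r} vs {r.query!r}")
    if s.fragment != r.fragment:
        problems.append(f"fragment differs: {s.fragment!r} vs {r.fragment!r}")
    if not problems:
        problems.append("strings differ but parse the same; compare byte by byte for stray whitespace")
    return problems


def check_handoff(tenant_id: str, client_id: str, client_secret: str) -> list:
    """Sanity-check the Step 5 bundle. The Secret ID shown in the portal is a
    GUID while the Value is not, so a GUID in the secret field means the wrong
    column was copied; a non-GUID client_id cannot match any app registration."""
    problems = []
    if not GUID_RE.match(tenant_id.strip()):
        problems.append("tenant_id is not a GUID: re-copy the Directory (tenant) ID")
    if not GUID_RE.match(client_id.strip()):
        problems.append("client_id is not a GUID: re-copy the Application (client) ID")
    if GUID_RE.match(client_secret.strip()):
        problems.append("client_secret is a GUID: this is the Secret ID, not the Value")
    elif client_secret != client_secret.strip():
        problems.append("client_secret has leading or trailing whitespace")
    return problems


if __name__ == "__main__":
    print(diagnose_redirect_uri(REGISTERED_REDIRECT_URI + "/"))
    print(diagnose_redirect_uri("http://oidc.traffitech.com/interaction/federated/callback"))
    # Placeholder IDs; the third value is a GUID on purpose to trigger the Secret ID warning.
    print(check_handoff("00000000-0000-0000-0000-000000000001",
                        "11111111-1111-1111-1111-111111111111",
                        "22222222-2222-2222-2222-222222222222"))
```

Note that `diagnose_redirect_uri` never declares two different strings equal: it only names the difference, because the match Azure performs is on the literal string you registered.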

Next steps