Microsoft Integration Setup
This guide walks you through setting up SAML 2.0 Single Sign-On (SSO) between Microsoft Entra ID (formerly Azure Active Directory) and ComplyFirst. Once completed, the users you assign in your Microsoft directory will be able to log in to ComplyFirst with their Microsoft SSO credentials.
Create a new Enterprise Application in Microsoft
- Log in to Microsoft Entra ID as an admin
- Navigate to Entra ID → Enterprise apps
- Click New Application, then Create your own application
- Enter a name for the application and select "Integrate any other application you don't find in the gallery (Non-gallery)"
- Click Create
Configure SAML Single Sign-On
- In your new enterprise application, go to Single sign-on in the left menu
- Select SAML as the single sign-on method
- In Section 1 - Basic SAML Configuration, click Edit and enter:
  - Identifier (Entity ID) - https://app.complyfirst.co/auth/saml2
  - Reply URL (ACS URL) - https://app.complyfirst.co/auth/saml2/callback
- Leave the rest empty and click Save
Verify Attributes & Claims
- In Section 2 - Attributes & Claims, click Edit and verify the following claims are configured:
  - Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - Attribute: user.mail or user.userprincipalname
  - Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - Attribute: user.givenname
  - Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - Attribute: user.surname
Note: The email claim is required for ComplyFirst to identify users. If this claim is not configured, the system will fall back to using the NameID value.
If the emailaddress claim is missing
- If the emailaddress claim is missing, click Add New Claim and enter the following:
  - Name: emailaddress
  - Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
  - Source attribute: user.mail (or user.userprincipalname if user.mail is not populated)
- Click Save
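The following is an added illustration, not ComplyFirst's or Microsoft's code: it applies the claim rules above (emailaddress claim first, NameID as the fallback) to a SAML assertion, after checking that the assertion is addressed to the Entity ID and ACS URL from the Basic SAML Configuration section. The assertion sample is constructed, and XML signature verification is assumed to have been done already by the SAML library in front of this function.

```python
# Added illustration, not ComplyFirst's or Microsoft's code: apply the claim
# rules above (emailaddress claim first, NameID as fallback) to an assertion,
# after checking it is addressed to the Entity ID and ACS URL configured in
# Basic SAML Configuration. Assumes the XML signature was already verified.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ENTITY_ID = "https://app.complyfirst.co/auth/saml2"
ACS_URL = "https://app.complyfirst.co/auth/saml2/callback"


def extract_identity(assertion_xml: str) -> dict:
    """Return the email (plus name claims) ComplyFirst would use, or raise."""
    root = ET.fromstring(assertion_xml)
    # Reject assertions issued for another service provider or endpoint.
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != ENTITY_ID:
        raise ValueError(f"audience mismatch: {audience!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("Recipient is not the configured ACS URL")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            attrs[attr.get("Name")] = values[0]
    email, source = attrs.get(CLAIMS + "emailaddress"), "emailaddress claim"
    if not email:  # documented fallback when the claim is not configured
        email, source = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS), "NameID"
    if not email:
        raise ValueError("no emailaddress claim and no NameID")
    return {"email": email, "given_name": attrs.get(CLAIMS + "givenname"),
            "surname": attrs.get(CLAIMS + "surname"), "source": source}


# Constructed sample assertion (placeholder tenant id, no signature).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Removing the emailaddress Attribute element from the sample exercises the NameID fallback, and changing the Audience shows why the audience check belongs before any claim is trusted.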
Copy the Federation Metadata URL
- In Section 3 - SAML Certificates, locate the App Federation Metadata Url
- The URL will look like: https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={app-id}
- Copy this URL for later
Assign Users to the Application
- In the enterprise application, go to Users and groups
- Click Add user/group
- Select the users or groups who should have access to ComplyFirst
- Click Assign
Important: Users who are not assigned to the application will receive an error when attempting to sign in: "AADSTS50105: Your administrator has not assigned you a role for this application."
Configure ComplyFirst
- Log in to ComplyFirst as an admin
- Navigate to Settings > Integrations
- Find Microsoft SAML and click Configure
- Enter the App Federation Metadata Url you copied in the Copy the Federation Metadata URL step
- Click Save
Enforce Multi-Factor Authentication (optional)
- In the Enterprise apps section of the Microsoft Entra admin center, navigate to Security > Conditional Access
- Click Create new policy
- Configure:
  - Name: Require MFA for ComplyFirst
  - Users: Select the users or groups who access ComplyFirst
  - Target resources > Cloud apps: Select your ComplyFirst enterprise application
  - Grant: Select Require multifactor authentication
- Set the policy to On and click Create
Troubleshooting
If you have followed these steps and are still unable to connect ComplyFirst to Microsoft, please reach out to our team.