Set up SSO for Azure Entra

You can use SSO independently of SCIM by leveraging just-in-time (JIT) provisioning. If SCIM is not available, you can still enable SSO on its own. When users sign in using SSO, their account attributes are automatically imported into the enterprise web console.

Register a New Application

1. Navigate to https://entra.microsoft.com, and sign in.
2. In the left navigation menu under Identity, select Applications, then select App registrations.
3. Click New registration.
4. Enter a meaningful name for your application (for example, Backblaze App).
5. In the Supported account types field, select Accounts in this organizational directory only (Backblaze only - Single tenant).
6. In the Redirect URI field, select Web and enter https://secure.backblaze.com/api/bz_oauth_sso_callback.
   This is where Entra ID sends the authentication response (tokens) after a user signs in.
7. Click Register.
8. On the App registration Overview page, copy and save the Application (client) ID value.
   This is your application's public identifier.

Create a Client Secret

1. Sign in to your Azure Entra admin center.
2. In the left navigation menu under Identity, select Applications, then select App registrations.
3. Select your Backblaze SSO application.
4. Under Manage, click Certificates & secrets.
5. Click New client secret.
6. Enter a description, and select an expiration timeframe.
7. Click Add.
8. In the Value column, copy and save the client secret.
   You will not be able to retrieve the client secret again after you leave this page. This is your application's confidential credential.

Configure API Permissions

Applications are authorized to call APIs when users or admins grant permissions during the consent process. The app’s permission list should include everything it needs to function.

1. Sign in to your Azure Entra admin center.
2. In the left navigation menu under Identity, select Applications, then select App registrations.
3. Select your Backblaze SSO application.
4. Under Manage, click API permissions.
5. Click Add a permission.
6. Click Microsoft Graph.
7. Click Delegated permissions, and select the applicable permission types.
8. Click Add permissions.
9. Under Overview, click Endpoints.
10. Copy and save the OpenID Connect metadata document endpoint that Backblaze will use to communicate with Entra.

Configure SSO in the Backblaze Enterprise Web Console

1. Sign in to your Backblaze organization.
2. In the left navigation menu under Access Control, select Org Users.
3. Select the Identity Provider tab.
4. Click Set up SSO, and enter the following values:
   1. OIDC Issuer: Paste the OpenID Connect metadata document value that you copied in the “Configure API Permissions” task.
   2. Web Client ID: Paste the Application (client) ID value that you copied in the “Register a New Application” task.
   3. Web Client Secret: Paste the Client Secret value that you copied in the “Create a Client Secret” task.
5. Click Save.

Assign Users to SSO

1. Sign in to your Azure Entra admin center.
2. In the left navigation menu under Identity, select Applications, then select Enterprise applications.
3. Select your Backblaze SSO application.
4. Under Manage, click Users and groups.
5. Click Add user/group.
6. Click Users to open the list of available users.
7. Select the user(s) or user group(s) that you want to assign to the Backblaze SSO application.
8. Click Select.
9. Click Assign.