# Configuring SSO: Azure Active Directory

> This page describes how to enable the Azure Active Directory (Azure AD) integration at the host level so that all users of Orchestrator can benefit from SSO.

:::note
**Host-level versus organization-level integration**

If you enable the Azure AD integration at the host level, as described on this page, you cannot also enable it at the [organization/tenant level](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/azure-ad-integration#setting-up-the-azure-ad-integration). The host-level integration provides SSO only, whereas the organization/tenant-level integration provides SSO as well as directory search and automatic user provisioning.
:::

## Prerequisites

To set up the Microsoft Entra ID integration, you need:

* admin permissions in both Orchestrator and Microsoft Entra ID (if you don't have admin permissions in Azure, work with a Microsoft Entra ID administrator to complete the setup);
* an organization administrator UiPath account that uses the same email address as a Microsoft Entra ID user; the Microsoft Entra ID user does not require admin permissions in Azure;
* UiPath Studio and Assistant version 2020.10.3 or later;
* UiPath Studio and Assistant set up using the [recommended deployment](https://docs.uipath.com/robot/standalone/2021.10/user-guide/setting-up-interactive-sign-in#using-modern-folders);
* if you previously used local user accounts, make sure that all your Microsoft Entra ID users have their email address in the **Mail** field; having it only in the User Principal Name (UPN) field is not enough. The Microsoft Entra ID integration links directory user accounts to local user accounts when the email addresses match, so users retain their permissions when they switch from signing in with their local user account to signing in with their Microsoft Entra ID directory account.
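
The email-matching rule in the last prerequisite decides whether each existing user keeps their permissions after the switch to SSO. The following added Python example (not UiPath code) previews that linking for a constructed directory export and a constructed list of local accounts; case-insensitive matching is an assumption of the example.

```python
"""Preview which local Orchestrator accounts will link to Microsoft Entra ID users.

Added example, not UiPath code. Inputs are constructed: Entra ID users with their
userPrincipalName and mail attributes, and the email addresses of local Orchestrator
accounts. Linking follows the rule on the page: the Mail field must match the local
account's email; a matching UPN alone is not enough. Case-insensitive matching is an
assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class EntraUser:
    user_principal_name: str
    mail: Optional[str]  # None or empty when the Mail attribute is not populated

@dataclass
class LinkReport:
    linked: Dict[str, str] = field(default_factory=dict)   # local email -> linked UPN
    mail_missing: List[str] = field(default_factory=list)  # UPN matches, Mail empty
    unmatched: List[str] = field(default_factory=list)     # no directory counterpart

def preview_account_linking(local_emails: List[str], entra_users: List[EntraUser]) -> LinkReport:
    """Classify each local account by what the integration would do with it."""
    by_mail = {u.mail.strip().lower(): u for u in entra_users if u.mail}
    by_upn = {u.user_principal_name.strip().lower(): u for u in entra_users}
    report = LinkReport()
    for email in local_emails:
        key = email.strip().lower()
        if key in by_mail:
            report.linked[email] = by_mail[key].user_principal_name
        elif key in by_upn:
            # Directory user exists but only the UPN carries the address: no link, so the
            # user would not keep their local permissions when switching to SSO.
            report.mail_missing.append(email)
        else:
            report.unmatched.append(email)
    return report

# Constructed sample data (not real accounts).
SAMPLE_ENTRA_USERS = [
    EntraUser("alice@contoso.example", "alice@contoso.example"),
    EntraUser("bob@contoso.example", None),  # Mail attribute never populated
    EntraUser("carol@contoso.example", "carol.smith@contoso.example"),
]
SAMPLE_LOCAL_EMAILS = ["Alice@contoso.example", "bob@contoso.example",
                       "carol.smith@contoso.example", "dave@contoso.example"]
```

Accounts listed under `mail_missing` are the ones to fix in the directory before enabling the integration; those under `unmatched` have no directory counterpart at all.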

## Step 1. Create a Microsoft Entra ID App Registration

:::note
The following steps are a broad description of a **sample configuration**. For more detailed instructions, refer to the [Microsoft documentation](https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad) for configuring Microsoft Entra ID as an authentication provider.
:::

1. Log in to the Azure portal as an administrator.
2. Go to [App Registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade), and select **New Registration**.
3. In the **Register an application** page, fill in the **Name** field with a name for your Orchestrator instance.
4. In the **Supported account types** section, select **Accounts in this organizational directory only**.
5. Set the **Redirect URI** by selecting **Web** from the drop-down list and filling in the URL of your Orchestrator instance, plus the suffix `/identity/azure-signin-oidc`. For example, `https://baseURL/identity/azure-signin-oidc`.
6. At the bottom, select the **ID tokens** checkbox.
7. Select **Register** to create the app registration for Orchestrator.
8. Save the **Application (Client) ID** to use it later.

## Step 2. Configure Microsoft Entra ID SSO

1. Log in to the [Management portal](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/about-the-host-level#host-management-portal) as a system administrator.
2. Select **Security**.
3. Select **Configure** under **Microsoft Entra ID SSO**.
   * If you want to only allow logging in to Orchestrator using Microsoft Entra ID, select the **Force automatic login using this provider** checkbox.
   * Fill in the **Display Name** field with the label you want to use for the Azure AD button on the Login page.
   * In the **Client ID** field, paste the value of the **Application (Client) ID** obtained from the Azure portal.
   * (Optional) In the **Client Secret** field, paste the value obtained from the Azure portal.
   * Set the **Authority** parameter to one of the following values:
     + `https://login.microsoftonline.com/<tenant>`, where `<tenant>` is the tenant ID of the Microsoft Entra ID tenant or a domain associated with that tenant. Use this value to sign in only users of a specific organization.
     + `https://login.microsoftonline.com/common`. Use this value to sign in users with work and school accounts or personal Microsoft accounts.
   * (Optional) In the **Logout URL**, paste the value obtained from the Azure portal.
4. Select **Save** to save the changes to the external identity provider settings.

   The page closes and you return to the **Security Settings** page.

5. Select the toggle to the left of **SAML SSO** to enable the integration.
6. Restart the IIS site. This is required after making any changes to External Providers.
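
Before saving the settings in Step 2, it helps to check that they are consistent with the app registration from Step 1. The following added Python example (not UiPath code) encodes only the rules stated above: the Redirect URI is the base URL plus `/identity/azure-signin-oidc`, the Client ID is the Application (Client) ID GUID, and the Authority is either the tenant-specific endpoint or `/common`. The dict layout and the sample values are constructed placeholders.

```python
"""Sanity-check the host-level Microsoft Entra ID SSO values before saving them.
Added example, not UiPath code. Assumes the Step 1 and Step 2 values are gathered in
a dict; the checks encode only the rules stated on the page (Redirect URI = base URL
+ /identity/azure-signin-oidc, Authority = tenant-specific endpoint or /common).
"""
import re

AUTHORITY_HOST = "https://login.microsoftonline.com"
REDIRECT_SUFFIX = "/identity/azure-signin-oidc"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def expected_redirect_uri(orchestrator_base_url: str) -> str:
    """Step 1: the Web redirect URI to register for the Orchestrator app."""
    return orchestrator_base_url.rstrip("/") + REDIRECT_SUFFIX

def classify_authority(authority: str) -> str:
    """Return 'tenant', 'common' or 'invalid' for the Step 2 Authority value."""
    if not authority.startswith(AUTHORITY_HOST + "/"):
        return "invalid"  # only the Microsoft login host is expected here
    tenant = authority[len(AUTHORITY_HOST) + 1:].strip("/")
    if tenant == "common":
        return "common"
    if GUID_RE.match(tenant) or DOMAIN_RE.match(tenant):
        return "tenant"  # tenant ID (GUID) or a domain of the tenant
    return "invalid"

def validate_sso_settings(settings: dict) -> list:
    """Return findings; an empty list means the values are consistent with each other."""
    findings = []
    want = expected_redirect_uri(settings["orchestrator_base_url"])
    if settings.get("redirect_uri") != want:
        findings.append(f"redirect_uri should be {want}")
    if not GUID_RE.match(settings.get("client_id", "")):
        findings.append("client_id should be the Application (Client) ID GUID from Step 1")
    kind = classify_authority(settings.get("authority", ""))
    if kind == "invalid":
        findings.append("authority must be https://login.microsoftonline.com/<tenant> or /common")
    elif kind == "common":
        # /common also signs in personal Microsoft accounts, broader than the single-directory registration of Step 1.
        findings.append("authority is /common: sign-in is not limited to one tenant")
    return findings
# Constructed sample settings with placeholder identifiers (not real values).
SAMPLE_SETTINGS = {
    "orchestrator_base_url": "https://orchestrator.contoso.example/",
    "redirect_uri": "https://orchestrator.contoso.example/identity/azure-signin-oidc",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "authority": "https://login.microsoftonline.com/contoso.onmicrosoft.com",
}
```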

## Step 3. Allow Microsoft Entra ID SSO for the Organization

Now that Orchestrator is integrated with Microsoft Entra ID Sign-In, user accounts that have a valid Microsoft Entra ID email address can use the **Microsoft Entra ID** SSO option on the **Login** page to sign in to Orchestrator.

Each administrator must do this for their organization/tenant if they want to allow login with Microsoft Entra ID SSO.

!['Azure AD SSO option' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-azure-ad-sso-option-image-227219-45b6f2c6.webp)

1. Log in to Orchestrator as an administrator.
2. Add local user accounts for your users, each with a valid Microsoft Entra ID email address.
