How can I use Microsoft Entra ID as an SSO provider for PRTG?
This article applies as of PRTG 21
For the integration to work seamlessly, follow the steps in this article. For more information, see the PRTG Manual: Single Sign-On.
Overview of the process:
- Step 1: Configure Microsoft Entra ID
- Step 2: Configure SSO in PRTG
- Step 3: Add a user group in PRTG
1. Configure Microsoft Entra ID
Follow these steps to configure Entra ID to work as SSO provider in PRTG.
- Step 1.1: Register your app
- Step 1.2: Create a client secret
- Step 1.3: Add a redirect URI
- Step 1.4: Add a groups claim
- Step 1.5: Add a scope
- Step 1.6: Edit Microsoft Graph app manifest
1.1 Register your app
- Follow the Microsoft documentation on How to register an application in Microsoft Entra ID.
- During the registration, use the following setting:
- In Supported account types, select Accounts in this organizational directory only.
- Immediately after the registration, copy and save the following values. You need them to configure the SSO in PRTG:
- Application (client) ID
- Directory (tenant) ID
1.2 Create a client secret
- Open your newly created app and follow the Microsoft documentation on how to add a client secret.
- Copy and save the secret value immediately after creation. It will not be visible again after you leave the page.
1.3 Add a redirect URI
- In your app, go to the Authentication tab, and follow the Microsoft documentation on how to add a redirect URI to your application.
- The settings that you must use:
- In Configure Platforms, select Web.
- In Redirect URIs, use the format https://<IP address or DNS name>:<port>/cb. For example, https://192.0.2.0:443/cb.
Note: Make sure to add redirect URIs for the ports that PRTG uses, namely port 443 (default), port 8443 (fallback). If both 443 and 8443 are not available, PRTG sends a ticket that shows you the currently used port number. Add a redirect URI for this port until PRTG can switch back to 443 as soon as it is available again.
1.4 Add a groups claim
1. Go to the Token Configuration tab.
2. Click Add groups claim.
3. In Select group types to include in Access, ID, and SAML token, select Security groups and Directory roles.
4. Click Add to save the new groups claim.
Note: In large organizations, the number of groups where a user is a member might exceed the limit that Microsoft Entra ID will add to a token. For workarounds to these limits, see Important caveats for this functionality.
1.5 Add a scope
- Follow the steps in Microsoft documentation: Configure an application to expose a web API.
- In Expose an API, click Add scope, fill in the mandatory values, and enable the scope.
- If you exposed the scope successfully, it is visible on the Expose an API tab of your app.
1.6 Edit Microsoft Graph app manifest
For details about Microsoft Graph app manifest, see Microsoft Documentation: Understanding the app manifest (Microsoft Graph format).
- In your app, go to the Manifest tab.
- On the Microsoft Graph App Manifest (New) tab, find requestedAccessTokenVersion and change its value from 0 to 2.
Note: If you need to use AAD Graph App Manifest, find accessTokenAcceptedVersion and change its value from 0 to 2.
You have now successfully configured Microsoft Entra ID.
2. Configure SSO in PRTG
Important: Make sure that PRTG uses a connection that is encrypted via SSL/TLS. For more information, see PRTG Manual: PRTG Administration Tool on Core Server System.
To configure SSO in PRTG, perform the following steps:
- Log in to the PRTG web interface.
- Go to Setup | System Administration | Single Sign-On.
- Under SSO Login, select Enable.
- In Provider, select Microsoft Entra ID.
- In Configuration Endpoint, enter the configuration endpoint URL in the following format: https://login.microsoftonline.com/<tenant-ID>/v2.0/.well-known/openid-configuration.
Note: Replace <tenant-ID> with your directory (tenant) ID from Step 1.1.
- Click Load Configuration. This automatically fills in the values in the next four fields.
Note: If this does not work, enter the values manually as follows. Also, make sure to replace <tenant-ID> with your directory (tenant) ID from Step 1.1.
- Authorization Endpoint: https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/authorize
- Token Endpoint: https://login.microsoftonline.com/<tenant-ID>/oauth2/v2.0/token
- JSON Web Key Set (JWKS) URI: https://login.microsoftonline.com/<tenant-ID>/discovery/v2.0/keys
- Issuer: https://login.microsoftonline.com/<tenant-ID>/v2.0
- In Scope, enter the scope name from Step 1.5.
- In ClientID, enter the application (client) ID from Step 1.1.
- In Client Secret, enter the client secret from Step 1.2.
- In Available Callback URLs, select the URLs that your users will use to log in to PRTG. You will need to add these to the Entra ID app you configured in Step 1.3. Example: https://myprtg.domain.com/cb/
- If the URL your users use to log in to PRTG is not listed because PRTG is reachable via a different URL (for example, myPRTG.example.com for login but PRTG lists myPRTG.internal.example.com), you can use the option Manually enter a URL. PRTG still lists all available endpoints if needed for forwarding. You then need to add the URL to the Entra ID app you configured in Step 1.3.
Note: Entra ID and PRTG both check whether or not the callback URLs are allowed. Make sure you configure each required URL on both ends; otherwise, you will not be able to log in.
You have now configured SSO in PRTG.
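The following script is an added example and not part of the PRTG article or Paessler's own code. It models what the Load Configuration button does in Step 2: it reads an OpenID discovery document (a constructed sample embedded inline, with a placeholder tenant ID), extracts the four endpoint values listed above, and checks that each one is an https URL that matches the tenant-specific value the article gives. A second helper models the exact-match callback URL check that the note after Step 2 describes, so you can see why a redirect URI registered for port 443 does not cover port 8443. The function names and the sample document are assumptions made for this example.

```python
import json
from urllib.parse import urlparse

# Placeholder directory (tenant) ID; use your own value from Step 1.1.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of the discovery document served at
# https://login.microsoftonline.com/<tenant-ID>/v2.0/.well-known/openid-configuration,
# trimmed to the fields that matter for the PRTG configuration.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def expected_endpoints(tenant_id):
    """The four values from Step 2, built from the tenant ID exactly as the article lists them."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
        "issuer": f"{base}/v2.0",
    }


def load_configuration(discovery_json, tenant_id):
    """Extract the four fields from a discovery document.

    Returns (values, problems). A field is reported as a problem when it is missing,
    not served over https, or does not equal the value derived from the tenant ID,
    which is what you would expect when the wrong tenant or a look-alike host is used.
    """
    doc = json.loads(discovery_json)
    wanted = expected_endpoints(tenant_id)
    values, problems = {}, []
    for key, expected in wanted.items():
        value = doc.get(key)
        if value is None:
            problems.append(f"{key}: missing from discovery document")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{key}: not an https URL ({value})")
        if value != expected:
            problems.append(f"{key}: {value} does not match tenant {tenant_id}")
        values[key] = value
    return values, problems


def callback_allowed(callback_url, registered_redirect_uris):
    """Model the callback check both sides perform: the URL PRTG uses must be registered
    exactly as a redirect URI in the Entra ID app (scheme, host, port and path all count)."""
    return callback_url in registered_redirect_uris


if __name__ == "__main__":
    values, problems = load_configuration(SAMPLE_DISCOVERY_JSON, TENANT_ID)
    for key, value in values.items():
        print(f"{key}: {value}")
    print("problems:", problems or "none")
    # Redirect URIs registered for the default port only (Step 1.3 note): the fallback port is not covered.
    registered = ["https://192.0.2.0:443/cb"]
    print("443 allowed:", callback_allowed("https://192.0.2.0:443/cb", registered))
    print("8443 allowed:", callback_allowed("https://192.0.2.0:8443/cb", registered))
```

Running the script prints the four endpoint values and an empty problem list for the sample; feeding it a document whose issuer points at another tenant, or at an http URL, produces a problem line for that field instead of silently accepting it.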
3. Add a user group in PRTG
Now that you have configured SSO, perform the following steps to add a new user group in PRTG:
- Log in to the PRTG web interface.
- Go to Setup | System Administration | User Groups.
- Hover over the blue + button and select Add User Group.
- In User Group Name, give the group a meaningful name, for example Microsoft Entra ID SSO.
- In Active Directory or Single Sign-On Integration, select Use single sign-on integration.
- In SSO Group Access Claim, enter the groups claim that you created in Step 1.4.
Note: For claims, you can use Entra ID group IDs. To find a group ID, open the Azure portal and select the Groups tab. It displays a list of all groups and their object IDs. Find the object ID you need and enter it under SSO Group Access Claim. Alternatively, you can use the API name you previously configured.
You have now successfully integrated Entra ID as an SSO provider in PRTG.
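As an added example (not code from the article or from PRTG), the following script shows the claim checks that tie Steps 1.4, 1.6 and 3 together: the token must come from the expected v2.0 issuer, be issued for this app's client ID, carry the version that requestedAccessTokenVersion = 2 produces, and contain a groups claim that includes the group object ID entered under SSO Group Access Claim. It also handles the caveat from the Step 1.4 note, where a user belongs to more groups than Entra ID will embed and the token carries an overage marker instead of the list. The token payloads are constructed inline and are treated as already signature-verified against the JWKS URI; the client ID, tenant ID and group ID are placeholders, and the exact shape of the overage marker (a groups entry under _claim_names, or hasgroups) is an assumption for this example.

```python
import json

# Placeholders; substitute your own values from Steps 1.1 and 3.
CLIENT_ID = "11111111-1111-1111-1111-111111111111"          # application (client) ID
TENANT_ID = "00000000-0000-0000-0000-000000000000"          # directory (tenant) ID
PRTG_SSO_GROUP_ID = "22222222-2222-2222-2222-222222222222"  # group object ID entered in SSO Group Access Claim
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Constructed, already-decoded token payloads (only the claims this check cares about).
TOKEN_OK = json.dumps({
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "ver": "2.0",
    "groups": ["33333333-3333-3333-3333-333333333333", PRTG_SSO_GROUP_ID],
})
# What you get when requestedAccessTokenVersion was left at 0: a v1.0 token with the v1 issuer.
TOKEN_V1 = json.dumps({
    "iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID, "ver": "1.0",
    "groups": [PRTG_SSO_GROUP_ID],
})
# Group overage: the member list is replaced by a marker (assumed shape).
TOKEN_OVERAGE = json.dumps({
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "ver": "2.0",
    "_claim_names": {"groups": "src1"},
})
# Member of other groups only.
TOKEN_WRONG_GROUP = json.dumps({
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "ver": "2.0",
    "groups": ["33333333-3333-3333-3333-333333333333"],
})


def evaluate_token(payload_json):
    """Return (allowed, reason) for a decoded token payload.

    Signature verification against the JWKS URI from Step 2 is assumed to have happened
    before this point; this function only reasons about the claims.
    """
    claims = json.loads(payload_json)
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, f"issuer mismatch: {claims.get('iss')!r} (expected the v2.0 issuer from Step 2)"
    if claims.get("aud") != CLIENT_ID:
        return False, "audience is not this app's client ID (Step 1.1)"
    if claims.get("ver") != "2.0":
        return False, "token is not v2.0; check requestedAccessTokenVersion in Step 1.6"
    groups = claims.get("groups")
    if groups is None:
        overage = "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups") is True
        if overage:
            return False, "groups overage: group list not embedded in the token (see the Step 1.4 note)"
        return False, "no groups claim; check the groups claim added in Step 1.4"
    if PRTG_SSO_GROUP_ID not in groups:
        return False, "user is not a member of the group configured in Step 3"
    return True, "ok"


if __name__ == "__main__":
    for name, payload in [("ok", TOKEN_OK), ("v1", TOKEN_V1),
                          ("overage", TOKEN_OVERAGE), ("wrong group", TOKEN_WRONG_GROUP)]:
        allowed, reason = evaluate_token(payload)
        print(f"{name:12s} allowed={allowed} reason={reason}")
```

Each rejected case maps back to one step of the article, which makes the reasons useful when a login fails after setup: a v1.0 issuer points at Step 1.6, a missing or overage groups claim at Step 1.4, and a membership miss at the group ID entered in Step 3.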