# Signing in with Microsoft Entra

{% hint style="success" %}
This document details configuring Microsoft Entra ID SAML for authentication with Dropzone. This is more advanced than using federated buttons such as "Log in with Google" and "Log in with Microsoft" but offers more customization, especially useful for customers with more than one Dropzone environment.
{% endhint %}

Enabling SAML with Microsoft Entra ID involves the following steps:

* Creating Dropzone Role Groups in Microsoft Entra ID
* Assigning users to Dropzone Role Groups
* Creating the SAML application in Microsoft Entra ID
* Assigning Users to the Dropzone Application
* Providing your SAML IDP details to your Dropzone support representative
* Updating your SAML application with details from your Dropzone support representative

{% hint style="info" %}
There are multiple ways you can configure Microsoft Entra ID successfully with Dropzone AI; we show a group-based version here because it maps cleanly to Entra claim conditions.

As long as the expected claim values arrive where we expect them, in the correct form, how you produce them is up to you.
{% endhint %}

## Create Dropzone Role Groups

Dropzone needs to know which role a user should receive when logging into your tenant. In Microsoft Entra ID, the simplest way to do this is to create one group for each Dropzone role.

To create a role group, do the following:

* As an admin, in your Microsoft Entra ID [homepage](https://entra.microsoft.com/#home), navigate to Groups > All Groups

<figure><img src="/files/s3UtRLwKajib5lFPGaCx" alt=""><figcaption><p>Click All Groups</p></figcaption></figure>

* Click "New Group"

<figure><img src="/files/jWoUwrZcpRmbrM3CN0t8" alt=""><figcaption></figcaption></figure>

Create groups for the Dropzone [roles](https://docs.dropzone.ai/dropzone-101/getting-started/roles-and-permissions) you plan to use. For each group, do the following:

* Under "Group Type," select "Security"
* Under "Group Name," name the group one of the following Role Names:

| Group Purpose                 | Dropzone Role Value    | Role Name            | Permissions                                                                                              |
| ----------------------------- | ---------------------- | -------------------- | -------------------------------------------------------------------------------------------------------- |
| Administrators                | `admin`                | Admin                | Full write access; create and update integration configuration; create response automation; manage users |
| Members                       | `member`               | Member               | Minimal write access; create context memory, add investigation feedback; ask questions of the AI         |
| Restricted Access - Read Only | `restricted-read-only` | Restricted Read Only | Read-only access; view investigations and dashboards; no ad-hoc chat                                     |

* Under "Membership Type," select "Assigned"

<figure><img src="/files/5PCRhP7zf5HT5ziRZe3x" alt=""><figcaption><p>For the purpose of this documentation, the "Member" group is displayed</p></figcaption></figure>

* Under "Members," click "No members selected"
* Add the users you want to receive this role, then click "Select"

{% hint style="warning" %}
Each Dropzone user should be assigned to exactly one Dropzone role group. If a user matches multiple claim conditions, Microsoft Entra ID evaluates the matching conditions in order, which can produce unexpected role assignments.
{% endhint %}

<figure><img src="/files/PvKdm2HBepc6XgqQdCJW" alt=""><figcaption></figcaption></figure>

* Click "Create"

## Create the Microsoft Entra Application

* In your Microsoft Entra ID [homepage](https://entra.microsoft.com/#home), click "Enterprise Apps"

<figure><img src="/files/J7fxE681Su1eWRehwQVY" alt=""><figcaption></figcaption></figure>

* Click "New application"

<figure><img src="/files/aFnc90Z22qbFRIBUS1Ka" alt=""><figcaption></figcaption></figure>

* Click "Create your own application"

<figure><img src="/files/3eLQ2ZZPfkZmAapslsgd" alt=""><figcaption></figcaption></figure>

* Name the application something memorable, such as Dropzone AI
* Select "Integrate any other application you don't find in the gallery"
* Click "Create"

<figure><img src="/files/HPiNwfgYwcrIpJ5nVmU2" alt=""><figcaption><p>Create the application</p></figcaption></figure>

{% hint style="warning" %}
Dropzone AI does not support IDP-initiated login flows, so launching Dropzone directly from the Microsoft My Apps tile may not function properly.
{% endhint %}

* In the newly created application, navigate to Manage > Single sign-on

<figure><img src="/files/BAmlyEgviykIgAA1xkAT" alt=""><figcaption><p>Click Single sign-on</p></figcaption></figure>

* Select SAML

<figure><img src="/files/oQzF3ypxO5siKrGHXTyY" alt=""><figcaption></figcaption></figure>

* Click the Edit button in the "Basic SAML Configuration" section

<figure><img src="/files/mKoi5pVqMZX6xaqCCL3e" alt=""><figcaption></figcaption></figure>

* Under "Identifier (Entity ID)," click "Add identifier" and input your Dropzone SAML Entity ID

{% hint style="info" %}
If you have not yet received a SAML Entity ID from Dropzone, enter the placeholder `https://login.dropzone.ai/samlv2/sp/00000000-0000-0000-0000-000000000000` for now and replace it with the real value later (see "Update Your SAML Application").
{% endhint %}

<figure><img src="/files/iCTCcMnG4O1nolrza8Fa" alt=""><figcaption><p>Input your Dropzone SAML Entity ID</p></figcaption></figure>

* Under "Reply URL (Assertion Consumer Service URL)," click "Add reply URL" and input your Dropzone SAML ACS URL

{% hint style="info" %}
This value is likely `https://login.dropzone.ai/samlv2/acs`. If you have not received a SAML ACS URL from Dropzone, contact your Dropzone support representative.
{% endhint %}

<figure><img src="/files/7fAdeS2f1KSmnFIbacuv" alt=""><figcaption><p>Input your Dropzone SAML ACS URL</p></figcaption></figure>

* Leave the other values blank
* Click "Save" when done, then exit the window

<figure><img src="/files/tak8HOizzKfFZXahOu8k" alt=""><figcaption></figcaption></figure>

* Click the Edit button in the "Attributes and Claims" section

<figure><img src="/files/aMHPQTFDtY5qTZTwBBRo" alt=""><figcaption><p>Edit Attributes and Claims</p></figcaption></figure>

* Click "Add new claim"

<figure><img src="/files/UO2BlMT3hxUNtR6qUlcM" alt=""><figcaption></figcaption></figure>

* Create claims with the following attributes, then click "Save"

| Name            | Namespace   | Source Attribute           |
| --------------- | ----------- | -------------------------- |
| `first_name`    | Leave blank | `user.givenname`           |
| `last_name`     | Leave blank | `user.surname`             |
| `full_name`     | Leave blank | `user.displayname`         |
| `dropzone_role` | Leave blank | See below for instructions |

<figure><img src="/files/OF0evexXDCDa0iiUqXEy" alt=""><figcaption><p>For the purpose of this documentation, the first_name claim has been shown</p></figcaption></figure>

### Configure the `dropzone_role` Claim

In your Entra Enterprise Application, the `dropzone_role` claim should use claim conditions to return the correct Dropzone role value based on group membership.

* Name the claim "dropzone\_role"
* Leave the Namespace section blank
* Click "Claim Conditions"
* Add a claim condition for each Dropzone role group you created earlier

{% hint style="warning" %}
Microsoft Entra ID evaluates claim conditions in order. If a user matches more than one condition, the condition order can affect which `dropzone_role` value is returned.

Make sure to add the conditions in the order shown below and assign each user to exactly one Dropzone role group to avoid unexpected role assignments.
{% endhint %}

| User Type | Scoped Groups                 | Source    | Value                |
| --------- | ----------------------------- | --------- | -------------------- |
| Members   | Dropzone Restricted Read Only | Attribute | restricted-read-only |
| Members   | Dropzone Members              | Attribute | member               |
| Members   | Dropzone Admins               | Attribute | admin                |

{% hint style="info" %}
The Scoped Group names shown above are examples. Select the Entra groups that correspond to your Dropzone roles.
{% endhint %}

<figure><img src="/files/7Dy1Ozy4LczVaVxt8xrw" alt=""><figcaption><p>Configure the `dropzone_role` claim</p></figcaption></figure>

* Click "Save" when done

## Assign Users to the Dropzone Application

* In your Microsoft Entra ID [homepage](https://entra.microsoft.com/#home), click "Enterprise Apps" and find the application you just created
* Navigate to Manage > Users and Groups

<figure><img src="/files/fZBq3363WPHWWy2pLicX" alt=""><figcaption></figcaption></figure>

* Click "Add user/group"

<figure><img src="/files/TQBiAPxwLDZEJeqKD0u3" alt=""><figcaption></figcaption></figure>

* Click "Users and groups"

<figure><img src="/files/ku1ze2wu9wCZoPtnR1JY" alt=""><figcaption></figcaption></figure>

* Add the users and groups you want to have access, then click "Assign"

## Configure with Dropzone

* Navigate back to the application
* Navigate to Manage > Single sign-on
* In the "SAML Certificates" section, next to "Certificate (Base64)," click "Download"

<figure><img src="/files/0s5isdUh7FRokPEEpNIO" alt=""><figcaption></figcaption></figure>

* In the "Set Up" section, copy the Login URL and the Microsoft Entra Identifier

<figure><img src="/files/ntmfXmyn8h6VU8XmyOFL" alt=""><figcaption></figcaption></figure>

Send the following values to your Dropzone support representative:

| Microsoft Entra ID Value   | Send to Dropzone  |
| -------------------------- | ----------------- |
| Login URL                  | IDP SSO URL       |
| Microsoft Entra Identifier | IDP Entity ID     |
| Certificate (Base64)       | X.509 Certificate |
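The claims configured under "Attributes and Claims" and the certificate you hand to Dropzone are the two things that most often go wrong in a SAML rollout, and both can be checked before you involve support. The script below is an added example, not Dropzone's or Microsoft's code. It assumes you have captured the base64 `SAMLResponse` form field that the browser POSTs to the ACS URL (visible in the Network tab of the browser's developer tools) and have the "Certificate (Base64)" file downloaded above; the ACS URL `https://login.dropzone.ai/samlv2/acs` is taken from this page, and the sample Response and certificate blob inside the script are constructed stand-ins. It decodes the Response, lists the attributes, checks that `first_name`, `last_name`, `full_name` and `dropzone_role` each arrive exactly once with a recognised role value, checks the Response's Destination against the ACS URL, and compares the certificate embedded in the signature with the one you downloaded. It does not verify the XML signature itself.

```python
"""Offline sanity check of a SAML Response bound for Dropzone.

Added example, not Dropzone or Microsoft code. Input: the base64 SAMLResponse
form field the browser POSTs to the ACS URL, plus the Certificate (Base64)
downloaded from the Entra app. Signature verification is out of scope.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXPECTED_CLAIMS = ("first_name", "last_name", "full_name", "dropzone_role")
ALLOWED_ROLES = {"admin", "member", "restricted-read-only"}  # exact, case-sensitive
ACS_URL = "https://login.dropzone.ai/samlv2/acs"  # assumed from the page; use yours
# Constructed placeholder, not a real X.509 DER blob; only its bytes get compared.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()


def build_sample_response(roles=("member",), cert_b64=SAMPLE_CERT_B64, destination=ACS_URL):
    """Constructed stand-in for what Entra POSTs; a real Response is signed and also
    carries Issuer, Subject and Conditions. Returns the base64 form-field value."""
    role_values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    xml_text = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{destination}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="full_name"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="dropzone_role">{role_values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_response(saml_response_b64):
    """The HTTP-POST binding carries the Response base64-encoded, not deflated."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def extract_attributes(root):
    """Map each SAML Attribute Name to its list of values (Entra emits bare names
    when the claim Namespace is left blank)."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return attrs


def check_attributes(attrs):
    """Return the problems found; an empty list means the claims look right for Dropzone."""
    problems = []
    for name in EXPECTED_CLAIMS:
        if name not in attrs:
            problems.append(f"missing claim {name!r} (check the Name and the blank Namespace in Entra)")
        elif len(attrs[name]) != 1:
            problems.append(f"claim {name!r} has {len(attrs[name])} values, expected 1")
    for role in attrs.get("dropzone_role", []):
        if role not in ALLOWED_ROLES:
            problems.append(f"dropzone_role {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    return problems


def cert_fingerprint(pem_or_b64):
    """SHA-256 of the DER bytes, so PEM armour and line wrapping do not matter."""
    body = re.sub(r"-----[A-Z ]+-----|\s", "", pem_or_b64)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def signing_cert_matches(root, downloaded_cert):
    """True if the certificate embedded in the signature is the one you downloaded."""
    embedded = root.find(".//ds:X509Certificate", NS)
    if embedded is None or not embedded.text:
        return False
    return cert_fingerprint(embedded.text) == cert_fingerprint(downloaded_cert)


def audit(saml_response_b64, downloaded_cert, expected_acs=ACS_URL):
    """Decode the Response and return its attributes plus every problem found."""
    root = decode_saml_response(saml_response_b64)
    attrs = extract_attributes(root)
    problems = check_attributes(attrs)
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {expected_acs!r}")
    if not signing_cert_matches(root, downloaded_cert):
        problems.append("signing certificate differs from the downloaded Certificate (Base64)")
    return {"attributes": attrs, "problems": problems}


if __name__ == "__main__":
    pem = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_CERT_B64}\n-----END CERTIFICATE-----\n"
    print(audit(build_sample_response(), pem))  # constructed good case: no problems
    print(audit(build_sample_response(roles=("member", "admin")), pem)["problems"])
```

To use it on a real login, replace the two inputs in the `__main__` block with the captured `SAMLResponse` value and the contents of the downloaded certificate file. A role value that is reported as "not one of" the allowed set usually means a claim condition was typed with different casing or spacing; two values usually mean the user sits in more than one role group. A certificate mismatch means the certificate Entra is signing with is not the one you downloaded (for example, after a certificate rollover), so Dropzone needs the current one. Because the script does not validate the signature, treat it as a configuration aid, never as an authorisation decision.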

### Update Your SAML Application

{% hint style="info" %}
Only perform this step if you entered a placeholder Entity ID, or did not have the ACS URL, when you created the application.
{% endhint %}

Once you have sent the values above to Dropzone, Dropzone will enable SAML for your tenant and provide two values (if it has not done so already) to add to the "Basic SAML Configuration" section of your SAML app.

* Navigate back to your Enterprise Application
* Navigate to Manage > Single sign-on
* In the "Basic SAML Configuration" section, click "Edit" and input the following:
  * ACS URL - paste this into the "Reply URL (Assertion Consumer Service URL)" field
  * Entity ID - paste this into the "Identifier (Entity ID)" field
* Click "Save"

## Advanced Microsoft Entra ID

Microsoft Entra ID has multiple ways to manage group membership and claim values. You may use dynamic groups, existing access groups, or other identity governance workflows if they produce the expected `dropzone_role` SAML claim.

{% hint style="warning" %}
This section is here as a reference, not a requirement. Use whatever method you're most comfortable with that balances your administration duties and meets your security standards.
{% endhint %}

The values `admin`, `member`, and `restricted-read-only` must match exactly what Dropzone expects; the group names, however, can be anything that fits your internal naming standards.

If you have any errors or questions, engage your Dropzone AI support representative.

