Signing in with Microsoft Entra


Enabling SAML with Microsoft Entra ID involves the following steps:

  • Creating Dropzone Role Groups in Microsoft Entra ID

  • Assigning users to Dropzone Role Groups

  • Creating the SAML application in Microsoft Entra ID

  • Assigning Users to the Dropzone Application

  • Providing your SAML IDP details to your Dropzone support representative

  • Updating your SAML application with details from your Dropzone support representative


There are multiple ways you can configure Microsoft Entra ID successfully with Dropzone AI; we show a group-based version here because it maps cleanly to Entra claim conditions.

As long as the values come down where we expect them, in the correct form, the "how" is up to you.

Create Dropzone Role Groups

Dropzone needs to know which role a user should receive when logging into your tenant. In Microsoft Entra ID, the simplest way to do this is to create one group for each Dropzone role.

To create a role group, do the following:

  • Click "All Groups"

  • Click "New Group"

Create groups for the Dropzone roles you plan to use. For each group, do the following:

  • Under "Group Type," select "Security"

  • Under "Group Name," name the group one of the following Role Names:

| Group Purpose | Dropzone Role Value | Role Name | Permissions |
| --- | --- | --- | --- |
| Administrators | admin | Admin | Full write access; create and update integration configuration; create response automation; manage users |
| Members | member | Member | Minimal write access; create context memory, add investigation feedback; ask questions of the AI |
| Restricted Access - Read Only | restricted-read-only | Restricted Read Only | Read-only access; view investigations and dashboards; no ad-hoc chat |

  • Under "Membership Type," select "Assigned"

For the purpose of this documentation, the "Member" group is displayed.

  • Under "Members," click "No members selected"

  • Add the users you want to receive this role, then click "Select"

  • Click "Create"

Create the Microsoft Entra Application

  • Click "New application"

  • Click "Create your own application"

  • Name the application something memorable, such as Dropzone AI

  • Select "Integrate any other application you don't find in the gallery"

  • Click "Create"

Create the application

  • In the newly created application, navigate to Manage > Single sign-on

Click Single sign-on

  • Select SAML

  • Click the Edit button in the "Basic SAML Configuration" section

  • Under "Identifier (Entity ID)," click "Add identifier" and input your Dropzone SAML Entity ID


If you have not received a SAML Entity ID from Dropzone, enter a placeholder of _https://login.dropzone.ai/samlv2/sp/00000000-0000-0000-0000-000000000000_

Input your Dropzone SAML Entity ID

  • Under "Reply URL (Assertion Consumer Service URL)," click "Add reply URL" and input your Dropzone SAML ACS URL


Likely, this value is _https://login.dropzone.ai/samlv2/acs_. If you have not received a SAML ACS URL from Dropzone, contact your Dropzone support representative.

Input your Dropzone SAML ACS URL

  • Leave the other values blank

  • Click "Save" when done, then exit the window

  • Click the Edit button in the "Attributes and Claims" section

Edit Attributes and Claims

  • Click "Add new claim"

  • Create claims with the following attributes, then click "Save"

| Name | Namespace | Source Attribute |
| --- | --- | --- |
| first_name | Leave blank | user.givenname |
| last_name | Leave blank | user.surname |
| full_name | Leave blank | user.displayname |
| dropzone_role | Leave blank | See below for instructions |

For the purpose of this documentation, the first_name claim has been shown

Configure the dropzone_role Claim

In your Entra Enterprise Application, the dropzone_role claim should use claim conditions to return the correct Dropzone role value based on group membership.

  • Name the claim "dropzone_role"

  • Leave the Namespace section blank

  • Click "Claim Conditions"

  • Add a claim condition for each Dropzone role group you created earlier

| User Type | Scoped Groups | Source | Value |
| --- | --- | --- | --- |
| Members | Dropzone Restricted Read Only | Attribute | restricted-read-only |
| Members | Dropzone Members | Attribute | member |
| Members | Dropzone Admins | Attribute | admin |


The Scoped Group names shown above are examples. Select the Entra groups that correspond to your Dropzone roles.

Configure the `dropzone_role` claim

  • Click "Save" when done

Assign Users to the Dropzone Application

  • In your Microsoft Entra ID homepage, click "Enterprise Apps" and find the application you just created

  • Navigate to Manage > Users and Groups

  • Click "Add user/group"

  • Click "Users and groups"

  • Add the users and groups you want to have access, then click "Assign"

Configure with Dropzone

  • Navigate back to the application

  • Navigate to Manage > Single sign-on

  • In the "SAML Certificates" section, next to "Certificate (Base64)," click "Download"

  • In the "Set Up" section, copy the login URL and Microsoft Entra Identifier

Send the following values to your Dropzone support representative:

| Microsoft Entra ID Value | Send to Dropzone |
| --- | --- |
| Login URL | IDP SSO URL |
| Microsoft Entra Identifier | IDP Entity ID |
| Certificate (Base64) | X.509 Certificate |

Update Your SAML Application

Once you have sent this information to Dropzone, Dropzone will enable SAML and (if it has not done so already) provide you with two values to add to the "Basic SAML Configuration" section of your SAML app.

  • Navigate back to your Enterprise Application

  • Navigate to Manage > Single sign-on

  • In the Basic SAML Configuration section, click "Edit" and input the following:

    • ACS URL - paste this into the "Reply URL (Assertion Consumer Service URL)" field

    • Entity ID - paste this into the "Identifier (Entity ID)" field

  • Click "Save"


Only proceed with this step if you did not receive an ACS URL or Entity ID to begin with.

Advanced Microsoft Entra ID

Microsoft Entra ID has multiple ways to manage group membership and claim values. You may use dynamic groups, existing access groups, or other identity governance workflows if they produce the expected dropzone_role SAML claim.

The claim values admin, member, and restricted-read-only must exactly match the values we expect (they are case-sensitive); the group names themselves can be anything that fits your internal naming standards.

If you have any errors or questions, engage your Dropzone AI support representative.
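Both the claim-condition mapping configured above and the exact-match requirement in this section come down to what actually arrives in the SAML assertion. The following Python script is an added example, not Dropzone's code or part of this guide: it audits a decoded assertion (for instance the SAMLResponse from a test login, base64-decoded) for the four claims this guide configures. It assumes that, with the Namespace field left blank, Entra emits each claim with Name equal to the claim name; the two assertions embedded in it are constructed samples, not captures from a real tenant, and the second deliberately contains common mistakes (a namespaced claim, a missing claim, and the Role Name "Admin" used where the role value "admin" is expected).

```python
"""Audit the attribute statement of a decoded SAML assertion against the claims
configured in this guide (first_name, last_name, full_name, dropzone_role)."""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EXPECTED_CLAIMS = ("first_name", "last_name", "full_name", "dropzone_role")
# The only values Dropzone accepts for dropzone_role; they are case-sensitive.
ALLOWED_ROLES = frozenset({"admin", "member", "restricted-read-only"})

# Constructed sample (not captured from a real tenant). Assumption: with the
# Namespace field left blank, Entra emits each claim with Name equal to the claim name.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="full_name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dropzone_role"><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed misconfigured sample: first_name left under a namespace, full_name
# missing, and the Role Name "Admin" used instead of the role value "admin".
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first_name">
      <saml:AttributeValue>Bob</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dropzone_role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def decode_saml_response(b64_response: str) -> str:
    """The SAMLResponse form field is base64; return the XML text inside it."""
    return base64.b64decode(b64_response).decode("utf-8")


def extract_attributes(xml_text: str) -> dict[str, list[str]]:
    """Collect Attribute Name -> list of values from every AttributeStatement.
    Works on a bare Assertion or on a full Response wrapping one. Signature
    validation is the service provider's job and is deliberately not done here."""
    root = ET.fromstring(xml_text)
    attributes: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)
    return attributes


def check_claims(attributes: dict[str, list[str]]) -> list[str]:
    """Return human-readable problems; an empty list means the claims match the guide."""
    problems = []
    for name in EXPECTED_CLAIMS:
        if name not in attributes:
            problems.append(f"missing claim: {name}")
        # A claim emitted under a namespace arrives as <namespace>/<name>.
        for emitted in attributes:
            if emitted != name and emitted.rsplit("/", 1)[-1] == name:
                problems.append(f"claim {name!r} arrived as {emitted!r}; leave Namespace blank")
    roles = attributes.get("dropzone_role", [])
    if len(roles) != 1:
        problems.append(f"dropzone_role must carry exactly one value, got {roles!r}")
    for role in roles:
        if role not in ALLOWED_ROLES:
            problems.append(f"dropzone_role {role!r} is not one of {sorted(ALLOWED_ROLES)}"
                            " (values are case-sensitive)")
    return problems


def audit(xml_text: str) -> list[str]:
    """Convenience wrapper: parse, then check."""
    return check_claims(extract_attributes(xml_text))


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        findings = audit(sample)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against a decoded assertion from a test login before handing the IDP details to Dropzone: an empty finding list means the attribute names and the dropzone_role value are exactly what the tables above specify, while each finding names the Entra field to revisit.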
