Microsoft Single Sign-On (SSO)

Donny K.

Overview: What are we talking about?

Gingr now offers Microsoft Single Sign-On to allow employees to use their Microsoft account to sign into Gingr! This article will go over how to enable Microsoft Single Sign-On (SSO) for users, how to use it, as well as some troubleshooting tips for certain users.

 

Helpful Hints: Before you begin. 

  • Important! The user's email used to log into Microsoft must match their email in Gingr to log in correctly.
  • Your user group must have the Can Login With Microsoft permission to sign in with Microsoft SSO.
  • Microsoft SSO is configured to work with both personal Microsoft accounts and organizational accounts.
  • If you or your organization have implemented Multi-Factor Authentication on your Microsoft account, you must complete it as part of the login process into Microsoft for authentication.

 

How to: Enable Microsoft SSO for User Groups

This section will walk you through how to enable the Can Login With Microsoft permission for selected user groups so that those users can log in with Microsoft!

  1. Navigate to Left-hand Navigation: Reports & More » Groups » App Permissions.
  2. Navigate to the Employee & Schedule Management permission section.
  3. Enable the Can Login With Microsoft permission for all desired user groups.

 

How to: Use Microsoft SSO to sign into Gingr

To sign into Gingr using Microsoft SSO, click the Microsoft Sign In button on the login screen. You will be routed to Microsoft's login page, where you sign into your Microsoft account normally. When you sign into Microsoft successfully, the authentication process will continue and you will be logged into Gingr.

 

Important! On your first sign-in attempt, you will be asked to accept permissions from the gingr-businessportal-oauth to read your basic user profile details from Microsoft.

Accepting this permission will allow Gingr to access certain basic profile details in read-only mode and is required to authenticate your Microsoft account with our business portal. After accepting, the authentication process will continue and you will be logged into Gingr!

 

How to: Allow the User.Read Graph API permission on your tenant (For Organizations)

While the Microsoft Graph User.Read permission is classified as a low-risk permission by default, your organization might have changed this. In order to use Gingr's SSO, users will need to have this permission on. To do this, please refer to the steps below. If you are a regular user, you will likely need the help of your organization's IT team to review and implement this!

To configure permission classifications, you need:

  • An Azure account with an active subscription.
  • One of the following roles: Global Administrator, Application Administrator, or Cloud Application Administrator

Follow these steps to classify permissions using the Microsoft Entra admin center:

  • Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  • Browse to Identity > Applications > Enterprise applications > Consent and permissions > Permission classifications.
  • Choose the tab for the permission classification you'd like to update. (For this, it would be low risk)
  • Choose Add permissions to classify another permission.
  • Select the Microsoft Graph API and then select the User.Read delegated permission. 
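
The same classification can be checked and applied from PowerShell. This is an added example, not a script from Gingr or Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with one of the roles listed above.

```powershell
# Added example: check whether User.Read is already classified on this tenant
# and classify it as low risk only if it is not.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Applications module).

# Delegated scope needed to manage permission classifications.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant"

# Locate the Microsoft Graph service principal in this tenant.
$graph = Get-MgServicePrincipal `
    -Filter "servicePrincipalNames/any(n:n eq 'https://graph.microsoft.com')"
if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant." }

# Find the User.Read delegated permission among Graph's OAuth2 scopes.
$scope = $graph.Oauth2PermissionScopes | Where-Object { $_.Value -eq 'User.Read' }
if (-not $scope) { throw "User.Read delegated permission not found on Microsoft Graph." }

# Audit first: list the current classification for this permission, if any.
$existing = Get-MgServicePrincipalDelegatedPermissionClassification `
    -ServicePrincipalId $graph.Id |
    Where-Object { $_.PermissionId -eq $scope.Id }

if ($existing) {
    # Leave an existing classification alone so a deliberate choice is not overwritten.
    Write-Output "User.Read is already classified as '$($existing.Classification)'. No change made."
}
else {
    $params = @{
        PermissionId   = $scope.Id
        PermissionName = $scope.Value
        Classification = "Low"
    }
    New-MgServicePrincipalDelegatedPermissionClassification `
        -ServicePrincipalId $graph.Id -BodyParameter $params | Out-Null
    Write-Output "User.Read is now classified as low risk."
}

# End the Graph session once the change has been made.
Disconnect-MgGraph | Out-Null
```

A classification only affects sign-in if the tenant's user consent setting allows users to consent to permissions classified as low risk, so review that setting alongside this change.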

FAQ: Check this out!

  • Why does Gingr say that I do not have permission to log in with Microsoft?
  • Why does Gingr say that my email address does not match any user account in Gingr?
  • Why can I not accept the permission for gingr-businessportal-oauth?

 

Q: Why does Gingr say that I do not have permission to log in with Microsoft?

A: This error message displays when the user group that the user is assigned to does not have the Can Login With Microsoft permission in Gingr to log in with Microsoft SSO.

 

Q: Why does Gingr say that my email address does not match any user account in Gingr?

A: This error message displays when the email address associated with your Microsoft account does not match any active user's email in Gingr. Please ensure that the email associated with your user profile in Gingr matches the email of the account you signed in with Microsoft.

 

Q: Why can I not accept the permission for gingr-businessportal-oauth?

A: This is most likely to happen when trying to use your organization's Microsoft account. Your organization may not allow its users to accept the permission. If this happens, please contact your organization's IT Support and see if they can accept the permission by attempting to log in. Organizations can also add the User.Read Microsoft Graph API to the user permissions here. This endpoint is usually included in the default settings and is one of the least privileged calls for authentication.

If they have any questions or concerns, please reach out to Support so that they can get in touch with the product team!
