
# Microsoft Entra SSO Setup

> Connect Microsoft Entra ID (Azure AD) to PlayerZero using OpenID Connect (OIDC) with the authorization code flow.

<Note>Organization **Owner** access is required in PlayerZero to configure SSO. **Entra ID administrator** access is required in Azure to create the app registration and adjust settings.</Note>

## Overview

This guide walks you through creating a Microsoft Entra app registration and wiring it to PlayerZero. We use the **OIDC Authorization Code** flow with **PKCE**. PlayerZero only requests standard OIDC claims.

***

## Prerequisites

* A PlayerZero organization where you are an **Owner**
* Admin access to **Azure Portal** for your tenant
* PlayerZero redirect URL: `https://playerzero.ai/api/auth/sso`

***

## Multi-Tenant SSO

If your organization uses multiple email domains, each domain requires its **own SSO configuration** in PlayerZero.

You may reuse the same Entra app registration for all domains if you choose. For each domain:

* Sign in to PlayerZero **using an account from that domain**
* Create a new SSO configuration starting at **Step 3 — Configure PlayerZero**

PlayerZero will simply have **one SSO configuration per domain**, regardless of how you organize Entra (single app or multiple apps).

## Step 1 — Create the App Registration in Entra

1. Under **Supported account types**, select `Single Tenant`.
2. Add a **Web** platform and set its redirect URI to:
   * `https://playerzero.ai/api/auth/sso`
3. Create a Client Secret and store its **value** somewhere safe; it is shown only once and PlayerZero needs it in Step 3.

***

## Step 2 — API Permissions (OpenID Connect)

1. In the app registration, open **API permissions** → **Add a permission** → **Microsoft Graph** → **Delegated permissions**.
2. Add these scopes:
   * `openid`
   * `profile`
   * `email`
   * `offline_access`
3. **Grant admin consent** for your tenant.

***

## Step 3 — Configure PlayerZero

1. In PlayerZero, open **Settings → SSO Configuration → Add SSO Configuration**.
2. In `Fetch SSO config from well-known endpoint`, paste your app registration's `OpenID Connect metadata document` URL (shown under **Endpoints** in the Azure portal).
3. Click **Fetch from Well-Known**. PlayerZero will query `https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/.well-known/openid-configuration` and autofill the issuer and endpoint settings from the response.
4. Verify your organization's domain and other autofilled settings.
5. Enter your `Client ID` and `Client Secret Value`.
6. Add the `openid profile email offline_access` scopes.
7. Toggle on `Use PKCE (Proof Key for Code Exchange)`.
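The two pieces that Step 3 relies on, the well-known metadata document and PKCE, can be sanity-checked before you paste anything into PlayerZero. The script below is an added example, not PlayerZero's or Microsoft's code: it builds the well-known URL for a tenant, validates a metadata document against what this setup needs (matching issuer, HTTPS endpoints, the four scopes, authorization code response type, S256 PKCE support), and generates an RFC 7636 code_verifier / code_challenge pair of the kind the `Use PKCE` toggle causes PlayerZero to send. The tenant ID and the metadata document are constructed placeholders so the script runs offline; against a real tenant you would feed `check_metadata` the JSON returned from the well-known URL instead.

```python
import base64
import hashlib
import json
import secrets
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Placeholder tenant ID (not a real directory) used for the offline sample.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed subset of a Microsoft identity platform v2.0 metadata document,
# limited to the keys this check reads. Real documents contain many more keys.
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# The scopes added in Step 2 and entered again in Step 3.
REQUIRED_SCOPES = {"openid", "profile", "email", "offline_access"}


def well_known_url(tenant_id: str) -> str:
    """The discovery URL PlayerZero queries when you click Fetch from Well-Known."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_metadata(doc_json: str, tenant_id: str) -> List[str]:
    """Return the problems found in a metadata document; an empty list means it is usable."""
    doc = json.loads(doc_json)
    problems: List[str] = []

    # The issuer must be the v2.0 issuer for *your* tenant; anything else means the
    # wrong well-known URL was pasted (e.g. another tenant or the v1.0 endpoint).
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")

    # Every endpoint the flow touches must be present and served over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key, "")
        if urlparse(value).scheme != "https":
            problems.append(f"{key} missing or not https: {value!r}")

    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")

    # The PKCE toggle in Step 3 requires the S256 challenge method.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not supported")

    return problems


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636: a code_verifier and its S256 code_challenge (base64url, no padding).

    The client keeps the verifier private and sends only the challenge with the
    authorization request; the verifier is presented at the token endpoint, so a
    stolen authorization code cannot be redeemed without it.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


if __name__ == "__main__":
    print("discovery URL:", well_known_url(TENANT_ID))
    print("problems:", check_metadata(SAMPLE_METADATA, TENANT_ID) or "none")
    verifier, challenge = make_pkce_pair()
    print("code_verifier :", verifier)
    print("code_challenge:", challenge)
```

A non-empty problem list from `check_metadata` is the quickest explanation for a failed **Test Connection** in Step 4: an issuer from a different tenant, a v1.0 metadata URL, or a missing scope all show up here before any sign-in is attempted.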

***

## Step 4 — Test the Connection

1. In PlayerZero **SSO Configuration**, click **Test Connection**.
2. Complete the Microsoft sign-in in the popup.
3. On success, click **Save Configuration**.

***

## Next Steps — Rollout & User Impact

Once SSO is **saved and enabled**, PlayerZero will **invalidate existing sessions**:

* **All users will be logged out** of PlayerZero.
* When users log back in through SSO, they will be able to access all previous work. No data will be lost in the transition.
