
Configure Azure Active Directory SSO

Users can authenticate to Dovetail using Azure Active Directory SSO.

How to set up SSO with Azure Active Directory

Customers on the Enterprise workspace can set up single sign-on (SSO) with Azure Active Directory.

Create a new application in Azure

  1. Sign in to the Azure Portal.
  2. If you have access to more than one tenant, select the tenant you want to use for Dovetail SSO in the top-right corner.
  3. Search for and select Azure Active Directory.
  4. Under Manage, click App registrations.
  5. Click New registration.
  6. Enter a meaningful application name to display to users.
  7. Under Supported account types select Accounts in this organizational directory only.
  8. Under Redirect URL select Web and enter https://dovetailapp.com/users/oauth2/callback.
  9. Click Register.
  10. Note the application’s Application (client) ID and Directory (tenant) ID as these will be used to configure Dovetail.
  11. Under Manage click Certificates & secrets.
  12. Under Client secrets click New client secret.
  13. Select when you want the secret to expire. Note that Dovetail SSO will stop working if you don’t create a new secret before the old one expires.
  14. Note the Secret value as this will be used to configure Dovetail.

Using the Azure application’s Application (client) ID as the Client ID and the Secret value as the Client secret, you can set up OpenID Connect SSO. In the Discovery URL input, enter https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration where TENANT is the application’s Directory (tenant) ID.
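The following is an added example, not Dovetail's or Microsoft's code: it builds the Discovery URL from the Directory (tenant) ID and checks that a discovery document you have fetched is scoped to that one tenant rather than a multi-tenant alias such as common. The tenant ID and both sample documents are constructed, and the expected issuer and endpoint path shapes are assumptions derived from the URL pattern above.

```python
import re
from urllib.parse import urlsplit

AUTHORITY = "login.microsoftonline.com"
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def discovery_url(tenant_id):
    """Build the Discovery URL; accept only a tenant GUID, not an alias."""
    tenant = tenant_id.strip().lower()
    if not GUID.fullmatch(tenant):
        raise ValueError("expected the Directory (tenant) ID, got %r" % tenant_id)
    return "https://%s/%s/v2.0/.well-known/openid-configuration" % (AUTHORITY, tenant)

def check_discovery_document(doc, tenant_id):
    """Return a list of problems found in a fetched discovery document."""
    tenant = tenant_id.strip().lower()
    problems = []
    # Assumption: a single-tenant v2.0 issuer is https://AUTHORITY/TENANT/v2.0
    expected = "https://%s/%s/v2.0" % (AUTHORITY, tenant)
    if doc.get("issuer", "").lower() != expected:
        problems.append("issuer is %r, expected %r" % (doc.get("issuer"), expected))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlsplit(doc.get(key, ""))
        if url.scheme != "https" or url.hostname != AUTHORITY:
            problems.append("%s is not an https URL on %s" % (key, AUTHORITY))
        elif not url.path.lower().startswith("/%s/" % tenant):
            problems.append("%s is not scoped to tenant %s" % (key, tenant))
    return problems

# Constructed sample data: a placeholder tenant ID and two discovery documents.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = "https://" + AUTHORITY + "/"
GOOD = {
    "issuer": BASE + TENANT + "/v2.0",
    "authorization_endpoint": BASE + TENANT + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + TENANT + "/oauth2/v2.0/token",
    "jwks_uri": BASE + TENANT + "/discovery/v2.0/keys",
}
# What you would see if "common" were entered in place of the tenant ID.
BAD = {
    "issuer": BASE + "{tenantid}/v2.0",
    "authorization_endpoint": BASE + "common/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "common/oauth2/v2.0/token",
    "jwks_uri": BASE + "common/discovery/v2.0/keys",
}

if __name__ == "__main__":
    print(discovery_url(TENANT))
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery_document(doc, TENANT) or "ok")
```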

Troubleshooting

When trying to log in to Dovetail, the SSO pop-up shows a “Need admin approval” error message

This occurs when your Azure tenant is configured to disable end-user consent to applications, i.e. only admins can give permission to applications to access data.

To allow non-Azure-admins to log in to Dovetail via SSO, an Azure admin will need to give the application permission to read data on behalf of all other users. You can do this by following these steps:

  1. Sign in to the Azure Portal.
  2. Select Azure Active Directory.
  3. In the sidebar under Manage, select App registrations.
  4. Select the Dovetail application you created.
  5. In the sidebar under Manage, select API permissions.
  6. The table that appears should contain one permission: User.Read. We need this to determine users’ email addresses to send notifications, and their names to give them a recognizable name in Dovetail.
  7. If the table doesn’t contain the User.Read permission:

    1. Click Add a permission.
    2. Click Microsoft Graph.
    3. Click Delegated permissions.
    4. Expand User and check User.Read.
    5. Click Add permissions.
  8. Click Grant admin consent for (YOUR TENANT).
  9. Click Yes in the dialog that appears.

Non-Azure-admin users should now be able to log in to Dovetail via Azure SSO.

Updated 2 Jul 2020

Authors

Chris Doble


© Dovetail Research Pty. Ltd.
