Set up Microsoft Entra ID single sign-on (OIDC) for SimplyPrint
This guide walks you through connecting Microsoft Entra ID (formerly Azure AD) to SimplyPrint over OpenID Connect (OIDC), so members of your account can sign in with their work or school Microsoft accounts. You'll register an app in Entra, then paste a few values into SimplyPrint using the built-in Microsoft Entra preset.
This is one of the per-provider guides in our OIDC single sign-on overview. If you use Okta or Google Workspace instead, see those guides, or the SAML single sign-on hub for the SAML protocol.
Before you start
A few things to have ready:
- You need to be an account admin with the user registration settings permission in SimplyPrint.
- You need to be able to create an app registration in your Microsoft Entra tenant (at least the Application Developer role in Entra).
- An account runs one SSO method at a time, either SAML or OIDC, not both. Turning on OIDC deactivates SAML if it was active, but keeps its saved configuration for later.
Open the OIDC settings in SimplyPrint
Start in SimplyPrint so you have the redirect URI ready to paste into Entra.
- Go to Settings, then Organization, and open User registration & SSO.
- Tick OpenID Connect (OIDC) single sign-on.
- Click Configure OIDC single sign-on.
- In the configuration window, select the Microsoft Entra tab at the top.
Under What you need from us you'll see a read-only Redirect URI. Click Copy to grab it. This is the exact value Entra needs, so use the one shown in your window rather than typing one by hand. Keep this window open; you'll come back to it.
Register an app in Microsoft Entra ID
Now switch to Microsoft Entra to create the app registration.
- Sign in to the Microsoft Entra admin center.
- If you manage more than one tenant, use the Settings icon in the top menu to switch to the tenant you want to use.
- Browse to Entra ID, then App registrations, and select New registration.
- Enter a Name your members will recognize, for example "SimplyPrint".
- Under Supported account types, pick who can sign in. For a single organization, Single tenant is the usual choice.
- You can leave the Redirect URI blank here and add it in the next step, or select the Web platform and paste the redirect URI you copied from SimplyPrint.
- Select Register.
When registration finishes, Entra opens the app's Overview page.
Copy the tenant ID and client ID
On the app's Overview page, find and copy these two values:
- Application (client) ID - this is your client ID.
- Directory (tenant) ID - this is your tenant ID.
Both are GUIDs that look like 00000000-0000-0000-0000-000000000000. You'll paste them into SimplyPrint shortly.
Add the redirect URI in Entra
If you didn't add the redirect URI during registration, add it now.
- On your app registration, under Manage, select Authentication.
- On the Redirect URI configuration tab, select Add Redirect URI (or Add a platform if no platform exists yet).
- Choose the Web platform.
- Paste the Redirect URI you copied from SimplyPrint.
- Select Configure (or Save).
Create a client secret
SimplyPrint authenticates to Entra with a client secret.
- On your app registration, under Manage, select Certificates & secrets.
- Open the Client secrets tab and select New client secret.
- Add a Description (for example "SimplyPrint") and choose an Expires value.
- Select Add.
- Copy the secret's Value straight away.
Finish the connection in SimplyPrint
Switch back to the SimplyPrint configuration window, on the Microsoft Entra tab.
- In Tenant ID (Directory ID), paste the Directory (tenant) ID from Entra. SimplyPrint builds the issuer URL for you, in the form https://login.microsoftonline.com/your-tenant-id/v2.0
- Click Check. SimplyPrint reads Entra's discovery document and shows the resolved endpoints, which confirms the tenant ID is correct.
- In Client ID, paste the Application (client) ID.
- In Client secret, paste the secret Value you copied. Once saved, this field shows "Unchanged" - leave it blank on future edits to keep the stored secret, or type a new one to replace it.
- Leave Scopes at the default openid profile email unless you have a reason to change them.
- Click Save.
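If you want to see what the Check step is confirming, here is an added example (not SimplyPrint's own code) that builds the issuer URL from a tenant ID and checks that a discovery document agrees with it. The function names are made up for illustration, and the sample document is constructed for the placeholder tenant ID rather than fetched from Entra.

```python
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def issuer_for(tenant_id: str) -> str:
    """Build the issuer URL in the form the guide shows for a tenant ID."""
    tenant_id = tenant_id.strip()
    if not GUID_RE.fullmatch(tenant_id):
        raise ValueError("tenant ID is not a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery publishes provider metadata at this well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(tenant_id: str, doc: dict) -> list:
    """Return the problems found; an empty list means the document is consistent."""
    expected = issuer_for(tenant_id)
    problems = []
    # The issuer in the document must be exactly the issuer it was fetched for.
    if doc.get("issuer") != expected:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected!r}")
    for key in ENDPOINT_KEYS:
        parts = urlsplit(str(doc.get(key, "")))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{key} is missing or not an https URL")
    return problems


# Constructed sample document for the placeholder tenant ID (not fetched from Entra).
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://login.microsoftonline.com/{TENANT}"
SAMPLE_DOC = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    print(discovery_url(issuer_for(TENANT)))
    print(check_discovery(TENANT, SAMPLE_DOC) or "discovery document is consistent")
```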
Let new members get an account automatically
When someone signs in through Entra for the first time and they don't have a SimplyPrint account yet, SimplyPrint can create one for them automatically (just-in-time provisioning). For safety this only happens when the email address is trustworthy.
Here's the catch with Entra: Microsoft Entra ID does not send an email-verified signal in its tokens. SimplyPrint's "require verified email" check would therefore block automatic account creation for Entra users. The configuration window shows this note on the Entra tab: "Microsoft Entra ID doesn't send email verification status, use verified domains instead."
You have two ways to make automatic account creation work with Entra:
- Verify your email domains (recommended). Add and verify your organization's email domains in the SSO settings. Once a domain is verified, SimplyPrint trusts emails on that domain even without a verified signal from Entra. See Verified email domains for SSO.
- Turn off "require verified email". In the configuration window, expand Advanced and untick Require verified email. This lets any user from your provider get an account, so only use it when you trust everyone your Entra tenant lets through.
If neither applies, an existing member can still sign in, but a brand-new user is told their email couldn't be confirmed and no account is created.
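The decision described above, written out as an added example (an illustration of the rules in this section, not SimplyPrint's own code). The class, field and function names are hypothetical, the claims are constructed sample data, and matching a verified domain exactly (no subdomains) is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class SsoSettings:
    # Mirrors the "Require verified email" tick box under Advanced.
    require_verified_email: bool = True
    # Lower-case domains verified in the SSO settings.
    verified_domains: set = field(default_factory=set)


def email_domain(email: str) -> str:
    """Domain part of an address, lower-cased; empty string if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def may_auto_create(claims: dict, settings: SsoSettings) -> tuple:
    """Decide whether a first-time sign-in may get an account, with the reason."""
    domain = email_domain(claims.get("email") or "")
    if not domain:
        return False, "no usable email claim"
    # Assumption: exact match only, so a verified example.com does not
    # extend trust to subdomains or look-alike domains.
    if domain in settings.verified_domains:
        return True, "email is on a verified domain"
    if not settings.require_verified_email:
        return True, "verified-email requirement is turned off"
    # Only a literal boolean True counts; Entra sends no email_verified at all.
    if claims.get("email_verified") is True:
        return True, "provider asserted email_verified"
    return False, "email could not be confirmed"


# Constructed claims shaped like an Entra sign-in: no email_verified claim.
ENTRA_CLAIMS = {"email": "Ada@Example.com", "given_name": "Ada", "family_name": "L"}

if __name__ == "__main__":
    print(may_auto_create(ENTRA_CLAIMS, SsoSettings()))
    print(may_auto_create(ENTRA_CLAIMS, SsoSettings(verified_domains={"example.com"})))
    print(may_auto_create(ENTRA_CLAIMS, SsoSettings(require_verified_email=False)))
```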
Test the connection before rolling it out
The configuration window has a Test sign-in button. It runs the real sign-in flow against Entra and shows you exactly which claims came back, without logging anyone in or creating an account. This is the safest way to confirm everything is wired up.
- Save your settings first.
- Click Test sign-in. A new tab opens and runs the Microsoft sign-in.
- Come back to SimplyPrint to see the claims that were received, and a warning if any mapped claim is missing.
Once the test shows the claims you expect (email, given name, family name), your members can sign in from your account's login page. To link a member's existing email-and-password SimplyPrint account to their Entra login, see Linking your existing account to SSO and Signing in with SSO.
Map Entra groups to user groups (optional)
By default SimplyPrint maps Entra's standard claims: email to email, given_name to first name, and family_name to last name. You can adjust these under Claim mappings in the configuration window.
If you want to assign members to SimplyPrint user groups based on their Entra groups, there's one extra step in Entra: groups are not sent by default and need an optional groups claim configured.
- In Entra, on your app registration, under Manage, select Token configuration.
- Select Add groups claim (or Add optional claim, choose the ID token type, then the groups claim).
- Pick which groups to include. "Groups assigned to the application" is a good choice to keep tokens small.
- Back in SimplyPrint's Claim mappings, map the groups claim to the User Group field.
The group-to-user-group concept works the same way it does for SAML - see SSO user groups and group mapping for how the mapping itself behaves.
A note on sign-out
When a member signs out of SimplyPrint, SimplyPrint can also end their session at the identity provider when the provider advertises a sign-out endpoint. Microsoft Entra ID supports this, so signing out of SimplyPrint can sign the member out of Entra too.
If something doesn't work
The configuration window has a built-in debug panel. Expand Last received claims (debug) to see the most recent claims Entra sent (email addresses are masked), and Last sign-in error (debug) to see the most recent error. These two panels are the fastest way to spot a problem.
A few common Entra-specific issues:
- Sign-in fails immediately after Microsoft login - the redirect URI in Entra doesn't match the one in SimplyPrint. Re-copy it from SimplyPrint and compare character for character.
- New users can't get an account - Entra doesn't send a verified-email signal. Verify your email domains, or turn off "require verified email" (see the section above).
- Sign-in worked, then stopped weeks later - the client secret expired. Create a new secret in Entra and paste its new Value into SimplyPrint.
For more on reading the debug panel and fixing connection errors, see Troubleshooting OIDC single sign-on.
Related articles
- OIDC single sign-on overview
- Verified email domains for SSO
- Troubleshooting OIDC single sign-on
- SAML single sign-on hub
- Linking your existing account to SSO
- Signing in with SSO
- SSO user groups and group mapping
Updated on: 13/06/2026