This guide walks you through configuring single sign-on (SSO) for Brellium using Microsoft Entra ID (formerly Azure Active Directory). You register an application in your Entra ID tenant and provide the credentials to Brellium to complete the connection.

Prerequisites

Before you begin, ensure you have:
  • Administrator access to your Microsoft Entra ID tenant
  • A Brellium admin account with permissions to authorize integrations

Supported features

The Brellium Microsoft Entra ID integration supports the following features:
  • SP-initiated SSO — Users can sign in to Brellium from the Brellium sign-in page, which redirects to Microsoft Entra ID for authentication.
  • IdP-initiated SSO — Users can sign in to Brellium directly from the Microsoft My Apps portal by clicking the Brellium tile.
  • Just-In-Time (JIT) provisioning — User accounts are automatically created in Brellium on first sign-in through Microsoft Entra ID. The following attributes are provisioned:
    • Email address
    • Full name
  • Federated logout (SLO) — Users who sign out from Brellium also have their Microsoft Entra ID session terminated.
To provision and deprovision users in Brellium using SCIM, see the SCIM Provisioning Configuration guide.

Configuration steps

Step 1: Register an application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Applications > App registrations.
  3. Click New registration.
  4. Configure the following settings:

| Setting | Value |
| --- | --- |
| Name | Brellium (or your preferred application label) |
| Supported account types | Select Accounts in this organizational directory only (Single tenant) to limit access to your organization. To allow users from external Azure AD directories, select Accounts in any organizational directory (Any Azure AD directory - Multitenant). |
| Redirect URI | Select Web and enter the callback URL provided by Brellium. |

  5. Click Register.

On the application’s Overview page, note the Application (client) ID. You will need this later.

Make sure you are in the correct Azure AD directory when registering the application. If you have multiple directories, verify you are in the intended tenant before proceeding.

Contact your Brellium customer success manager or Brellium support to obtain the correct Redirect URI for your organization.

If you did not set the Redirect URI during registration, you can add it afterward:
  1. In the registered Brellium application, go to Authentication under Manage.
  2. Click Add a platform and select Web.
  3. Enter the Redirect URI provided by Brellium.
  4. Click Configure.

Step 2: Create a client secret

  1. In the registered Brellium application, go to Certificates & secrets under Manage.
  2. Click New client secret.
  3. Enter a description (e.g., Brellium SSO) and select an expiration period.
  4. Click Add.
  5. Copy the Value of the new client secret immediately. It is only shown once.

If you configure an expiring secret, record the expiration date. You must renew the secret before it expires to avoid a service interruption. When you renew the secret, provide the new value to Brellium.

Step 3: Add API permissions

  1. In the registered Brellium application, go to API permissions under Manage.
  2. Click Add a permission > Microsoft Graph > Delegated permissions.
  3. Add the following permissions:

| Permission | Description |
| --- | --- |
| User.Read | Allows the app to sign in users and read their profiles |
| Directory.Read.All | Allows the app to read directory data on the signed-in user’s behalf |

  4. Click Add permissions.
  5. If required by your organization, click Grant admin consent to consent on behalf of all users in the directory.

Step 4: Provide credentials to Brellium

Provide the following values to your Brellium customer success manager or Brellium support to complete the connection:

| Value | Where to find it |
| --- | --- |
| Application (client) ID | App registrations > Brellium > Overview |
| Client secret | The secret value you copied in the previous step |
| Microsoft Entra ID domain | Your Azure AD directory’s primary domain (e.g., yourcompany.onmicrosoft.com), found on the directory’s Overview page |

Brellium configures the enterprise connection on your behalf. You will be notified when the setup is complete.

Step 5: Grant admin consent

Once Brellium has configured the connection, an administrator in your Azure AD tenant must grant consent for the application. Your Brellium contact will provide a consent URL.
  1. Open the consent URL in a browser.
  2. Sign in with an Azure AD administrator account.
  3. Review the permissions and click Accept.
If you do not have the appropriate Azure AD administrative permissions to grant consent, share the consent URL with an administrator in your organization.

Step 6: Assign users and groups

  1. In the Microsoft Entra admin center, go to Identity > Applications > Enterprise applications.
  2. Select the Brellium application.
  3. Go to Users and groups under Manage.
  4. Click Add user/group.
  5. Select the users or groups to assign and click Assign.

Step 7: Verify the configuration

Verify that SSO is working correctly.

Verify IdP-initiated SSO:
  1. Go to the Microsoft My Apps portal.
  2. Click the Brellium tile.
  3. Confirm that you are signed in to Brellium without being prompted for additional credentials.
Verify SP-initiated SSO:
  1. Open a new browser window and go to the Brellium sign-in page.
  2. Click Sign in with Microsoft.
  3. Enter your Microsoft Entra ID credentials.
  4. Confirm that you are signed in to Brellium.
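
The following check is an added example, not part of Brellium's or Microsoft's documentation: it audits the app registration from steps 1 and 2 using the JSON that Microsoft Graph returns for the application object (for instance from `az ad app show --id <client-id>`). The function name, the callback URL and the sample data are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

def audit_app_registration(app, expected_redirect_uri, now, warn_days=30):
    """Check a Microsoft Graph `application` object (dict) against this guide."""
    findings = []

    # Step 1: single tenant (AzureADMyOrg) limits sign-in to your own directory.
    audience = app.get("signInAudience")
    if audience != "AzureADMyOrg":
        findings.append(f"signInAudience is {audience}: confirm external access is intended")

    # Step 1: the Web platform should list only the callback URL Brellium provided.
    uris = (app.get("web") or {}).get("redirectUris") or []
    if expected_redirect_uri not in uris:
        findings.append("expected redirect URI is not registered")
    for uri in uris:
        if uri != expected_redirect_uri:
            findings.append(f"unexpected redirect URI: {uri}")

    # Step 2: flag client secrets that have expired or expire within warn_days.
    for cred in app.get("passwordCredentials") or []:
        # Graph timestamps end in "Z"; older Python versions need an explicit offset.
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        label = cred.get("displayName") or cred.get("keyId")
        if end <= now:
            findings.append(f"client secret '{label}' expired on {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret '{label}' expires in {(end - now).days} days")
    return findings

# Constructed sample (not real tenant data): multitenant audience, a stray
# localhost redirect URI, and a secret that expires 10 days after NOW.
# The example.invalid callback URL is a placeholder for the one Brellium provides.
EXPECTED_URI = "https://sso.example.invalid/callback"
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE = json.loads("""{
  "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://sso.example.invalid/callback",
                           "http://localhost:3000/callback"]},
  "passwordCredentials": [{"displayName": "Brellium SSO",
                           "endDateTime": "2025-01-20T00:00:00Z"}]
}""")

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE, EXPECTED_URI, NOW):
        print("FINDING:", finding)
```

Running the same check on a schedule gives advance warning of the expired-secret failure listed under Troubleshoot.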

SP-initiated SSO

After the integration is configured, users can sign in to Brellium using one of the following methods:
For SP-initiated SSO, users must access Brellium through one of the options below. Direct sign-in at app.brellium.com without a verified domain will not automatically redirect to Microsoft Entra ID.
Option 1: Use your organization’s Brellium domain

Navigate directly to your organization’s dedicated Brellium URL (e.g., https://myorganization.brellium.app). You are automatically redirected to Microsoft Entra ID for authentication.

Option 2: Sign in with a verified domain

If your organization has configured verified domains:
  1. Go to https://app.brellium.com.
  2. Enter your email address.
  3. You are automatically redirected to Microsoft Entra ID for authentication based on your email domain.
If your organization has not yet configured verified domains, contact your customer success manager or Brellium support to set this up.
If your credentials are valid, you are redirected to the Brellium dashboard.

Troubleshoot

| Issue | Cause | Solution |
| --- | --- | --- |
| "Access cannot be granted to this service" error | Supported account types are misconfigured | Verify the Supported account types in the app registration. If external users need access, select the appropriate multitenant option. |
| "invalid_request; failed to obtain access token" error | Azure AD client secret is invalid or expired | Generate a new client secret in Azure AD and provide the updated value to Brellium |
| Users aren’t created on first sign-in | Just-In-Time provisioning isn’t enabled | Contact Brellium support to enable JIT provisioning for your organization |
| Application not visible in Azure AD | App was registered in the wrong directory | Verify you are in the correct Azure AD tenant and re-register the application if needed |

Signing key rollover

Microsoft Entra ID periodically rolls its signing keys for security purposes. You do not need to take any action — Brellium uses the new key automatically.

Support

If you have questions or encounter issues not covered in this guide, contact the Brellium support team: