Enable Single Sign-On (SSO) for your organization in Uniqkey using Microsoft Entra ID (Azure AD). Setup has two parts: configure a few options in Uniqkey, then handle consent and access in Microsoft Entra.
Part A - Uniqkey
In the Uniqkey Admin Portal:
1. Disable ‘Require mobile authentication’ for the organization (Settings → Security settings → Governance). SSO requires users not to authenticate through the Uniqkey mobile app.
2. Enable SSO under Settings → Integrations → SSO and paste your Microsoft Directory (tenant) ID. The ID can be found in Entra: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview
3. Add your email domain (Settings → Verified Domains → Add Domain). SSO only triggers for verified domains.
4. Invite users with the Phoneless option ticked (bulk invite or invite individual users).
A user only gets the SSO onboarding email when all three are true:
- SSO is configured
- ‘Require mobile authentication’ is disabled
- User was invited without requiring mobile authentication.
Otherwise, they get the normal phone-based onboarding.
Part B - Microsoft Entra side
Consent dialog
The first time a user signs in via SSO, Microsoft shows a Permissions requested dialog. The requested permissions are minimal - view basic profile and keep the user signed in. Uniqkey gets no access to mail, files, Teams, or other company data.
The “unverified / not published by your organization” label is expected.
The Microsoft “Permissions requested” dialog shown at first sign-in.
Admin consent (recommended)
Grant consent once for the whole tenant so users never see the dialog. Sign in as a Global Administrator or Cloud Application Administrator and open this URL:
https://login.microsoftonline.com/<your-tenant-id>/adminconsent?client_id=<uniqkey-app-id>
Review the requested permissions and approve. After this, users sign in without the consent prompt.
Granting admin consent on the Uniqkey enterprise application.
Controlling who can sign in
In the Uniqkey enterprise application → Properties, the Assignment required switch sets the gate:
- Assignment required = No (default): any user invited in Uniqkey can sign in - the Uniqkey invite is the gate.
- Assignment required = Yes: only users and groups you assign under Users and groups can sign in; everyone else is blocked (error AADSTS50105). Layer Conditional Access (MFA, device, location) here if needed.
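To confirm the result of the consent and assignment settings described above, the following read-only audit can be run with the Microsoft Graph PowerShell SDK. It is an added example, not a script from Uniqkey or Microsoft. The `<uniqkey-app-id>` placeholder and the `$AllowedScopes` list are assumptions to adjust to what your consent dialog shows.

```powershell
# Added example: read-only audit of the Uniqkey enterprise application in Entra.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
$UniqkeyAppId  = '<uniqkey-app-id>'   # placeholder, same value as in the admin consent URL
# Assumption: delegated scopes that match "basic profile / stay signed in".
# Adjust to the scopes your consent dialog actually lists.
$AllowedScopes = @('openid', 'profile', 'email', 'offline_access', 'User.Read')

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$UniqkeyAppId'"
if (-not $sp) { throw "No enterprise application with appId $UniqkeyAppId in this tenant." }
"Enterprise app      : $($sp.DisplayName)"
"Assignment required : $($sp.AppRoleAssignmentRequired)"

# Delegated grants: ConsentType 'AllPrincipals' = tenant-wide admin consent,
# 'Principal' = consent given by one user.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$grants | ForEach-Object {
    $scopes = @($_.Scope -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        ConsentType = $_.ConsentType
        Scopes      = $scopes -join ' '
        Unexpected  = @($scopes | Where-Object { $_ -notin $AllowedScopes }) -join ' '
    }
} | Format-Table -AutoSize

# Application (app-only) permissions held by the app. The permissions described
# above are delegated, so any entry here deserves review.
$appOnly = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
"App-only permission assignments: $($appOnly.Count)"

# Who passes the gate when Assignment required = Yes.
if ($sp.AppRoleAssignmentRequired) {
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Select-Object PrincipalDisplayName, PrincipalType | Format-Table -AutoSize
} else {
    "Assignment not required: the Uniqkey invite is the only gate."
}
```

An empty `Unexpected` column and zero app-only assignments match the minimal permissions described in the consent section; anything else should be reviewed before rollout.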