# Setup in Microsoft Entra ID

This page explains how to register SonarQube Server in Microsoft Entra ID. This is the first step of SAML authentication setup with Microsoft Entra ID. For an overview of the complete setup, see [introduction](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/ms-entra-id/introduction "mention").

## Step 1: Create the SAML application for SonarQube Server in MS Entra ID <a href="#create-app" id="create-app"></a>

1\. In **Microsoft Entra ID**, go to **Manage > Enterprise applications > All applications**.

2\. Select **New application** and then **Create your own application**.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-f7582f426b0a3136b2875409d1bffcd9e86b4e85%2F7c8b30674c29f020165fd6c40ed2b4082822fa71.png?alt=media)

3\. Fill in the name and select the **Integrate any other application you don’t find in the gallery** option.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-0e5da4bae8c535935277e293bc722b23bae05a43%2F0a5e1a1c04c920b1a5971e9aa50a038ff9d9140e.png?alt=media)

4\. Select **Create**.

## Step 2: Configure the application for SonarQube Server in MS Entra ID <a href="#configure-app" id="configure-app"></a>

1\. Go to **Single sign-on > SAML**. The **Set up Single Sign-On with SAML** page opens.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-294cb16779fb1d54497e215638b6c399749265e0%2F2249d71111dd8d7ff377045f465c30515131e248.png?alt=media)

2\. In the **Basic SAML Configuration** section of the page, select **Edit**, fill in the **Identifier** and the **Reply URL** fields as described below, and save.

<details>

<summary>Basic configuration fields</summary>

| **Field**  | **Description**                                                                                                                                                                                                                                                                                                                     |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Identifier | Identifier of the SonarQube Server application in Entra ID.                                                                                                                                                                                                                                                                         |
| Reply URL  | <p>Must be in the format:<br><code>\<sqServerBaseUrl>/oauth2/callback/saml</code></p><p><strong>Example</strong>: <code>https://my-sonarqube.com/oauth2/callback/saml</code></p><p><strong>Note</strong>: Make sure <a data-mention href="../../../server-base-url">server-base-url</a> is correctly set in SonarQube Server.</p> |

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-42a5f218072f9a3e99aa9f871304a5ae2bdfacfb%2F9899ef23dad99d9a63b6dabcac5253030d00825b.png?alt=media)

</details>

3\. In the **Attributes & Claims** section of the page, configure the attributes used by SonarQube Server as described below. To add an attribute, select **Add new claim**.

<details>

<summary>Attributes &#x26; claims</summary>

The table below shows possible mappings you can use for the SAML attributes used by SonarQube Server.

| **SAML attribute used by SonarQube Server** | **Description**                                         | **Attribute in Microsoft Entra ID**  | **Required** |
| ------------------------------------------- | ------------------------------------------------------- | ------------------------------------ | ------------ |
| Login                                       | A unique name to identify the user in SonarQube Server. | Examples: `emailaddress`, `objectID` | x            |
| Name                                        | The full name of the user.                              | Example: `givenname`                 | x            |
| Email                                       | The email of the user.                                  | Example: `emailaddress`              |              |

{% hint style="warning" %}
The NameID attribute is not used in SonarQube Server.
{% endhint %}

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-e092fd4697187a0c8adfb1e302bd620e699a82bd%2Fead2a8c89fc5aeccef6d795acc860915420703d6.png?alt=media)

</details>

4\. If you use the group synchronization feature, add a group attribute as described below. With group synchronization, if a matching group is found in SonarQube Server, the Entra ID user account’s membership in that group is synchronized in SonarQube Server. Alternatively, you can use SCIM user and group provisioning; see [scim-provisioning-with-azure-ad](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/scim/scim-provisioning-with-azure-ad "mention").

<details>

<summary>Adding a group attribute</summary>

1. Select **Add a group claim**, and configure the group attribute as follows:
   * **Group Claims**: **Groups assigned to the application**
   * **Source attribute**: **sAMAccountName**
2. Once done, the option to add a group will be unavailable and the group attribute will be listed with the other attributes in the **Add new claim** tab.

</details>

{% hint style="warning" %}
* Group synchronization doesn’t work with Microsoft Entra ID’s nested groups.
* Microsoft Entra ID SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the [Claims in SAML Token](https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens#claims-in-saml-tokens) table). In such cases, you might need to reduce the number of groups the user is in.
{% endhint %}

5\. In the **SAML Certificates** section of the page, download **Certificate (Base64)**. You will have to copy and paste the downloaded certificate into SonarQube Server during the [setup-in-sq](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/ms-entra-id/setup-in-sq "mention") step.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-80078f623f6ffba78d2f1d59b25bad330761f13e%2F2ca3f643aaf4cd841920fbe4003734c17e41236e.png?alt=media)

6\. Assign users and groups as follows:

* Go to **Manage > Users and groups**.
* Select **Add user/group** to assign users or groups to the application.
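
The following added example (not part of the SonarQube documentation or SonarSource code) checks a decoded SAML response from a test sign-in against the settings from Step 2: the Reply URL format, the required Login and Name claims, and the optional group claim. The claim URIs, the `check_response` helper and the sample response are assumptions constructed for illustration; use the claim names shown in your own **Attributes & Claims** section.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim names (Entra ID's default namespaces); replace with your own.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: a decoded SAML response trimmed to the elements checked below.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://my-sonarqube.com/oauth2/callback/saml">
  <saml:Assertion>
    <saml:Subject><saml:NameID>not-used-by-sonarqube</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GROUPS}">
        <saml:AttributeValue>sonar-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, base_url, mapping, expect_groups=False):
    """Return a list of configuration problems (empty list = checks passed).

    Checks configuration only; it does not verify the signature or conditions.
    """
    root = ET.fromstring(xml_text)
    problems = []
    expected = base_url.rstrip("/") + "/oauth2/callback/saml"
    if root.get("Destination") != expected:
        problems.append(f"Reply URL: got {root.get('Destination')!r}, expected {expected!r}")
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        found = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [v for v in found if v]
    for field in ("Login", "Name"):  # the two attributes the table marks as required
        if field not in mapping:
            problems.append(f"{field}: no claim mapped (required)")
    for field, claim in mapping.items():
        if not values.get(claim):
            problems.append(f"{field}: claim {claim!r} missing or empty")
    if expect_groups and not values.get(GROUPS):
        problems.append("Groups: group claim missing or empty")
    return problems


if __name__ == "__main__":
    mapping = {"Login": CLAIMS + "emailaddress", "Name": CLAIMS + "givenname"}
    print(check_response(SAMPLE, "https://my-sonarqube.com", mapping, expect_groups=True))
```
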

## Related pages <a href="#related-pages" id="related-pages"></a>

* [overview](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/overview "mention")
* [setup-in-sq](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/ms-entra-id/setup-in-sq "mention")
* [optional-security-features](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/ms-entra-id/optional-security-features "mention")
* [scim-provisioning-with-azure-ad](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/scim/scim-provisioning-with-azure-ad "mention")
