Set up Microsoft Entra OIDC single sign-on (SSO) for my team

Feature availability

Important: The BioDigital team must first enable SSO for your account. If you are interested in enabling SSO for your team, contact your dedicated Account Manager or our Customer Experience team.

Use this guide to configure Microsoft Entra OIDC single sign-on (SSO) for your BioDigital Human team. Once enabled, team members can authenticate using their Microsoft Entra credentials instead of a separate BioDigital password.

 

Before you begin

Before starting configuration, make sure:

  • Your organization uses Microsoft Entra ID
  • You have administrator access to the Microsoft Entra admin center
  • You also have administrator access to your BioDigital Human team account

 

Step 1: Register the BioDigital Human in Microsoft Entra

Start by registering the BioDigital Human app in your Microsoft Entra account:

  1. Log in to the Microsoft Entra admin center as an administrator.
  2. Expand Entra ID in the left navigation menu and select App registrations.
  3. Click + New registration.

  4. In the Name field, enter "BioDigital Human".
  5. Under Supported account types, select Accounts in this organizational directory only.

    Note: This ensures only users in your organization can authenticate using Entra credentials.

  6. Under Redirect URI:

    • Select Web
    • Enter: https://human.biodigital.com/ws/user/sign/in/entra

  7. Under Permissions, check the box next to Grant admin consent to openid and offline_access permissions.

    Note: This prevents users from being prompted to approve permissions individually during first login.

  8. Click Register.

 

Step 2: Add required API permissions

Next, you will need to configure the required API permissions for your new BioDigital Human app:

  1. Open the app registration you just created.
  2. Under Manage, select API permissions.
  3. Click + Add a permission.
  4. In the Microsoft APIs tab, select Microsoft Graph.
  5. Select Delegated Permissions.
  6. Enable the following permissions:
    • email
    • offline_access
    • openid
    • profile
    • User.Read
  7. Click Add permissions.
  8. When prompted, grant admin consent by clicking Yes.

 

Step 3: Collect Microsoft Entra credentials

Next, collect the three Microsoft Entra credentials required for your BioDigital Human SSO configuration:

  • Client ID
  • Tenant ID
  • Client secret

Your client ID and tenant ID can be retrieved from Microsoft Entra at any time, but your client secret must be generated manually.

To retrieve your client ID and tenant ID:

  1. In the same app registration record, select Overview under the search bar.
  2. Copy and store the following values (you will need these in Step 4):
    • Application (client) ID
    • Directory (tenant) ID


To generate your client secret:

  1. In the same app registration record, select Certificates & secrets under Manage.
  2. Open the Client secrets tab.
  3. Click + New client secret.
  4. Enter a description (for example, BioDigital-Human-SSO-Secret).
  5. Select an expiration period, such as 365 days (12 months).

    Note: When this secret expires, an administrator must generate a new one and update it in your BioDigital Human account to keep SSO functioning.

  6. Click Add.

    Warning: Copy your client secret immediately after creation. Microsoft will only display this value once.

  7. Copy the client secret from the Value field and store it securely.
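
To confirm what Steps 1 and 3 produced, this added example (not BioDigital or Microsoft code) audits the application object as exported by `az ad app show --id <client-id>`. It checks the single-tenant setting, the redirect URI from Step 1, and client secret expiry. It assumes the Microsoft Graph property names signInAudience, web.redirectUris and passwordCredentials; the function names, the 30-day warning window and the sample data are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Redirect URI from Step 1 of this guide.
EXPECTED_REDIRECT = "https://human.biodigital.com/ws/user/sign/in/entra"

def parse_utc(ts):
    """Parse a Graph timestamp such as 2026-06-15T00:00:00.1234567Z (UTC assumed)."""
    m = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    return datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_registration(app, now, warn_days=30):
    """Return findings for one application object; an empty list means clean."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single-tenant (AzureADMyOrg)")
    uris = (app.get("web") or {}).get("redirectUris") or []
    if EXPECTED_REDIRECT not in uris:
        findings.append("BioDigital redirect URI is missing")
    for extra in sorted(set(uris) - {EXPECTED_REDIRECT}):
        findings.append(f"unexpected redirect URI: {extra}")
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret present")
    for cred in secrets:
        name = cred.get("displayName") or cred.get("keyId", "?")
        end = parse_utc(cred["endDateTime"])
        if end < now:
            findings.append(f"secret '{name}' expired on {end.date()}")
        elif (end - now).days <= warn_days:
            findings.append(f"secret '{name}' expires in {(end - now).days} day(s)")
    return findings

# Constructed sample: a correct registration whose secret is close to expiry.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": [EXPECTED_REDIRECT]},
    "passwordCredentials": [{"displayName": "BioDigital-Human-SSO-Secret",
                             "endDateTime": "2026-06-15T00:00:00.1234567Z"}],
}

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_APP, NOW):
        print(finding)
```

Running this on a schedule against the exported JSON gives advance notice to rotate the secret and update it in BioDigital Human before SSO stops working.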

 

Step 4: Configure SSO in the BioDigital Human

The final step is to create your SSO configuration in the BioDigital Human using the Microsoft Entra credentials you just collected:

  1. Log in to the BioDigital Human.
  2. Click the profile icon in the upper-right corner and select Team from the drop-down menu.
  3. Click Manage.
  4. Open the Team Access tab and scroll down.
  5. Under Single Sign-On (SSO) Configuration, click + Add SSO Configuration.
  6. Under SSO Provider, select Microsoft Entra ID (OIDC) from the drop-down menu.
  7. Enter a Configuration Name.
  8. Enter the Microsoft Entra credentials you just collected into the relevant fields:

    • Client ID
    • Tenant ID
    • Client secret

  9. Check the box next to Enable this SSO configuration.
  10. Click Save Configuration.

Success—your Microsoft Entra OIDC integration is now active!

 

What to expect after SSO is enabled

Existing users

The next time an existing team member signs in, they will be prompted to link their BioDigital Human account to their Microsoft Entra account.

Once linked, future logins will occur through SSO.

New users

New team members will be prompted to authenticate through Microsoft Entra when creating a BioDigital Human account.

If SSO is later disabled, these users will be required to create a BioDigital password.

Administrator fallback login

In the event of SSO failure, administrators are able to sign in with their original password.

For this reason, password setup remains required for all Administrator accounts.

 
