Control Center Azure SAML-based SSO Access Requirements


Control Center should now be accessed through My Moveworks

Please set up the My Moveworks SSO app instead.

See here for more details:


  1. Access to Azure admin portal.
  2. Appropriate IAM permissions in Azure to create new enterprise application.


  1. Navigate to Enterprise Applications in Azure AD ( and select New Application.
  2. Select Create your own application.
  3. Select Non-gallery application
  4. After the resource finishes deploying (it may take a few seconds), then select Configure single sign-on
  5. Select SAML as the single sign-on method.
  6. Then enter the following SAML configuration, based on your environment, you will need to use the appropriate url for the environment you org is in.
    1. Entity ID:
    2. Reply URL:
      1. Commercial Environment:
        GovCloud Environment:
        EU Environment:
        Canada Environment:
    3. Sign on URL: leave blank
    4. Relay State: {moveworks_org_name}
    5. Logout URL: leave blank
  7. Ensure the configuration was saved successfully, you should see this green icon on the top right, indicating it is successfully saved:
  8. Confirm the Unique User Identifier (name ID) is set. By default, this should be mail.
    1. Clarify with your Moveworks Customer Success team whether the identifier should be mail or userPrincipalName.
  9. Download the Base 64 Certificate and provide it to your Moveworks Customer Success team. The certificate file will look something like:
  10. Provide the following attributes to your Moveworks Customer Success team:
    1. Login URL
    2. Base 64 Certificate
    3. Screenshot of the SAML Configuration from the step above e.g:
  11. Assign users who should have access to the Moveworks Control Center application. Typically this is done using an Azure AD Security Group, but users can be assigned individually as well.
    1. 📘

      Note: Roles within the Control Center (e.g. users who have permission to send
      Employee Communications vs. draft-only users) must be set by your Moveworks
      Customer Success team.

Completion and Verification

Once the information collected above (downloaded certificate and Login URL) is provided, Moveworks will configure your organization’s SSO settings to re-route your organization’s SAML based SSO.

This will take 24-48 hours to take effect, upon which Moveworks will notify you and ask you to verify that you can successfully log into the Control Center interface. To login simply navigate to the relevant URL below, and then type in your email address:

Commercial Environment:
GovCloud Environment:
EU Environment:
Canada Environment: