Microsoft Entra Installation Guide (OIDC)

Prerequisites

🚧

Making edits?

Before you edit your SSO configuration, make sure you are logged into MyMoveworks. Otherwise, you will not be able to log in and update your SSO configuration details.

Microsoft Entra Prerequisites

  • Ensure you have access to the Azure Admin Portal with the appropriate IAM permissions in Azure to register a new Enterprise Application.

Moveworks SSO Prerequisites

  • Your Moveworks organization should be initialized (verify with your account team)

  • Note the following values.

    • data_center_domain - the data center where your organization is hosted (see table below).

    • subdomain - your organization's login subdomain. This will generally match your customer_id, but you can verify or customize it in General Information.

      🚧

      Warning

      Make sure you ONLY note your unique subdomain. For example, if your organization's login subdomain is acme.moveworks.com, then your subdomain is acme and your data_center_domain is moveworks.com.

    • [Optional] customer_id - unique identifier for your organization (cannot be changed). This is stored as Org Name under Organization Details > General Information.


Data Center                  data_center_domain
United States (default)      moveworks.com
Canada                       am-ca-central.moveworks.com
EU                           am-eu-central.moveworks.com
Australia / Asia Pacific     am-ap-southeast.moveworks.com
Government Secure Cloud      moveworksgov.com

Configuration Steps

Create OIDC Application

We recommend setting up a new, separate app registration for this step instead of reusing the app registration created for the Teams bot setup.

  1. Go to https://portal.azure.com/

  2. Find the App Registrations service

  3. Select New Registration

  4. Register the Application

    • Name: Moveworks
    • Supported account types: Accounts in this organizational directory only
  5. Select Register

Configure Moveworks Settings

  1. Go to Manage > Branding & properties and update the following:

    • Upload new logo:

    • Home Page URL: https://{{subdomain}}.{{data_center_domain}}

  2. Go to Manage > Authentication, Select Add a Platform and choose Web


  3. Add your Redirect URI as https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc

Enable User Access

  1. Go to Enterprise Applications

  2. Find the application you created


  3. Go to Security > Permissions and click Grant admin consent for {{your company}}.

Generate Client Secret

  1. Navigate back to the App Registration page. The following settings are not available on the Enterprise Application page.

  2. Go to Certificates & secrets.

  3. Click New client secret.

  4. Add Description and Expires. We recommend selecting 24 months as the expiration policy.

  5. Write down the Value as your idp_secret

  6. Go to the Overview tab and note down your Application (client) ID. This is your idp_client_id

  7. Click Endpoints > OpenID Connect metadata document and paste it in your browser

  8. Copy the issuer from the resulting JSON. This is your idp_issuer


Add SSO Configuration in MyMoveworks

  9. Navigate to SSO Settings in MyMoveworks


  10. If you already see a studio config, edit it. Otherwise, choose Create.

  11. Add your configuration using the values you've noted above

  12. Click Submit.

  13. Wait a few minutes, then attempt to log into your instance at https://{{subdomain}}.{{data_center_domain}}
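The values collected above (subdomain, data_center_domain, the redirect URI, and the issuer from the metadata document) are easy to get subtly wrong, most often by noting the full login host instead of the bare subdomain. The following Python pre-flight check is an added example, not Moveworks or Microsoft code: it splits a login host into subdomain and data_center_domain using the table in this guide, derives the Home Page URL and Redirect URI, and pulls idp_issuer from a constructed sample of the OpenID Connect metadata document (placeholder tenant id, not a real tenant).

```python
import json
import re

# data_center_domain table from this guide (display name -> domain).
DATA_CENTER_DOMAINS = {
    "United States": "moveworks.com",
    "Canada": "am-ca-central.moveworks.com",
    "EU": "am-eu-central.moveworks.com",
    "Australia / Asia Pacific": "am-ap-southeast.moveworks.com",
    "Government Secure Cloud": "moveworksgov.com",
}

# Constructed sample of an OpenID Connect metadata document with a placeholder
# tenant id; in practice paste the real document from Endpoints into this check.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


def split_login_host(host):
    """Split 'acme.am-eu-central.moveworks.com' into ('acme', data_center_domain).
    Longest suffix wins, since 'moveworks.com' is a suffix of the regional domains;
    whatever remains must be a single bare label (the subdomain warning above)."""
    host = host.lower().strip().removeprefix("https://").rstrip("/")
    for dc_domain in sorted(DATA_CENTER_DOMAINS.values(), key=len, reverse=True):
        if host.endswith("." + dc_domain):
            sub = host[: -len(dc_domain) - 1]
            if re.fullmatch(r"[a-z0-9-]+", sub):
                return sub, dc_domain
            raise ValueError(f"subdomain must be one bare label, got {sub!r}")
    raise ValueError(f"{host!r} is not under a known data_center_domain")


def build_sso_config(host, metadata_json):
    """Derive the URLs for Azure and the idp_issuer for MyMoveworks."""
    subdomain, dc_domain = split_login_host(host)
    meta = json.loads(metadata_json)
    issuer = meta["issuer"]
    if not issuer.startswith("https://"):
        raise ValueError("idp_issuer must be an https URL")
    # Moveworks requests only openid, email and profile; confirm the IdP advertises them.
    missing = {"openid", "email", "profile"} - set(meta.get("scopes_supported", []))
    if missing:
        raise ValueError(f"metadata lacks required scopes: {sorted(missing)}")
    base = f"https://{subdomain}.{dc_domain}"
    return {"home_page_url": base, "redirect_uri": base + "/login/sso/oidc",
            "idp_issuer": issuer}
```

The Redirect URI the check returns must match the one registered in Authentication character for character, or Entra will reject the sign-in.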

FAQ


Does Moveworks support reading user data such as 'upn' from a custom scope / additional claim?

  1. No. Moveworks requests only the openid, email, and profile scopes during authentication. By default, Moveworks uses the 'Mail' field from Azure to identify the user who is logging in, so the email address in the user's 'Mail' field in Entra must match the email_addr field in their Moveworks User Record for the login to MyMoveworks or Web Bot to be successful.

How do I assign users to an Entra Application?

  1. Go to Enterprise Applications in Azure

  2. Find the application you just registered.

  3. From there, click Manage > Properties as shown below.

  4. From the Properties page, toggle the Assignment required field to Yes, and Visible to users field to Yes as shown below.

  5. Navigate to the Users and groups section and assign the app to all users that need access to it either directly or via a group.

  6. When your users navigate to the MyApps Portal after a few minutes, they should be able to see the app and login directly from there.