Prerequisites

Microsoft Entra Prerequisites

• Ensure you have Access to the Azure Admin Portal with the appropriate IAM permissions in Azure to register a new Enterprise Application.

Moveworks SSO Prerequisites

• Your Moveworks organization should be initialized (verify with your account team)

• Note the following values.

  • data_center_domain - the data center where your organization is hosted (see table below).

  • subdomain - your organization's login subdomain. This will generally match your customer_id, but you can verify or customize it in General Information.

    🚧

    Warning

    Make sure you ONLY note your unique subdomain. For example, if you're organization's login subdomain is acme.moveworks.com, then your subdomain is acme and your data_center_domain is moveworks.com

  • [Optional] customer_id - unique identifier for your organization (can not be changed). This is stored as Org Name under Organization Details > General Information

    

    
    

Configuration Steps

Create OIDC Application

1. Go to https://portal.azure.com/

2. Find the App Registrations service

   

3. Select New Registration

   

4. Register the Application

   • Name: Moveworks
   • Supported account types: Accounts in this organizational directory only

5. Select Register

Configure Moveworks Settings

1. Go to Manage > Branding & properties and update the following:

   • Upload new logo:

     

   • Home Page URL: https://{{subdomain}}.{{data_center_domain}}

2. Go to Manage > Authentication, Select Add a Platform and choose Web

   

   
   

3. Add your Redirect URI as https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc

Enable User Access

1. Go to Enterprise Applications

   

2. Find the application you created

   

   
   

3. Go to Security > Permissions and click Grant admin consent for {{your company}}.

   

Add OIDC Configuration in MyMoveworks

1. Go to Certificates & secrets.

2. Click New client secret.

   

3. Add Description and Expires. 24 months is our recommended option to go with as it is the longest time possible. You can have multiple secrets at once, so before one expires you can create another for a seamless cutover.

   

4. Write down the Value as your idp_secret

   

5. Go to the Overview tab and note down your Application (client) ID. This is your idp_client_id

   

6. Click Endpoints > OpenID Connect metadata document and paste it in your browser

7. 

   Copy the issuer from the resulting JSON. This is your idp_issuer

   

   
   

8. Navigate to SSO Settings in MyMoveworks

   

   
   

9. If you already see a studio config, edit it. Otherwise, choose Create.

10. Add your configuration using the values you've noted above

    • Moveworks Product: studio
    • Select Connector: ms_graph
    • Authentication Protocol: OIDC
    • IDP Redirect URL: https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc
      • e.g. https://acme.am-eu-central.moveworks.com/login/sso/oidc
    • IDP Issuer: idp_issuer(from Step 7)
      • e.g. https://login.microsoftonline.com/9ed5798c-9bbe-471c-8005-7658c9846400/v2.0
    • IDP Client Id: idp_client_id (from Step 5)
    • IDP Client Secret: idp_client_secret (from Step 4)

11. Click Submit.

12. Wait a few minutes, then attempt to log into your instance at https://{{subdomain}}.{{data_center_domain}}

FAQ

How do I assign users to an Entra Application?

1. Go to Enterprise Applications in Azure

2. Find the application you just registered.

3. From there, click Manage > Properties as shown below.

4. From the Properties page, toggle the Assignment required field to Yes, and Visible to users field to Yes as shown below.

   

5. Navigate to the Users and groups section and assign the app to all users that need access to it either directly or via a group.

   

6. When your users navigate to the MyApps Portal after a few minutes, they should be able to see the app and login directly from there.