Microsoft Entra Installation Guide (OIDC)

Prerequisites

Making edits?

Before you edit your SSO configuration, make sure you are logged into MyMoveworks. Otherwise, you will not be able to log in and update your SSO configuration details.

Microsoft Entra Prerequisites

  • Ensure you have access to the Azure Admin Portal with the IAM permissions in Azure needed to register a new Enterprise Application.

Moveworks SSO Prerequisites

  • Your Moveworks Environment should be initialized in order to continue. (Verify with your Account Team if this has been completed)
  • Note the following values.
    • data_center_domain - the data center where your organization is hosted (see table below).
      | Data Center | data_center_domain |
      |---|---|
      | United States (default) | moveworks.com |
      | Canada | am-ca-central.moveworks.com |
      | EU | am-eu-central.moveworks.com |
      | Australia / Asia Pacific | am-ap-southeast.moveworks.com |
      | Government Secure Cloud | moveworksgov.com |
    • subdomain - your organization’s login subdomain. This should match your customer_id, which can be verified from the General Information Page.

      🚧 Warning

      Make sure to use the unique subdomain. For example, if your organization’s login subdomain is acme.moveworks.com, then your subdomain is acme and your data_center_domain is moveworks.com, which is part of the US data center.

    • customer_id - The unique identifier for your organization. This is stored as Org Name under Organization Details > General Information.

      ❗️ The Org name cannot be changed. Once set, the same value should be used in all cases.

      In exceptional cases where you would like Moveworks to support your organization with a different subdomain value, please reach out to Moveworks Support.

Configuration Steps

Create OIDC Application

We recommend setting up a new, separate app registration for this step instead of reusing the app registration created for the Teams bot setup.

  1. Go to https://portal.azure.com/
  2. Find the App Registrations service
  3. Select New Registration
  4. Register the Application
    • Name: Moveworks
    • Supported account types: Accounts in this organizational directory only
  5. Select Register

Configure Moveworks Settings

  1. Go to Manage > Branding & properties and update the following:
    • Upload new logo (the original page shows the Moveworks logo image here)
    • Home Page URL: https://{{subdomain}}.{{data_center_domain}}

  2. Go to Manage > Authentication, Select Add a Platform and choose Web
  3. Add your Redirect URI as https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc

Add User Permission

  1. Go to Manage > API permissions. Select Add a permission and choose Microsoft Graph.
  2. Choose Application permissions.
  3. Toggle on the User.Read.All permission.
  4. Click Add permissions and ensure that the permission is Admin consented.

Enable User Access

  1. Go to Enterprise Applications
  2. Find the application you created
  3. Go to Security > Permissions and click Grant admin consent for {{your company}}.

Generate Client Secret

  1. Navigate back to the App Registration page. The following settings are not available on the Enterprise Application page.
  2. Go to Certificates & secrets.
  3. Click New client secret.
  4. Add a Description and an Expires value. We recommend selecting 24 months as the expiration policy.
  5. Write down the Value. This is your idp_client_secret (it is shown only once; if you lose it, create a new secret).
  6. Go to the Overview tab and note down your Application (client) ID. This is your idp_client_id.
  7. Click Endpoints > OpenID Connect metadata document and paste the URL into your browser.
  8. Copy the issuer from the resulting JSON. This is your idp_issuer.

Add SSO Configuration in MyMoveworks

  1. Navigate to SSO Settings in MyMoveworks
  2. If you already see a studio config, edit it. Otherwise, choose Create.
  3. Add your configuration using the values you’ve noted above
    • Moveworks Product: studio
    • Select Connector: ms_graph
    • Authentication Protocol: OIDC
    • IDP Redirect URL: https://{{subdomain}}.{{data_center_domain}}/login/sso/oidc
      • e.g. https://acme.am-eu-central.moveworks.com/login/sso/oidc
    • IDP Issuer: idp_issuer (from Step 7)
      • e.g. https://login.microsoftonline.com/9ed5798c-9bbe-471c-8005-7658c9846400/v2.0
    • IDP Client Id: idp_client_id (from Step 5)
    • IDP Client Secret: idp_client_secret (from Step 4)
  4. Click Submit.
  5. Wait a few minutes, then attempt to log into your instance at https://{{subdomain}}.{{data_center_domain}}
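The values collected above are what the relying party uses at login time. As an added worked example (not Moveworks code), the script below derives the Home Page URL and Redirect URI from subdomain and data_center_domain using the guide's data-center table, reads idp_issuer from an OpenID Connect metadata document (Steps 7 and 8), and applies the standard claim checks an ID token must pass against the configured idp_issuer and idp_client_id. The tenant id is the example value shown in this guide; the metadata document, client id and token claims are constructed sample data.

```python
"""Added example, not Moveworks code: SSO URL derivation and the OIDC checks
that the configured idp_issuer / idp_client_id values are used for."""
import json
import time

# Data-center table from the guide.
DATA_CENTER_DOMAINS = {
    "United States": "moveworks.com",
    "Canada": "am-ca-central.moveworks.com",
    "EU": "am-eu-central.moveworks.com",
    "Australia / Asia Pacific": "am-ap-southeast.moveworks.com",
    "Government Secure Cloud": "moveworksgov.com",
}

# Tenant id: the example value shown in this guide. Everything else here is constructed.
TENANT_ID = "9ed5798c-9bbe-471c-8005-7658c9846400"
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
})


def sso_urls(subdomain, data_center):
    """Home Page URL and Redirect URI exactly as the guide composes them."""
    home = f"https://{subdomain}.{DATA_CENTER_DOMAINS[data_center]}"
    return {"home_page_url": home, "redirect_uri": f"{home}/login/sso/oidc"}


def redirect_uri_allowed(registered, requested):
    """Redirect URIs are compared as exact strings: a different scheme, host,
    path or an extra trailing slash is a different URI and is rejected."""
    return requested in registered


def issuer_from_metadata(metadata_json):
    """Step 8: idp_issuer is the `issuer` field of the metadata document."""
    return json.loads(metadata_json)["issuer"]


def validate_id_token_claims(claims, idp_issuer, idp_client_id, now=None):
    """Claim checks applied after the token signature has been verified against
    the jwks_uri keys (signature verification is not shown here). Returns the
    list of failures; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    failures = []
    # iss must equal the configured issuer exactly; no prefix or suffix tolerance.
    if claims.get("iss") != idp_issuer:
        failures.append("iss mismatch")
    # aud must contain our own client id, otherwise the token was minted for another app.
    aud = claims.get("aud")
    if idp_client_id not in (aud if isinstance(aud, list) else [aud]):
        failures.append("aud mismatch")
    # exp must be present and in the future.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("expired or missing exp")
    return failures


if __name__ == "__main__":
    urls = sso_urls("acme", "EU")
    issuer = issuer_from_metadata(SAMPLE_METADATA)
    claims = {"iss": issuer, "aud": SAMPLE_CLIENT_ID, "exp": time.time() + 3600}
    print(urls)
    print("issuer:", issuer)
    print("token failures:", validate_id_token_claims(claims, issuer, SAMPLE_CLIENT_ID))
```

The issuer comparison is deliberately an exact string match: a token whose `iss` is the multi-tenant `https://login.microsoftonline.com/common/v2.0` must not be accepted by a configuration pinned to your tenant, which is why the guide asks for the issuer from your own tenant's metadata document rather than a generic value.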

FAQ

Does Moveworks support reading user data such as ‘upn’ from a custom scope / additional claim?

  1. No - Moveworks only requests the openid, email, and profile scopes during the authentication process. By default, Moveworks uses the ‘Mail’ field from Entra to determine the user who is logging in, so the email address in the user’s ‘Mail’ field in Entra must match the email_addr field in their Moveworks User Record for the login to MyMoveworks or Web Bot to be successful.
    1. If the Entra mail value does not match the email_addr value in the Moveworks user record, follow these steps to map mail to the Moveworks idm_user_id field and change the SSO configuration in Moveworks to perform the user lookup on the idm_user_id field.
      1. Map the Entra mail field to idm_user_id:
        1. In Moveworks Setup, navigate to user identity > import users and edit the existing configuration.
        2. Click next once to get to the Configure selected sources screen and toggle into advanced mode in the top right.
        3. Scroll to the Source-Specific User Attribute Mapping under the ms_graph Integration Id. You should see a section like the one below, which defines the mapping on user_id_info.user_idm_id_info:

        ```json
        "user_id_info.user_idm_id_info": [
          {
            "integration_id": "\"ms_graph\"",
            "system": "\"MS_GRAPH\"",
            "idm_user_id": "userPrincipalName",
            "external_id": "id"
          }
        ],
        ```

        • Update the mapping for idm_user_id to mail:

        ```json
        "user_id_info.user_idm_id_info": [
          {
            "integration_id": "\"ms_graph\"",
            "system": "\"MS_GRAPH\"",
            "idm_user_id": "mail",
            "external_id": "id"
          }
        ],
        ```

        • The change will be reflected in users’ records following the next user import flow. After 24 hours, confirm the change has succeeded in Moveworks Setup by navigating to user identity > imported users. Enter a user’s name in Find Users to view their record. Click view profile and scroll down to the System Integration Attributes. Under Azure AD, confirm the Idm User Id value has been updated to match the mail value in Entra.
      2. Update the SSO configuration to use idm_user_id as the user lookup field:
        1. In Moveworks Setup, navigate to Tenant Settings > Single Sign-on (SSO) and edit the existing SSO configuration.
        2. Under Identifier Type, select IDM_USER_ID.
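To make the two-part fix concrete, the following added example (not Moveworks code) replays it offline: it applies the guide's before/after mapping entries to Microsoft Graph user objects, simulates the next user import refreshing idm_user_id, and performs the SSO user lookup by the default email match and by IDM_USER_ID. The Graph users, Moveworks user records, ID-token claims, the identifier-type name "EMAIL" for the default lookup, and the convention that a quoted mapping value is a literal while a bare value names a Graph attribute are all assumptions made for this illustration.

```python
"""Added example, not Moveworks code: what the FAQ's mapping change does to
user records and why the SSO lookup succeeds only after both steps."""
import json

# Mapping entries from the guide, before and after the change. Assumed
# convention: a value wrapped in escaped quotes is a literal, a bare value
# names the Microsoft Graph attribute to copy.
MAPPING_BEFORE = json.loads(r'''{"integration_id": "\"ms_graph\"", "system": "\"MS_GRAPH\"",
                                 "idm_user_id": "userPrincipalName", "external_id": "id"}''')
MAPPING_AFTER = dict(MAPPING_BEFORE, idm_user_id="mail")

# Constructed sample data. Jane's Entra UPN differs from her mailbox address,
# and her Moveworks record (fed by another source) carries a third address.
GRAPH_USERS = [
    {"id": "a1b2c3", "userPrincipalName": "jdoe@corp.example.com", "mail": "jane.doe@example.com"},
    {"id": "d4e5f6", "userPrincipalName": "bsmith@corp.example.com", "mail": "bob.smith@example.com"},
]
RECORDS = [
    {"external_id": "a1b2c3", "email_addr": "jdoe@example.com", "idm_user_id": "jdoe@corp.example.com"},
    {"external_id": "d4e5f6", "email_addr": "bob.smith@example.com", "idm_user_id": "bsmith@corp.example.com"},
]
# The `email` claim from the email scope; the guide says it comes from the Entra Mail field.
JANE_CLAIMS = {"email": "jane.doe@example.com"}


def apply_mapping(mapping, graph_user):
    """Resolve one user_idm_id_info entry against a Graph user object."""
    resolved = {}
    for field, spec in mapping.items():
        if spec.startswith('"') and spec.endswith('"'):
            resolved[field] = spec[1:-1]            # literal such as "ms_graph"
        else:
            resolved[field] = graph_user.get(spec)  # attribute such as mail
    return resolved


def import_users(mapping, graph_users, records):
    """Next user import: refresh idm_user_id on every record whose external_id
    matches a Graph user id. Returns new records; input is left untouched."""
    mapped_by_id = {g["id"]: apply_mapping(mapping, g) for g in graph_users}
    refreshed = []
    for rec in records:
        mapped = mapped_by_id.get(rec["external_id"])
        refreshed.append(dict(rec, idm_user_id=mapped["idm_user_id"]) if mapped else dict(rec))
    return refreshed


def lookup_user(records, claims, identifier_type):
    """SSO user lookup. "EMAIL" (assumed name) compares the claim against
    email_addr, the default behaviour the FAQ describes; "IDM_USER_ID" compares
    against idm_user_id. Zero or several matches fail closed (no login)."""
    field = {"EMAIL": "email_addr", "IDM_USER_ID": "idm_user_id"}[identifier_type]
    wanted = claims["email"].casefold()
    matches = [r for r in records if (r.get(field) or "").casefold() == wanted]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print("default lookup:", lookup_user(RECORDS, JANE_CLAIMS, "EMAIL"))          # None: mail != email_addr
    print("IDM lookup, old mapping:", lookup_user(RECORDS, JANE_CLAIMS, "IDM_USER_ID"))  # None: idm_user_id is the UPN
    after = import_users(MAPPING_AFTER, GRAPH_USERS, RECORDS)
    print("IDM lookup, new mapping:", lookup_user(after, JANE_CLAIMS, "IDM_USER_ID"))
```

Note that switching the Identifier Type alone is not enough: until the import has written the Entra mail value into idm_user_id, that field still holds the userPrincipalName and the lookup keeps failing. Bob, whose mail already equals his email_addr, logs in under either configuration, which is why the guide has you wait for the import and verify a record before relying on the new setting.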

How do I assign users to an Entra Application?

  1. Go to Enterprise Applications in Azure
  2. Find the application you just registered.
  3. From there, click Manage > Properties as shown below.
  4. From the Properties page, toggle the Assignment required field to Yes, and Visible to users field to Yes as shown below.
  5. Navigate to the Users and groups section and assign the app to all users that need access to it, either directly or via a group.
  6. When your users navigate to the MyApps Portal after a few minutes, they should be able to see the app and login directly from there.