
Microsoft Entra ID SSO — App Integration, SAML, OIDC & Provisioning

Microsoft Entra ID is the identity backbone for thousands of enterprise SaaS apps. This lesson maps the full picture — from the app gallery and enterprise applications, through the SAML vs OIDC vs password-SSO choice, to app registrations, service principals and automated SCIM provisioning — so you can configure any integration confidently in production and answer every interview question cold.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live flow demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Microsoft Entra ID SSO and app integration in 2026: enterprise applications, the app gallery, SAML vs OIDC vs password-based SSO, app registrations, service principals, and SCIM provisioning explained clearly.


Pick where you want to start:

1. Core concepts: app objects, service principals, the gallery.
2. SSO protocols: SAML vs OIDC vs password-based SSO.
3. App integration: enterprise apps, assignments, claims.
4. Provisioning & ops: SCIM, lifecycle, testing, troubleshooting.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is the difference between an app registration and an enterprise application in Entra ID?

Answered in Core concepts.

2. Which SSO protocol would you choose for a modern REST API with mobile clients?

Answered in SSO protocols.

3. What does SCIM provisioning automate that SSO does not?

Answered in Provisioning & ops.

Most engineers think…

Most people assume 'adding an app to Entra ID' means one thing. In reality it is two separate planes: the identity plane (app registration, which defines the app globally across all tenants) and the access plane (the service principal / enterprise application, the per-tenant instance that holds user assignments, SSO config and provisioning settings).

Equally common: confusing SSO with provisioning. SSO answers 'can this user get a token?'. Provisioning answers 'does this user's account even exist in the target app?'. You need both for a complete joiner-mover-leaver process — and they are configured independently in Entra ID.

① Core concepts — app registrations, service principals and the gallery

Every app integrated with Microsoft Entra ID has two objects. The app registration (in the App registrations blade) is the global identity definition: client ID, redirect URIs, certificate/secret credentials and API permission declarations. It lives in your home tenant but can be multi-tenant. The service principal (also called the enterprise application) is the per-tenant instance — the local copy that carries user and group assignments, SSO configuration, Conditional Access linkage, and provisioning settings.

The Entra application gallery contains thousands of pre-integrated SaaS apps. When you add a gallery app, Entra auto-populates the SAML or OIDC metadata so you only fill in your tenant-specific values (ACS URL, Entity ID, or redirect URI). For apps not in the gallery, you create a custom enterprise application and configure SSO manually.

What the gallery does (and does not) give you

Gallery apps come with pre-built SSO templates and often a provisioning connector. What they do not give you: they do not auto-assign users, they do not auto-enable provisioning, and they do not push Conditional Access policies. Those are always manual steps in your tenant.

Figure 1 — Entra ID app integration setup flow. From adding an app to the first successful SSO test, the five steps every integration follows: Add app (gallery or custom) → Config SSO (SAML / OIDC / pwd) → Exchange data (ACS, EntityID, cert) → Assign users (users & groups) → Test SSO (test panel, pilot).
Quick check · Q1 of 10 · Understand

An Entra enterprise application (service principal) is best described as…

Correct: b. The service principal (enterprise application) is the per-tenant representation of the app — it holds assignments, SSO config, provisioning and CA linkage. The app registration is the global identity definition.
👉 So far: App registration = global identity (client ID, redirect URIs, permissions). Service principal = per-tenant instance (assignments, SSO, provisioning, CA). Two objects, one app.

② SSO protocols — SAML, OIDC/OAuth 2.0 and password-based

Entra ID supports three SSO methods. SAML 2.0 is the standard for most enterprise SaaS (Salesforce, ServiceNow, Workday, etc.). Entra acts as the IdP and issues signed XML assertions to the app's Assertion Consumer Service (ACS) URL. You configure Entity ID, ACS URL, signing certificate and claims mapping. SAML is SP-initiated (user goes to app first) or IdP-initiated (launched from My Apps portal).

OIDC / OAuth 2.0 is the right choice for modern apps, APIs and mobile clients. The app registers redirect URIs and receives ID tokens and access tokens instead of XML assertions. Gallery OIDC apps require the admin to consent to the app's requested permissions during onboarding — a one-time admin consent flow. For multi-tenant apps, only OIDC is supported (SAML SSO is greyed out for multi-tenant registrations).

Password-based SSO (form-fill) is a legacy fallback for apps that have no federation support — Entra injects saved credentials into the login form via the browser extension. Avoid for new integrations; use only as a bridge while migrating an old app.

Claims and attributes

Regardless of protocol, you configure claims mapping to control what identity data the app receives — typically email, UPN, display name, and group membership. In SAML this is the Attributes & Claims panel; in OIDC these are the optional claims in the app manifest.

Figure 2 — SAML 2.0 vs OIDC for enterprise SSO. Choose SAML for legacy enterprise SaaS, OIDC for modern apps, APIs and mobile clients.
SAML 2.0: XML assertion, signed by Entra; ACS URL + Entity ID exchange; SP-init or IdP-init flows; best for legacy SaaS; single-tenant apps only.
OIDC / OAuth 2.0: ID token + access token (JWT); redirect URI + client ID/secret; admin consent flow on first add; best for modern apps & APIs; supports multi-tenant apps.

📋 App Registration
The global identity definition for an app: client ID, redirect URIs, API permissions, certificates/secrets. Lives in your home tenant; can be multi-tenant.

🏢 Enterprise Application
The per-tenant service principal: holds user assignments, SSO config (SAML/OIDC), provisioning settings and Conditional Access linkage. This is what you manage day-to-day.

🔏 SAML Signing Cert
Entra's X.509 cert used to sign the assertion XML. Expires (typically 3 years). Rotate before expiry or every SP-initiated login breaks silently.

🔄 SCIM Provisioning
An HTTP API standard. Configure Tenant URL + secret token in the enterprise app blade. Entra syncs creates, updates and deactivations on a ~40-minute cycle.

Name the protocol and justify it

In an interview, never just say 'we use SSO'. Name the protocol (SAML or OIDC), give the reason (legacy SaaS vs modern API), and mention the key exchange values (ACS + EntityID for SAML; redirect URI + client ID for OIDC). That one sentence separates you from most candidates.

Quick check · Q2 of 10 · Apply

A team is building a new mobile app with a REST API backend. Which SSO protocol should they configure in Entra ID?

Correct: c. OIDC/OAuth 2.0 is designed for modern apps — it issues access tokens (JWTs) that APIs and mobile clients use natively in Authorization headers. SAML XML assertions are browser-redirect based and not suited for direct API calls or native apps.
👉 So far: SAML for legacy enterprise SaaS (XML assertion, ACS + EntityID). OIDC/OAuth 2.0 for modern apps and APIs (JWT, redirect URI + consent). Password-based SSO only as a last resort.

③ Configuring enterprise app integration — end to end

The integration workflow in the Entra admin centre is: Add application (gallery search or 'Create your own'), configure SSO (choose SAML or OIDC, exchange metadata with the app vendor), assign users and groups, then test SSO using the Test button or a non-admin test account before enabling broad rollout.

For SAML, the key exchange is bidirectional. From Entra you give the app: the Login URL, Entra Entity ID (Issuer), and the SAML signing certificate (Base64 download or federation metadata XML). From the app you give Entra: the ACS (Reply) URL and the Service Provider Entity ID. Any one of these four values missing or mismatched is the source of most SAML failures.

User and group assignments

By default, enterprise applications require explicit assignment — only assigned users and groups can SSO into the app. You can relax this with 'Assignment required = No' for broad internal access, but for sensitive SaaS the default is the right security posture. Nested group support for assignment depends on the app.

Figure 3 — Service principal — the tenant access hub. One service principal connects assignments, SSO config, provisioning and Conditional Access for every enterprise app: the per-tenant service principal instance is the hub for user assignments, SAML/OIDC SSO, SCIM provisioning, Conditional Access, claims mapping and audit logs.
Forgetting that SSO and provisioning are independent

A very common production mistake: a team enables SAML SSO, users can authenticate, but the app has no accounts for them, so they see a blank screen or an access-denied page inside the app. SSO only handles the token; provisioning (SCIM or manual) must create the account beforehand. Always test with a freshly provisioned account.

A SAML SSO login flow end to end

How Priya's browser gets a session in ServiceNow via Entra SAML, on the healthy path. The classic failure, a stale signing certificate on the SP side, is worked through in the scenario further down.

① User to SP: Priya clicks the ServiceNow tile in My Apps. ServiceNow generates a SAML AuthnRequest and redirects her browser to Entra.
② Entra authn: Entra validates Priya's session (or prompts MFA via Conditional Access), looks up her enterprise app assignment, and builds the SAML assertion with her claims.
③ Assertion posted: Entra signs the assertion with the SAML signing certificate and POSTs it to ServiceNow's ACS URL via a browser form post.
④ SP validates: ServiceNow verifies the signature against its stored Entra certificate, validates the Audience and NotOnOrAfter, creates a session, and loads Priya's dashboard.
Quick check · Q3 of 10 · Analyze

A user gets a SAML error: 'Audience restriction validation failed'. Which configuration value is most likely mismatched?

Correct: a. Audience restriction validation failed is specifically an EntityID / Audience mismatch: the Identifier (Entity ID) value configured in Entra does not match the SP's expected audience. ACS URL mismatches produce a different error (invalid reply URL); expired certs produce a signature error.
👉 So far: The four SAML exchange values that must match exactly: Login URL, Entra EntityID, Signing Certificate (Entra to App) and ACS URL + SP EntityID (App to Entra). One mismatch = 100% failure.
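The SP-side checks of step ④ and the error classes behind Q3 and the certificate-rotation scenario, as an added example that is not part of this lesson or of any Microsoft or ServiceNow code. It parses a constructed Entra-style assertion with the Python standard library and reports which exchange value is wrong; the tenant ID, URLs and certificate bytes are hypothetical, and real XML-DSig verification is left to an xmlsec library, so the SP here only compares the certificate thumbprint it has stored, which is exactly what goes stale after a rotation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP-side configuration (hypothetical tenant ID and app URLs).
SP_CONFIG = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://example-sp.test/saml/metadata",  # the Entra 'Identifier'
    "acs_url": "https://example-sp.test/saml/acs",            # the Entra 'Reply URL'
}
# Constructed stand-in for the Base64 DER of Entra's signing certificate; the SP stores
# only its thumbprint (SHA-1 hex, the form certificate stores usually display).
IDP_CERT_B64 = base64.b64encode(b"constructed-entra-signing-cert-2026").decode()
SP_CONFIG["idp_cert_thumbprint"] = hashlib.sha1(base64.b64decode(IDP_CERT_B64)).hexdigest()


def build_assertion(issuer, audience, recipient, not_on_or_after, cert_b64):
    """Constructed assertion carrying only the elements an SP checks (no real XML-DSig)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def validate_assertion(xml_text, sp=SP_CONFIG, now=None):
    """Return the list of failures an SP would report for this assertion ([] if valid)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    failures = []
    # 1. Signing certificate: after an Entra cert rotation this is the check that fails
    #    until the SP's Identity Provider record is updated with the new certificate.
    cert_el = root.find(".//ds:X509Certificate", NS)
    cert_der = base64.b64decode(cert_el.text.strip()) if cert_el is not None else b""
    if hashlib.sha1(cert_der).hexdigest() != sp["idp_cert_thumbprint"]:
        failures.append("signature: certificate does not match stored IdP certificate")
    # 2. Issuer must be the Entra tenant the SP trusts.
    if root.findtext("saml:Issuer", "", NS) != sp["idp_entity_id"]:
        failures.append("issuer: unexpected IdP entity ID")
    # 3. Audience must equal the SP Entity ID: a mismatch here is the
    #    'Audience restriction validation failed' error.
    if root.findtext(".//saml:Audience", "", NS) != sp["sp_entity_id"]:
        failures.append("audience restriction validation failed")
    # 4. Recipient must be the ACS URL the SP actually serves (a different error class).
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        failures.append("recipient: invalid reply (ACS) URL")
    # 5. NotOnOrAfter: assertions are short-lived, so clock skew also shows up here.
    stamp = root.find("saml:Conditions", NS).get("NotOnOrAfter").replace("Z", "+00:00")
    if now >= datetime.fromisoformat(stamp):
        failures.append("conditions: assertion expired (NotOnOrAfter)")
    return failures
```

Run `validate_assertion` on the raw assertion the Entra test panel shows you and the returned list names the exchange value to fix first.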

④ Provisioning, lifecycle & operations

SCIM provisioning is the automated backbone of the joiner-mover-leaver process. When the app supports SCIM, you configure a provisioning connector in the enterprise app blade: provide the Tenant URL and a secret token from the app, set scope (all assigned users, or assigned only), then run an initial sync cycle. Entra then pushes attribute changes, group memberships, and account deletions automatically on a roughly 40-minute cycle.

Provisioning and SSO are independent. A user can SSO successfully via SAML even if provisioning is off — the app must then have had their account created manually. Conversely, you can provision accounts to an app while the users log in with the app's own credentials (no SSO). For a clean production setup you want both: SCIM handles account existence, SSO handles the login experience.
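What a sync cycle actually sends to the app, as an added example that is not the lesson's or Microsoft's code: a constructed in-memory stand-in for the app's SCIM /Users endpoint, plus a simplified Entra-style cycle that creates joiners, PATCHes movers and soft-deletes leavers with active=false. The user names and attributes are made up, and the filter is passed unencoded for readability.

```python
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class ScimUserStore:  # constructed in-memory stand-in for the app's /scim/v2/Users endpoint

    def __init__(self):
        self.users = {}  # id -> SCIM user resource

    def handle(self, method, path, body=None):
        # Dispatch one SCIM request as the Entra connector sends it; returns (status, body).
        if method == "GET" and path.startswith("/Users?filter="):
            return self._search(path.split("filter=", 1)[1])
        if method == "POST" and path == "/Users":
            return self._create(body)
        if method == "PATCH" and path.startswith("/Users/"):
            return self._patch(path.rsplit("/", 1)[1], body)
        return 404, {"status": "404", "detail": "Not found"}

    def _search(self, flt):
        # Before every create, Entra asks: GET /Users?filter=userName eq "<value>"
        m = re.fullmatch(r'userName eq "([^"]+)"', flt)
        if not m:
            return 400, {"status": "400", "scimType": "invalidFilter"}
        hits = [u for u in self.users.values() if u["userName"] == m.group(1)]
        return 200, {"totalResults": len(hits), "Resources": hits}

    def _create(self, body):
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, {"status": "409", "scimType": "uniqueness"}
        uid = str(len(self.users) + 1)
        self.users[uid] = {"schemas": [SCIM_USER_SCHEMA], "id": uid, "active": True, **body}
        return 201, self.users[uid]

    def _patch(self, uid, body):
        user = self.users.get(uid)
        if user is None:
            return 404, {"status": "404", "detail": "User not found"}
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                return 400, {"status": "400", "scimType": "invalidValue"}
            if "path" in op:      # e.g. {"op": "Replace", "path": "active", "value": false}
                user[op["path"]] = op["value"]
            else:                 # e.g. {"op": "Replace", "value": {"displayName": "..."}}
                user.update(op["value"])
        return 200, user


def provisioning_cycle(store, assigned):
    """One Entra-style cycle over the assigned users; returns (op, userName, HTTP status) rows."""
    log = []
    for user_name, attrs in assigned.items():
        _, found = store.handle("GET", f'/Users?filter=userName eq "{user_name}"')
        if found["totalResults"] == 0:  # joiner: no account yet, so create it
            status, _ = store.handle("POST", "/Users", {"userName": user_name, **attrs})
            log.append(("Create", user_name, status))
        else:                           # mover: account exists, push attribute changes
            ops = {"Operations": [{"op": "Replace", "value": attrs}]}
            status, _ = store.handle("PATCH", f"/Users/{found['Resources'][0]['id']}", ops)
            log.append(("Update", user_name, status))
    # Leavers: active in the app but no longer assigned in Entra -> soft delete.
    for uid, u in list(store.users.items()):
        if u["active"] and u["userName"] not in assigned:
            ops = {"Operations": [{"op": "Replace", "path": "active", "value": False}]}
            status, _ = store.handle("PATCH", f"/Users/{uid}", ops)
            log.append(("Disable", u["userName"], status))
    return log
```

The rows returned by `provisioning_cycle` are the same triples (operation, user, app's HTTP response) you read in the Entra provisioning log when a cycle fails.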

Testing and troubleshooting

The Entra provisioning logs (under Monitoring) and the SAML-based SSO test panel are your two main diagnostic tools. For SAML failures, the test panel shows the raw assertion and the exact claim values Entra sent — compare these with what the app expects. For provisioning failures, the provisioning log shows the exact SCIM operation, the HTTP response from the app, and the attribute that caused the error. Common issues: mismatched EntityID, expired signing cert, missing required attribute in claims, or wrong SCIM endpoint URL.

Figure 4 — SP-initiated SAML SSO — step by step. The full SAML round-trip: user accesses the app, gets redirected to Entra, authenticates, and receives a signed assertion back at the ACS URL: User to SP (SP sends AuthnRequest) → Entra redirect (IdP login prompt) → Entra authn (MFA if required) → Assertion sent (signed SAML XML) → ACS validates (session created).

Priya at a Pune IT services firm faces this

After rotating the SAML signing certificate in Entra ID for a critical ServiceNow integration, every user gets a 'Response not signed correctly' error and cannot log in.

Likely cause

The new Entra signing certificate (Base64 PEM) was not uploaded to ServiceNow's certificate store before the old one was retired. ServiceNow is still validating assertions against the old, now-expired certificate.

Diagnosis

Check the SAML Signing Certificate panel in the enterprise app blade — the active cert is the new one. Check ServiceNow's Identity Provider record — it still holds the old certificate fingerprint.

Entra Admin → Enterprise Apps → ServiceNow → Single sign-on → SAML Signing Certificate (download new cert) → ServiceNow → Identity Providers → update certificate

Fix

Download the new Base64 certificate from Entra, update it in the ServiceNow Identity Provider record, save and test SSO. No Entra changes needed — only the SP side is stale.

Verify

Run the Entra SSO test panel with a non-admin test user: assertion validates correctly, session starts in ServiceNow, Entra audit log shows successful SAML response issued.

Always use the SAML test panel before production rollout

The Entra SSO test panel (Enterprise App → Single sign-on → Test) shows the exact assertion Entra will send, including all claim values. Run it as a non-admin test user, not as a Global Admin — admins bypass Conditional Access and assignment checks, so admin tests can pass while normal users are blocked.

Quick check · Q4 of 10 · Evaluate

A new employee can SAML SSO into the HR SaaS app (login succeeds) but sees a blank dashboard with no data. SCIM provisioning is disabled. What is the most likely explanation?

Correct: d. SSO only handles authentication — the SAML assertion is valid so login succeeds. Without SCIM provisioning, no account exists in the HR app backend, so the app has no profile or data to show. SSO and provisioning solve different problems and must both be configured.
👉 So far: SCIM provisioning = account lifecycle (create/update/disable on ~40-min cycle). SSO = authentication token. Both are needed. Test with the SSO test panel as a non-admin assigned user.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which Entra ID object holds user and group assignments for an enterprise application?

Correct: b. The service principal (enterprise application) is the per-tenant instance that carries user and group assignments, SSO config and provisioning settings. The app registration is the global identity definition and does not hold per-tenant assignments.
Q6 · Understand

Why is SAML SSO greyed out for a multi-tenant app registration in Entra ID?

Correct: d. SAML SSO in Entra is configurable only on single-tenant app registrations and pre-integrated gallery apps. Multi-tenant applications must use OIDC/OAuth 2.0 — Entra cannot generate a per-tenant SAML IdP configuration for a globally shared multi-tenant app object.
Q7 · Apply

After rotating the Entra SAML signing certificate, all users get 'Response not signed correctly'. What is the fastest fix?

Correct: d. The SP is validating the assertion against the old, now-retired certificate. Uploading the new Entra signing certificate to the SP's Identity Provider configuration fixes signature validation without any Entra-side change — no re-creation needed.
Q8 · Analyze

A newly hired employee can log in to the HR SaaS app via SAML SSO but sees a blank dashboard with no data. Provisioning is disabled. What is the most likely cause?

Correct: c. SSO only handles authentication — the SAML assertion is valid so login succeeds. Without SCIM provisioning, no account exists in the HR app backend, so the app has no profile or data to show. SSO and provisioning solve different problems.
Q9 · Evaluate

An IT admin runs the SAML SSO test in Entra as a Global Administrator and it passes. But normal users report they cannot sign in. What is the most likely explanation?

Correct: c. Global Admins are typically excluded from Conditional Access policy enforcement. The admin test passed because CA policies (e.g., MFA required, compliant device, location restriction) did not apply to the admin session, but they block regular users.
Q10 · Evaluate

What is the key reason to test SAML SSO with a non-admin assigned user rather than a Global Administrator?

Correct: d. Global Administrators are exempt from most Conditional Access policies by default. Testing as an admin gives a false sense of security — policies enforcing MFA, compliant device or location restrictions will not trigger for the admin but will block regular users assigned to the app.

🧠 In your own words

Type one line: what is the difference between SSO and provisioning in Entra ID, and why do you need both? Then compare with the expert version.

Expert version: SSO handles authentication — it issues a token (SAML assertion or OIDC JWT) so the user's identity is vouched for at login. Provisioning handles the lifecycle — it creates, updates and deletes the user's account inside the target application via SCIM. You need both: without provisioning, a valid SSO assertion arrives at an app that has no account to match it to, and the user sees a blank screen or access denied. Without SSO, users still need separate passwords for the app even if their account is provisioned. Together they deliver the full joiner-mover-leaver experience: account ready on day one, updated when attributes change, and disabled the moment the user leaves.


📖 Glossary

App Registration
The global identity definition for an application in Entra ID: client ID, redirect URIs, API permissions and credentials. Lives in the home tenant.
Service Principal
The per-tenant instance of an application (the enterprise application) that holds user assignments, SSO config, provisioning settings and Conditional Access linkage.
SAML 2.0
Security Assertion Markup Language — a browser-redirect SSO protocol where Entra signs an XML assertion and POSTs it to the app's ACS URL. Best for legacy enterprise SaaS.
OIDC / OAuth 2.0
OpenID Connect over OAuth 2.0 — a token-based SSO protocol issuing JWTs, suited for modern apps, REST APIs and mobile clients.
ACS URL
Assertion Consumer Service URL — the endpoint on the SP that Entra POSTs the SAML assertion to after successful authentication.
SCIM
System for Cross-domain Identity Management — an HTTP API standard apps expose so Entra can automatically create, update and disable user accounts (joiner-mover-leaver).
Claims Mapping
Configuration of which identity attributes (email, UPN, groups, employee ID) Entra includes in the token or assertion sent to the application.
SAML Signing Certificate
The X.509 certificate Entra uses to sign the SAML assertion. Must be uploaded to the SP. Typically valid for 3 years — rotate before expiry or all logins break.
