# Microsoft Entra ID (Formerly Azure AD)

To add your Microsoft Entra ID tenant, you must have permissions within the tenant to grant organisational consent to the TIS Platform application. Click on "**Add to my organisation**". You will be redirected to the Microsoft login page to grant consent to the application.&#x20;

<figure><img src="/files/A3bXoNhCBo0gEn7SdQJz" alt="" width="375"><figcaption></figcaption></figure>

Make sure you choose the Microsoft work or school account that is a part of the tenant you wish to connect. Read the requested permissions for the TIS Platform application, and click "**Accept**" if you are happy to proceed. If you do not accept, you **will not** be able to use Microsoft Entra ID as a login method for the TIS Platform.

<figure><img src="/files/pGcIGyOI5kByFUhqJUvS" alt="" width="375"><figcaption></figcaption></figure>

Once you grant the TIS Platform permission for your organisation, you will be redirected back to the administration panel, and a popup will appear, prefilled with your tenant ID.&#x20;

### Configuration Options

#### Display Name - *Required*

The Display Name is for administrative purposes only and will not be visible to users, as all Microsoft Entra ID connections will only be shown on the TIS Platform login screen as a single "**Sign in with Microsoft**" button. This setting is for your administrators to differentiate between multiple Microsoft Entra ID tenants, as multiple connections can be added.

#### Tenant ID - *Prefilled*

This tenant ID is prefilled from the previous step and **cannot be changed**. If the tenant ID is incorrect, please restart the setup process and ensure you grant consent using an account that is part of the tenant you wish to setup a connection for.&#x20;

#### Merge Users Where Email Matches an Existing Account

We recommend **leaving this disabled**. For more details, please see [General Options](/single-sign-on-sso/general-options.md#merge-users-where-email-matches-an-existing-account).

#### Email Attribute

This is the attribute that should be used to retrieve an email for the user. By default we use `preferred_username`, however this may also be passed as `email` or `verified_primary_email` depending on your Entra ID setup. If you are not sure, you can create the connection using the default setting, and then use "**Test SSO Login**" to review the information passed by Microsoft. You can then use the "**Edit Provider**" button to update this if necessary.

### Role and Group Mappings

For more information on how role and group mappings work, please see [Role and Group Mappings](/single-sign-on-sso/role-and-group-mappings.md).

For Microsoft Entra ID, **Security Groups** are used for role and group mappings. To map your Security Groups, please retrieve the **Object ID** for the group to use in the "**Group Object ID**" field. This can be found on the Overview page for the Security Group.&#x20;

<figure><img src="/files/SadbjgkRO5ZGbo2g94GM" alt="" width="375"><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.tistraining.com/single-sign-on-sso/connection-types/microsoft-entra-id-formerly-azure-ad.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.