Before you begin
Make sure you have:- Owner or admin access to your Base44 enterprise workspace.
- Admin access to the Microsoft Entra admin center.
- Your workspace ID, the string of characters after
/workspace/in your enterprise workspace URL.
Set up single sign-on
Create an Entra App registration for Base44, add a client secret, then enter the app’s details in your workspace settings.Step 1: Register the app
Create the Entra App registration that represents Base44 sign-in. To register the app:- In the Microsoft Entra admin center, go to App registrations.
- Click New registration.
- Enter a name that identifies your workspace, for example your company name.
- Under Supported account types, choose the option that matches your organization. If you are unsure, click Help me choose.
- Under Redirect URI, select Web and enter your workspace callback URL, replacing
{{WORKSPACE_ID}}with your workspace ID:https://app.base44.com/api/workspaces/{{WORKSPACE_ID}}/auth/sso/callback - Click Register.
After registering, open API permissions and confirm the app has User.Read and the openid, email, and profile permissions. These let Entra return the user’s email at sign-in. New app registrations include
User.Read by default, so you usually only need to confirm it is there.Step 2: Create a client secret
Generate the secret Base44 uses to authenticate with Entra. To create a client secret:- In your app, go to Certificates & secrets.
- Click New client secret, add a description that helps you recognize this workspace, then click Add.
- Copy the secret from the Value column, not the Secret ID, and store it somewhere safe.
Step 3: Copy your IDs
From the app Overview page, copy:- Application (client) ID: This is your Client ID in Base44.
- Directory (tenant) ID: This is your Tenant ID in Base44.
Step 4: Add your details in Base44
Add the SSO app credentials to your workspace. To configure SSO in Base44:- Click your workspace name at the top left of your account.
- Click Settings.
- Click Auth and security.
- Enable the toggle next to Single Sign-On Configuration.
- In Select SSO Provider, choose Microsoft Azure AD.
- Enter your Client ID and Client Secret from the SSO app.
- In the Tenant ID field, enter a value based on which accounts you want to allow:
- Your directory (tenant) ID from Entra: Only users from your organization.
common: Personal Microsoft accounts and work or school (Microsoft 365) accounts.organizations: Work and school accounts only (Microsoft 365).
- Keep Scope as
openid email profile. - The Discovery URL fills in automatically from your tenant ID. Confirm it looks correct before continuing.
- Click Enable SSO.
To control which users see SSO on the login page and what role new members get, set up verified domains and the default role in the same Auth and security settings.
Step 5: Give your team access
People can sign in once they are assigned to your SSO app in Entra. To let users sign in:- In the Microsoft Entra admin center, go to Enterprise applications and open your SSO app.
- Click Users and groups, then Add user/group.
- Select the users or groups that should be able to sign in, then click Assign.
FAQs
Select a question below to learn more about Entra SSO.Do I need separate Entra apps for SSO and SCIM?
Do I need separate Entra apps for SSO and SCIM?
Yes. Base44 signs in over OIDC, so SSO uses an App registration, while SCIM provisioning uses a separate Enterprise application. Use the App registration’s Client ID, Client Secret, and Tenant ID for SSO, and set up provisioning separately. See SCIM provisioning for Microsoft Entra ID.
Sign-in fails with an email error
Sign-in fails with an email error
Confirm your app has the openid, email, and profile API permissions and that Scope in Base44 is
openid email profile. These let Entra return the email address Base44 needs to create the member’s account.Can I disable SSO later?
Can I disable SSO later?
Yes. Workspace admins can disable SSO from Auth and security in your workspace settings at any time.