Setting up Single Sign-On (SSO) with Microsoft Entra ID

This guide walks you through configuring Microsoft Entra ID (formerly Azure AD) to allow your team to log into Clockk using their Microsoft 365 work accounts.

1. Log in to the Azure portal

Go to https://portal.azure.com and sign in with a Global Administrator account for your organization.

2. Open Microsoft Entra ID

  • In the search bar at the top, type "Entra ID"
  • Select Microsoft Entra ID

3. Register the Clockk app

  • Go to: Manage > App registrations
  • Click + New registration
  • Fill out the form:
    • Name: Clockk
    • Supported account types:
      → Select Accounts in this organizational directory only (Single tenant)
    • Redirect URI (Web):
      https://ca-central.api.clockk.com/integration/entra-id/install
  • Click Register

4. Send your IDs and client secret to Clockk

After registration, you’ll land on the app’s Overview page.

Send Clockk the following three values:

  • Application (client) ID
  • Directory (tenant) ID
  • Client Secret (generated in the next step)

We’ll use these to complete the SSO connection from the Clockk side.

5. Generate a Client Secret

Clockk uses the Authorization Code Flow with Microsoft Entra ID. This requires a client secret for our backend to securely exchange authorization codes for tokens.

  • In the left-hand menu of your app registration, go to Certificates & secrets
  • Under Client secrets, click + New client secret
    • Provide a description (e.g., “Clockk integration”)
    • Choose an expiry (we recommend 6 or 12 months)
  • Click Add
  • Copy the Secret Value (shown only once) and send it securely to Clockk along with the Application ID and Tenant ID.

⚠️ Do not send the Secret ID. Only the Secret Value is needed.

6. Configure authentication settings

  • In the left-hand menu, go to Authentication
  • Under Platform configurations, confirm the redirect URI is listed. If not, click Add a platform > Web and re-enter it.
  • Scroll down to Implicit grant and hybrid flows
    • Check both:
      • ☑️ Access tokens
      • ☑️ ID tokens
  • Click Save

7. (Optional) Set a Publisher Domain

This step improves the branding shown to your users during login.

  • Go to Branding & properties
  • Under Publisher domain, select your verified custom domain (e.g., yourcompany.com)
  • Save changes

ℹ️ This ensures users see your organization’s domain (rather than yourtenant.onmicrosoft.com) on the consent screen.

8. (Optional) Allow all users to sign in

If you want anyone in your organization to be able to log into Clockk without being manually assigned:

  • Go to Enterprise applications
  • Find and open the Clockk app
  • Go to Properties
  • Set User assignment required? to No

Otherwise, you’ll need to manually assign users.

Moving on to testing

Someone from the Clockk team will reply when we’ve set up your Entra ID OIDC profile in our database. Once that’s done, you can move on to testing. You’ll be able to use the “Enterprise SSO” button on the login page, or you can use the shortcut URL* that we’ll share with you to save you the step of entering your email address.

*If your company domain is liquidmedia.ca, then we’ll set up a shortcut URL such as liquidmedia.clockk.com that will take you straight to your company’s Microsoft auth login page. If you’re already logged in to Microsoft, you’ll be immediately redirected to Clockk.