Configure SSO With Azure


Introduction

This guide provides step-by-step instructions for setting up Single Sign-On (SSO) with Branch using Microsoft Entra ID (formerly Azure Active Directory) as your Identity Provider (IdP).

This guide will:

  1. Help you get your configuration details from Branch.

  2. Show you how to create and configure a SAML 2.0 application in Microsoft Entra ID.

  3. Link you back to the main Configure SSO guide to complete the setup.

Configure SSO

To configure SSO, you’ll need to get your unique URLs from Branch, configure Microsoft Entra ID, and then finish the setup in Branch.

Before you begin

Before you begin, ensure you have:

  • Admin access to your Branch account.

  • Admin access to your Azure portal and the Microsoft Entra ID service.

  • SSO enabled for your Branch account.

    • Access to SSO requires a premium plan. Please contact our Sales team to learn more about pricing and availability.

Step 1: Get configuration details from Branch

  1. In Branch, navigate to Account Settings → SSO.

  2. Select the Setup SSO button.

  3. You will be taken to a new browser tab. In this tab, select Get Started.

  4. In the Select Your Identity Provider section, select Custom SAML. Then select Next.

  5. You will land on the Configure Custom SAML page. Keep this browser tab open and copy the following two values, as you will need them for step 5 below:

    • Single Sign-On URL (also known as Assertion Consumer Service URL)

    • Service Provider Entity ID (also known as Audience URI)

  6. Select Next.
    [Image: Branch configuration settings for SAML application including Single Sign-On URL and Entity ID.]

Step 2: Create a custom SAML app in Azure

Now, log in to the Azure portal to create the Branch enterprise application.

  1. In the Azure portal, navigate to Microsoft Entra ID → Enterprise applications.

  2. Select New application.

  3. Select Create your own application.

  4. Enter an application name (e.g., “Branch SSO”) and select the option to Integrate any other application you don’t find in the gallery (Non-gallery).

  5. Select Create.

    [Image: Creating an enterprise application for Branch SSO configuration using Microsoft Entra ID in the Azure portal.]

Step 3: Configure SSO settings in Azure

Within your new enterprise application in Azure, configure the SAML settings.

  1. Navigate to Single sign-on in the left menu.

  2. On the Select a single sign-on method page, select the SAML tile.

  3. In the Basic SAML Configuration section, select Edit.
    [Image: Configure SAML settings for a Branch enterprise application using Microsoft Entra ID.]

  4. Fill in the fields using the values from the Branch tab you kept open from step 1:

    1. Identifier (Entity ID): Paste the Service Provider Entity ID from Branch.

    2. Reply URL (Assertion Consumer Service URL): Paste the Single Sign-On URL from Branch.

  5. Select Save.
    [Image: Basic SAML configuration settings for an enterprise application for Branch SSO using Microsoft Entra ID.]

Step 4: Map attributes in Azure

Branch requires three attributes to be sent in the SAML response to provision and identify users.

Warning

To set up a successful mapping, you must use the attribute names firstName, lastName, and email exactly as they are capitalized and spelled here. Do not use URN or OID formats.

  1. In the Attributes & Claims section, select Edit.

  2. Delete any default claims that are not required (you can keep the default unique user identifier claim).

  3. Add the following three attributes by selecting Add new claim for each:

    | Claim Name | Value          |
    |------------|----------------|
    | email      | user.mail      |
    | firstName  | user.givenname |
    | lastName   | user.surname   |

  4. For each attribute:

    1. Enter the Name exactly as shown above (case-sensitive).

    2. Set the Namespace to blank (leave empty).

    3. Select Attribute as the Source.

    4. Select the corresponding Source attribute from the table above.

    [Image: Attributes and claims settings for user identification and additional claims in SAML for Branch SSO configuration using Microsoft Entra ID.]
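
To confirm the mapping before testing, you can inspect a decoded SAML response from a test sign-in. The following Python check is an added example, not Branch or Microsoft code: it reports attribute names that are missing, wrongly capitalized, or still namespaced, and also compares the Audience and Recipient with the Entity ID and Reply URL entered in Step 3. The function name `check_assertion`, the placeholder `ENTITY_ID` and `ACS_URL` values, and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")

def check_assertion(xml_text, entity_id, acs_url):
    """List config problems in a decoded SAML assertion from a test sign-in.
    Diagnostic only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    for want in REQUIRED:
        if want in names:
            continue
        wrong_case = [n for n in names if n.lower() == want.lower()]
        hint = f" (found {wrong_case[0]!r}: wrong capitalization)" if wrong_case else ""
        problems.append(f"missing attribute {want!r}{hint}")
    for n in names:
        if ":" in n or "/" in n:  # URN/URI-style name, i.e. Namespace was not left blank
            problems.append(f"namespaced attribute name {n!r}")
    audiences = [e.text for e in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID")
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} does not match the Reply URL")
    return problems

# Constructed sample: placeholder URLs, one wrong-case claim, one default namespaced claim.
ENTITY_ID = "urn:example:branch-sp"         # placeholder for the Service Provider Entity ID
ACS_URL = "https://sp.example.invalid/acs"  # placeholder for the Single Sign-On URL
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>L</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for p in check_assertion(SAMPLE, ENTITY_ID, ACS_URL):
        print("PROBLEM:", p)
```

An empty result means the three attribute names, the Audience, and the Recipient all match what this guide configures.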

Step 5: Get federation metadata from Azure

Branch needs your Microsoft Entra ID federation metadata to complete the connection.

  1. In the SAML Certificates section of your Azure SAML configuration, locate the App Federation Metadata Url.

  2. Copy this URL so you have it ready for the next step.
    [Image: SAML certificate details including App Federation Metadata URL for Branch SSO configuration using Microsoft Entra ID.]

Note

Below the SAML Certificates section in Azure, you will see a section called Set up Branch SSO. This is for manual setup using individual values.

Using the App Federation Metadata Url instead is the automatic and recommended setup.

Step 6: Complete connection in Branch

Now you’ll provide Microsoft Entra ID’s metadata to Branch and test the connection.

  1. Go back to your Branch Configure Custom SAML browser tab.

  2. Complete step 2.3 in our main guide. Paste the App Federation Metadata Url from Azure into the Metadata URL field in Branch.

  3. Select Create Connection.

Step 7: Test SSO

Use step 2.4 from our main SSO guide to test the connection between Microsoft Entra ID and Branch.

More information

For more complete information about configuring SSO for Branch, visit our Configure SSO (General SAML) guide.