Azure AD Setup

Microsoft Azure Active Directory (AD) is a multi-tenant, cloud-based identity management system. To enable your organization's Blackbaud IDs to sign in to Blackbaud solutions through an Azure AD identity provider (IdP), create an Azure AD application in your Azure AD portal and configure the following settings in Authentication:

  • Your organization's primary domain, such as yourdomain.onmicrosoft.com (To view your domains in the portal, select Azure Active Directory, Custom domain names.)

  • The ID generated when you create your application

  • The value generated when you create your application's key

To prevent inadvertent lockouts:

  • Complete configuration during a maintenance window for your organization's network.

  • Ensure that you have a Blackbaud ID outside of your claimed domains with access to Authentication.

  1. In Admin, select Authentication.

  2. Under Authentication settings, select Manage SSO settings.

  3. Under Single sign-on, select Azure AD.

  4. Under Configure your connection, select Get started or Edit connection.

  5. Enter your organization's primary Azure AD domain from the Azure AD portal.

    To view your domains in the Azure AD portal, select Azure Active Directory, Custom domain names.

    Warning: If you don't claim your primary domain, then users with that domain in their email addresses can't sign in.

  6. Copy the redirect URI.

  7. In a separate browser tab, sign in to your Azure AD portal with an administrator account, and create an application.

    Warning: These instructions include guidance for the Azure AD portal, but Blackbaud does not manage the portal. If the portal changes, we recommend checking Microsoft's official guidance in the Azure AD documentation instead.

    1. Select Azure Active Directory.

    2. Under Manage, select App registrations.

    3. Select New registration.

    4. Enter a unique name for the application.

    5. Under Supported account types, specify who can use the application.

    6. Under Redirect URI, select "Web" and then paste the redirect URI (https://blackbaudinc.auth0.com/login/callback).

    7. Select Register. Azure AD creates the application.

  8. Copy the application ID.

  9. Return to Blackbaud's Configure Azure AD application screen.

  10. Paste the application ID.

  11. Return to your application in the Azure AD portal to set permissions.

    1. Under Manage, select API Permissions.

    2. Under Configured permissions, select Add a permission.

    3. On the screen that appears, select Microsoft Graph.

    4. On the screen that appears, select Delegated Permissions.

    5. Under User, select User.Read.

    6. Select Add permissions.

    7. Under Configured permissions, select the Grant admin consent option for Blackbaud ID, and select Yes to confirm the action.

  12. Add a secret key to secure your application's credentials in the Azure AD portal .

    1. Under Manage, select Certificates & secrets.

    2. Under Client secrets, select New client secrets.

    3. Enter a description for the key.

    4. Select when the key expires. If you set an expiration for security, remember to update your key before it expires to ensure that users can continue to sign in with their Blackbaud IDs. To refresh a key, you can select Update application key under Single sign-on with Azure AD in Authentication.

    5. Select Add. Your new secret key appears in the Client secrets grid.

  13. Copy the secret key in the Value column of the grid.

    Warning: Don't copy the ID in the Secret ID column. You cannot use this value to refresh your Azure AD application key.

  14. Return to Blackbaud's Configure Azure AD application screen.

  15. Paste the secret key, and select Finish.

To properly recognize and redirect members to your IdP when they sign in, identify which email domains your organization uses. For more information, see Claimed Email Domains.

After you set up your Azure AD application and claim your email domains, test the connection to verify your organization can now use its IdP to sign in to Blackbaud solutions. For more information, see Test Mode.

Tip: If your email address is not the same as the User Principal Name (UPN) for your Azure AD application, then you need to configure an email address claim. By default, Azure AD SSO connections use the UPN as the email address. For more information, see Azure AD Email Address Claim.

After you set up your connection, you can turn on SSO through Azure AD. When you turn on SSO, anyone who signs in to their Blackbaud ID with one of your claimed domains is redirected to your IdP. After they authenticate through your IdP, their Blackbaud ID:

  • Automatically redirects to your organization's login for future sign-ins

    Tip: By default, members redirect to their Blackbaud ID profile when they sign in through your organization's login. To instead open a different Blackbaud solution, edit the redirect. For more information, see Redirect Settings.

  • Uses your IdP for password updates, lockouts, and similar authentication management

To complete the connection to your IdP, select Learn about connecting SSO and Connect with Azure AD.

Note: After you enable SSO, resend any pending invitations sent before the connection to Azure AD.

Tip: For a visual reference of the steps to set up Azure AD as the identity provider (IdP) for an SSO connection with Blackbaud ID, see our Blackbaud Developers Conference presentation.

To clear your setup and start over, select Erase all single sign-on settings. For more information, see Single Sign-on Setup.

If you have issues with your Azure AD application, see SSO Connection Troubleshooting.