Microsoft Azure SSO with Synthetix

Synthetix supports Single Sign-On (SSO) using Microsoft Azure Active Directory (Azure AD / Microsoft Entra ID). This allows your users to sign in with their existing Microsoft work accounts, helping reduce password fatigue and enabling you to apply your organization’s standard identity security controls.

Requirements
To use SSO with Synthetix, your organization must be using Azure AD / Entra ID.

How it works
When a user signs in to Synthetix, the user is redirected to Microsoft to authenticate.

  1. Microsoft validates the user’s identity and applies your policies (for example MFA and Conditional Access, if configured).
  2. Microsoft returns a secure sign-in token to Synthetix.
  3. Synthetix verifies the token and signs the user in.

Azure groups and access control

Synthetix can support group-based access, where Azure AD groups are used to represent Synthetix access roles or entitlements. Customers can either:

  • Create the required groups manually in Azure AD (this is supported but involves extra setup steps), OR
  • Enable the option for Synthetix to create the required groups automatically.

Note: Group membership (adding/removing users) remains customer-managed in Azure AD.

Microsoft Graph permissions used
To support sign-in and (where applicable) the group functionality described above, Synthetix uses the following Microsoft Graph permissions:

  • User.Read – identifies the signed-in user (basic profile information)
  • Directory.Read.All – reads directory information required to support the integration
  • Group.ReadWrite.All – enables creation and deletion of Azure AD groups used for Synthetix access (where configured)

Security review note (for IT/security teams)

Synthetix requests group permissions to support deployments where Synthetix-specific Azure AD groups are required. Customers can create these groups themselves, but this involves additional configuration steps to ensure the groups are aligned correctly for Synthetix to reference. Synthetix does not manage group membership (for example, adding/removing users); customers retain full control of membership within Azure AD. The only group actions performed by Synthetix are group creation and deletion in the customer tenant.
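
One way to check the statement above against your own tenant, as an added example that is not Synthetix code: Group.ReadWrite.All also permits updating groups and their membership, so this filter flags Microsoft Entra audit records (Microsoft Graph directoryAudit objects) where the integration's service principal did anything to a group other than create or delete it. The service principal ID, group names and sample records are constructed placeholders.

```python
# Added example, not Synthetix code. Field names follow the Microsoft Graph
# directoryAudit resource; the IDs and records below are constructed.
SYNTHETIX_SP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder: service principal object ID in your tenant
EXPECTED_ACTIVITIES = {"Add group", "Delete group"}  # the only group actions the page describes


def unexpected_group_activity(events, sp_id=SYNTHETIX_SP_ID):
    """Return group-management events initiated by sp_id that are neither
    group creation nor group deletion (for example membership changes)."""
    findings = []
    for ev in events:
        app = (ev.get("initiatedBy") or {}).get("app") or {}
        if app.get("servicePrincipalId") != sp_id:
            continue  # initiated by a user or by another application
        if ev.get("category") != "GroupManagement":
            continue
        activity = ev.get("activityDisplayName", "")
        if activity in EXPECTED_ACTIVITIES:
            continue
        findings.append({
            "time": ev.get("activityDateTime"),
            "activity": activity,
            "result": ev.get("result"),
            "targets": [t.get("displayName") or t.get("id")
                        for t in ev.get("targetResources") or []],
        })
    return findings


def _event(time, activity, initiated_by, targets):
    """Build a constructed audit record with only the fields used above."""
    return {"activityDateTime": time, "category": "GroupManagement",
            "activityDisplayName": activity, "result": "success",
            "initiatedBy": initiated_by,
            "targetResources": [{"displayName": t} for t in targets]}


_APP = {"app": {"servicePrincipalId": SYNTHETIX_SP_ID}, "user": None}
_ADMIN = {"app": None, "user": {"userPrincipalName": "admin@example.com"}}
SAMPLE_EVENTS = [
    _event("2024-01-10T09:00:00Z", "Add group", _APP, ["Synthetix-Editors"]),
    _event("2024-01-10T09:05:00Z", "Add member to group", _ADMIN, ["Synthetix-Editors"]),
    _event("2024-01-11T14:30:00Z", "Add member to group", _APP, ["Finance-Admins"]),
    _event("2024-01-12T08:15:00Z", "Delete group", _APP, ["Synthetix-Editors"]),
]

if __name__ == "__main__":
    for finding in unexpected_group_activity(SAMPLE_EVENTS):
        print(finding)
```

An empty result over the retention window is consistent with the documented behaviour; any finding is worth raising with the vendor.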
