Microsoft Entra SSO
Energyworx supports signing in with Microsoft Entra ID (formerly Azure Active Directory) work or school accounts. Users click Sign in with Microsoft on the login page, authenticate against your organization's own Microsoft directory, and are returned to the Energyworx platform — no separate Energyworx password required.
This is a multi-tenant integration: your users authenticate in your own Microsoft Entra directory (your company's tenant), not in an Energyworx-managed one. Energyworx only needs to know which directory to trust and which email domains belong to you.
Microsoft Entra SSO must be enabled per customer by Energyworx. Raise a request with the Service Desk with the details in Information to provide below. Until Energyworx has allow-listed your directory and registered your email domain, Microsoft sign-in will be rejected.
Like SAML, Microsoft SSO can automatically provision users on first sign-in instead of the manual process — see How to add a new user. It can be used alongside SAML and Google sign-in.
How sign-in works
- The user clicks Sign in with Microsoft on the Energyworx login page.
- They are redirected to Microsoft and authenticate against your organization's Entra directory (if not already signed in).
- The first time your organization uses the Energyworx application, Microsoft shows a consent prompt (see Admin consent).
- Microsoft returns the user to Energyworx, which establishes a session and opens the dashboard.
Setting up Microsoft SSO for your organization
Information to provide
Open a Service Desk request to enable Microsoft SSO and include:
| Item | Where to find it |
|---|---|
| Microsoft Entra Tenant (Directory) ID | Microsoft Entra admin center → Microsoft Entra ID → Overview → Tenant ID (a GUID like cd1e37b7-…). |
| Email domain(s) your users sign in with | The domain part of your users' email / UPN, e.g. yourcompany.com. List all that apply. |
| The Energyworx environment | e.g. your production or staging URL. |
Energyworx will then allow-list your tenant and register your email domain(s) against your organization. You'll get a confirmation when it's ready.
Admin consent
Because users authenticate in your own directory, a Microsoft Entra administrator in your organization must approve the Energyworx application once. This happens in one of two ways:
- On first sign-in: the first admin to sign in sees a "Permissions requested" screen with an option to consent on behalf of your organization. Approving it enables sign-in for all your users.
- Proactively: your Entra admin can grant admin consent to the Energyworx application in advance — ask Energyworx Service Desk for the application (client) ID if you'd like to do this before rollout.
The application only requests the ability to sign you in and read your basic profile (name and email); it does not request access to your mailbox, files, or other data.
Some organizations block user consent by policy, in which case an admin must grant consent before anyone can sign in. If users see a message that an administrator must approve the application, forward it to your Entra admin.
Requirements
- Each user must have an email address or User Principal Name (UPN) on one of the registered domains.
- Each email domain is associated with exactly one Energyworx organization. If a domain needs to map to a different organization, mention it in your request.
Adding a new email domain
To let users from an additional email domain sign in with Microsoft (for example after a rebrand, an acquisition, or a sister company such as a second brand on the same account):
- Open a Service Desk request titled "Add Microsoft SSO email domain".
- Provide:
- the new email domain (e.g.
newbrand.com); - the Microsoft Entra Tenant (Directory) ID that domain belongs to (it may be the same directory you already use, or a different one);
- the Energyworx environment.
- the new email domain (e.g.
- Energyworx registers the new domain against your organization, and — if the domain lives in a directory not yet trusted — adds that directory to the allow-list.
- If the new directory is a different tenant, a Microsoft admin for that directory grants admin consent as in Admin consent.
No change is required on your users' side beyond signing in with their new-domain account; the registration takes effect without downtime.
Automatic whitelisting and permissions
As with SAML, Microsoft SSO supports automatic whitelisting of new users and mapping of permission groups so users gain the right access on first sign-in. See the SAML page (Automatic whitelisting, Permissions Group mapping, User data mapping) — the same Billing Account and Namespace configuration applies.
Troubleshooting
| What the user sees | Likely cause | What to do |
|---|---|---|
| "The selected user account does not exist in tenant 'Energyworx' … must be added as an external user" | Your directory has not been allow-listed yet (request not completed). | Confirm the Service Desk request is done; provide your Tenant ID if not yet supplied. |
| Sign-in succeeds at Microsoft but the user is returned to the login page | The user's email domain is not yet registered against your organization. | Provide the email domain to the Service Desk (see Adding a new email domain). |
| "Need admin approval" / consent error | Your tenant requires admin consent. | Have your Microsoft Entra admin grant admin consent to the Energyworx application. |
| The Microsoft prompt shows an "unverified" notice | Cosmetic; does not block sign-in. | No action needed — Energyworx is completing Microsoft publisher verification. |