You can choose to enforce SAML SSO for with Azure for added security. Once set up, users in your organization can use their managed Azure account credentials to sign in to via Single Sign-On (SSO).

In this Article:

  • Connect to

  • Create an App

There are 2 steps to set up Azure SSO:

Step 1: Connect your SSO to your instance of

Steps to set up SSO ( instructions)

Step 2: Create an App within your SSO

Azure Active Directory SSO integration with (Microsoft instructions)


Q. As soon as the user tries to log in, they are returned to the main screen and see the error ‘Sorry, we could not sign you in’.

A. This will happen when Azure AD has denied access to the user. Please check with the sysadmin to resolve this issue from the Azure AD end.

Q. What to do when there is an error message: ‘Could not authenticate you from AzureOAuth2 because “Access Denied”’?

A. Please check if the user has been invited to the organization. In a non-SAML enforced organization, accepting the invite is mandatory (for setting a password). Once the user accepts the invite from the email, they will be able to access the account without any issues.

Q. What to do when there is an error message: ‘The change you wanted was rejected. Maybe you tried to change something you didn’t have access to.’?

A. Check that both the first name and last name claims are provided for the user in Azure AD. The username is mandatory when creating users via SAML; if it is not present, SAML login will fail. Please refer to point 7 in the Azure setup tutorial:
This can be corrected in the claim & user profiles in Azure AD.

Q. What to do when there is an error message: ‘AADSTS650056: Misconfigured Application’?

A. Check if the Identifier URL was missing or incorrectly set up in the Azure AD setup. Ensure that the Issuer attribute in the SAML request matches the Identifier value configured in Azure AD. Please note that the identifier URL will contain the UUID as well.

Q. The email ID and the UPN (User Principal Name) are different for each user in Azure AD for my organization. How do I set this up correctly?

A. application expects a few attributes to be passed back in SAML response that are pre-populated, but you can review them as per your requirements.


Source Attribute







Instead of mapping the email to the attribute user.userprincipalname, you can map email to the attribute user.mail.

You can follow the steps below to add new claims or edit existing ones:

- In the Azure portal, navigate to app > Set up SSO > SAML

- Edit the Attributes & Claims section

- Add a new Claim by entering the name, namespace URL, the source (as ‘Attribute’) and selecting the Source Attribute from the drop-down.
- Save the new Claim and utilize it to map the correct values in your setup as required.
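
The checks from the answers above (request Issuer versus the Identifier configured in Azure AD, and the name and email claims in the response) can be run against a decoded SAML message before changing anything in the portal. This is an added example, not code from the vendor or from Microsoft; it assumes Azure AD's default claim names under `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/`, and the `sp.example.test` URLs, the UUID and the user values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Assumption: the claims the service provider needs (first name, last name, email).
REQUIRED = {"givenname": "first name", "surname": "last name", "emailaddress": "email"}

def check_request_issuer(authn_request_xml, configured_identifier):
    """Return None when the request's Issuer equals the Identifier set in Azure AD."""
    root = ET.fromstring(authn_request_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != configured_identifier:
        return f"Issuer {issuer!r} does not match Identifier {configured_identifier!r}"
    return None

def check_response_claims(response_xml):
    """List the required claims that are absent or empty in the response."""
    root = ET.fromstring(response_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        values[attr.get("Name")] = (value or "").strip()
    return [f"missing {label} claim ({CLAIMS}{short})"
            for short, label in REQUIRED.items() if not values.get(CLAIMS + short)]

# Constructed samples: the Issuer lacks the UUID, and the response has no surname claim.
XMLNS = f'xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
IDENTIFIER = "https://sp.example.test/saml/00000000-0000-0000-0000-000000000000"
SAMPLE_REQUEST = (f'<samlp:AuthnRequest {XMLNS}>'
                  '<saml:Issuer>https://sp.example.test/saml</saml:Issuer>'
                  '</samlp:AuthnRequest>')

def _attr(short, value):
    return (f'<saml:Attribute Name="{CLAIMS}{short}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')

SAMPLE_RESPONSE = (f'<samlp:Response {XMLNS}><saml:Assertion><saml:AttributeStatement>'
                   + _attr("givenname", "Ada") + _attr("emailaddress", "ada@example.test")
                   + '</saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    # Diagnostic only: no signature is verified, so never use this to accept a login.
    print(check_request_issuer(SAMPLE_REQUEST, IDENTIFIER))
    print(check_response_claims(SAMPLE_RESPONSE))
```

If the email claim is present but holds the wrong address, the source attribute mapping (`user.mail` versus `user.userprincipalname`) is the setting to review.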

Q. How can I synchronize the manager information from my Azure AD to Ally?

A. As of now, it is not possible to send the manager info from Azure AD to Ally since the claims for the manager attributes are not yet supported by Azure.
