Microsoft SSO: Overview
SmartBarrel supports single sign-on (SSO) with Microsoft Entra ID. Your team can sign in to SmartBarrel using their company Microsoft account instead of a separate SmartBarrel password. This article explains what the feature does, how to set it up, how signing in works, and what admins can control.
What SSO does
- Lets your users sign in to SmartBarrel with their company Microsoft account.
- Lets you require Microsoft sign-in for everyone on your company's email domains.
- Hands identity checks, including multi-factor authentication, to Microsoft, so SmartBarrel does not ask for a second factor on top.
- Keeps SmartBarrel access in step with Microsoft: if someone's Microsoft account is disabled, SmartBarrel deactivates their account automatically.
What SSO does not do
- It does not create SmartBarrel accounts. A person must already have a SmartBarrel account to sign in with SSO.
- It does not set or change anyone's role or permissions in SmartBarrel.
- It does not sync users or groups from Microsoft into SmartBarrel.
- It is not available in the mobile app. SSO applies only to dashboard sign-in.
- It works with Microsoft Entra ID only. Other identity providers are not supported.
What your users will experience
The sign-in page looks the same for everyone. There is one login screen with an email and password option and a "Sign in with Microsoft" button. Users do not need to know in advance which method applies to them.
The first time they use Microsoft sign-in, they will see a one-time screen that links their Microsoft account to their existing SmartBarrel account. After they confirm, they will not see it again. Their role and access in SmartBarrel do not change.
Signing in with Microsoft:
- The user clicks "Sign in with Microsoft."
- Microsoft signs them in, including any multi-factor step your organization requires.
- The user picks which company (ecosystem) they are entering, if they belong to more than one.
- They land in SmartBarrel. SmartBarrel does not ask for a separate multi-factor code, because Microsoft already handled it.
Signing in with email and password (for users who are not required to use SSO) works as it always has, including standard SmartBarrel multi-factor authentication if you have it turned on.
Multi-factor authentication
How a person signs in decides how multi-factor works:
- Microsoft sign-in: identity assurance and multi-factor are handled by your Microsoft setup. SmartBarrel does not add its own step.
- Email and password sign-in: standard SmartBarrel multi-factor still applies. The "Remember this device" option applies to password sign-in only.
What is changing for new users
Previously, every new user received an email with a temporary password to reset on first login. That step is gone:
- If SSO is required for them, their invitation email links them straight to Microsoft to sign in. No SmartBarrel password is created.
- If SSO is not required, their invitation email lets them set a password directly, with no temporary-password step.
Setting up SSO (for admins)
Two things need to be in place before a user can sign in with SSO:
- They are assigned to the SmartBarrel app in Microsoft. Your IT admin controls who is assigned in Entra.
- They already have a SmartBarrel account. SSO connects an existing account to Microsoft; it never creates one.
Setup is done by an admin whose Microsoft account can grant consent for your organization (typically a Global Administrator, or a Privileged Role, Cloud Application, or Application Administrator). From SmartBarrel, that admin goes to Settings, then Security & Privacy, then the SSO section, and enables the Microsoft provider. Approving in Microsoft connects the two and makes that admin your first SSO Admin.
For the full step-by-step, including how to test before turning SSO on for everyone, see the Rollout Guide.
Enforcing SSO
Turning SSO on and requiring it are two separate things:
- Enabling connects SmartBarrel to Microsoft and makes Microsoft sign-in available.
- Enforcing requires the affected users to sign in with Microsoft. Enforcement applies to your registered email domains.
When you enforce, SmartBarrel checks all your users first. If anyone is on an email domain you have not registered, enforcement will not turn on until you either update their email or exclude them. This prevents locking out people who were not ready.
Excluding individuals. You can exclude specific users from SSO so they keep signing in with email and password (for example, contractors or anyone not on a company Microsoft account). Standard SmartBarrel multi-factor still applies to them.
SSO Admins
An SSO Admin is your safety net, not a special permission level. Any company admin can configure SSO. What makes SSO Admins different is that they:
- Can always sign in with email and password, even when SSO is enforced.
- Receive SSO-related notifications.
Because they keep password access, SSO Admins are how you get back in if Microsoft is ever unreachable. Keep at least two. SmartBarrel requires at least one and will not let you remove the last one.
Domains
- Each email domain can belong to only one company in SmartBarrel.
- The Domain must be verified in Entra to be added in SmartBarrel
- You can register more than one domain (for example, a parent company and its subsidiaries).
- Personal email domains (such as gmail, outlook, and yahoo) cannot be registered. Users on personal email are handled with an exclusion instead.
If you have more than one SmartBarrel ecosystem
If your organization runs multiple SmartBarrel ecosystems under the same Microsoft tenant, choose one ecosystem to own the SSO setup and register your domain there. Once SSO is required for a user, they will use Microsoft sign-in everywhere they have access in SmartBarrel. See the Rollout Guide for how to plan this.
When someone leaves
If a person's Microsoft account is disabled, SmartBarrel notices during its regular background check and deactivates their SmartBarrel account, usually within about an hour. This blocks all SmartBarrel access, not just the dashboard. If their Microsoft account is later re-enabled, an admin reactivates them in SmartBarrel; it does not happen automatically.
Turning SSO off
- To pause it, turn off enforcement. Users can sign in with a password again, and the Microsoft connection stays in place.
- To stop it entirely, turn off enforcement and then have your IT admin remove the SmartBarrel app from your Microsoft tenant.
If you get locked out
If SSO ever blocks access (for example, the Microsoft connection is removed), an SSO Admin signs in with email and password and either turns off enforcement or reconnects. If every SSO Admin loses access at once, contact SmartBarrel support and we can help you recover.
Sign-in problems
All sign-in failures show the same general message for security reasons, so the message itself will not say what went wrong. If a user cannot sign in, an admin can work through the checks in the Login Troubleshooting Guide.