Microsoft SSO: Rollout Guide
A practical guide for admins setting up and enforcing Microsoft Entra ID single sign-on in SmartBarrel. The goal is a clean rollout where no one gets locked out. The single most important recommendation: do not enforce SSO on day one.
Before you start: what you need
- A Microsoft admin who can grant consent. Setup requires someone whose Microsoft account holds one of these Entra roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, or Application Administrator. Global Administrator is the most common. This same person needs to run the SmartBarrel setup, because the approval step happens under their Microsoft sign-in.
- Your company email domain(s). Know every domain your users sign in with, including any subsidiaries. Personal email domains (gmail, outlook, yahoo, and similar) cannot be registered.
- A list of anyone who does not use a company Microsoft account. Contractors, shared accounts, or people on personal email will need an SSO exclusion. Identify them now.
- A plan for Entra app assignment. Decide who gets assigned to the SmartBarrel app in Entra. Assigning by group rather than one person at a time requires Entra P1 or higher.
- At least two intended SSO Admins. These are the people who are responsible for the configuration and keep password access if Microsoft is ever unreachable. More on this below.
Step 1: Connect SmartBarrel to Microsoft
In SmartBarrel, go to Settings, then Security & Privacy, then the SSO section, and click Enable on the Microsoft provider card. You will be sent to Microsoft to sign in and grant consent to the SmartBarrel application in Entra. Approving creates the connection and automatically makes you the first SSO Admin.
At this stage, nothing is enforced. SSO is available but optional, and users can still login with their password.
Step 2: Register your domains
Add every company domain your users sign in with. If a domain is rejected, it is either already claimed by another company or on the blocked personal-domain list. Contact support if you believe a rejection is wrong.
Step 3: Assign users in Entra
Have your IT admin assign the right users to the SmartBarrel app in Entra ("Assignment required" in Enterprise Applications). Users who are not assigned will be blocked by Microsoft even if everything on the SmartBarrel side is correct. This is one of the most common causes of "it works for me but not for them," so confirm coverage before you go further.
Step 4: Pilot before enforcing
Leave enforcement off and have a small pilot group sign in with Microsoft. Each pilot user sees a one-time account-linking screen the first time, then lands in SmartBarrel normally. Confirm that:
- Pilot users can complete Microsoft sign-in and reach their ecosystem.
- People you expect to be excluded (personal email, contractors) still sign in the way you intend.
- Anyone who reports a failure gets checked before you move on.
Step 5: Make sure it works for everybody
When you click Enforce SSO, SmartBarrel scans all your users for email domains that are not on your registered list. This is your safety net.
- If there are no domain mismatches, enforcement turns on.
- If there are domain mismatches, enforcement does not turn on. You get a list of every mismatched user, and for each you either update their email to a registered domain or mark them SSO-excluded. Once the list is clear, you confirm and enforcement turns on.
Best practice: run this scan early, well before your planned enforcement date, so you can resolve mismatches calmly rather than under pressure on the day.
A note on exclusions. Excluded users can keep signing in with email and password, and standard SmartBarrel MFA still applies to them. Exclusions are set on the Worker Profile and persist even if you later turn enforcement off and back on.
If you have multiple SmartBarrel ecosystems
If your organization runs more than one SmartBarrel ecosystem on the same Microsoft tenant, do not register the same domain in each one. Instead:
- Pick one ecosystem as the primary owner of SSO. Register the domain and manage SSO configuration there.
- Enforcement then applies to every user on that domain, no matter which ecosystem they have an account in. In practice this means that once SSO is enforced for someone, they use Microsoft sign-in everywhere they have access in SmartBarrel.
- The other ecosystems do not register the same domain again.
Plan this before you start, because it decides where you do the setup.
Keep at least two SSO Admins
SSO Admins are your recovery path. They can always sign in with email and password, even when SSO is enforced, and they receive SSO-related notifications. If Microsoft is ever unreachable or the connection is removed, an SSO Admin signs in with a password and either disables enforcement or reconnects.
Keep at least two. SmartBarrel requires a minimum of one and will not let you remove the last one, but two or more protects you if a single admin is unavailable. Relying on a single SSO Admin is the main way a company can risk locking itself out.
Communicate before you enforce
Enforcement changes how people sign in, so treat it as a change, not a switch.
- Announce what is changing (sign in with Microsoft instead of a password), why, and who it affects.
- Set and share a specific enforcement date with your user base.
- Tell people what to expect the first time: a one-time screen linking their account to Microsoft.
- Give them a contact for problems.
Enforcement day
- Confirm the enforcement scan is clean, with no mismatches.
- Confirm Entra app assignment covers everyone.
- Confirm everyone using SSO can successfully log in to the Dashboard with Microsoft.
- Turn on enforcement.
After enforcement
- New users no longer create a password. If SSO is enforced, their invitation email links them straight to Microsoft sign-in.
- To pause SSO temporarily, disable enforcement. The Microsoft connection stays intact and users can sign in with a password again.
- To stop permanently, disable enforcement and then have your IT admin remove the SmartBarrel app from your Entra tenant. Admins can also revoke consent from SmartBarrel by disconnecting Microsoft.
Quick pre-flight checklist
- Microsoft admin with a consent-capable role is ready
- All company domains identified and registered
- Anyone not on a company Microsoft account identified and excluded
- Entra app assignment covers everyone who needs access
- Pilot group tested successfully
- Enforcement scan run and domain mismatches resolved
- At least two SSO Admins in place
- Company informed, with an enforcement date set