# Microsoft SSO

## What is this?

[Avanoo](https://avanoo.ai/) is a tool that helps organisations optimise their tech stacks. We let your IT administrator see which Software-as-a-Service (SaaS) applications are being used so that your organisation can cut unused licenses, identify security vulnerabilities, and find tools that are better suited to its needs.

Avanoo was designed with privacy in mind and is not meant to track the employees’ work. We only collect a minimum amount of data strictly for the purposes cited above, and aim to be fully transparent regarding how the SSO works on your account and how we use your data.

This document aims to answer any questions you may have. Should you have any concerns that aren’t covered here, please do not hesitate to [reach out to us](#user-content-fn-1)[^1].

## How does it work?

The Avanoo platform works in the background. Every day, it fetches data from your Microsoft Entra tenant to track changes to users, groups, administrativeUnits, and SaaS activity.

To get this information, it needs two authorizations from your Microsoft Entra accounts:

* User.Read, to allow user connection using Microsoft as an identity provider.
* Directory.Read.All, to allow fetching of
  * users,
  * groups,
    * group members,
  * administrativeUnits,
    * administrativeUnit members,
  * servicePrincipal (SaaS application),
    * servicePrincipal users.
* AuditLog.Read.All, to fetch all SSO connection usage and add this information to your SaaS usage mapping.

Using this information, Avanoo can monitor changes in your environment and provide recommendations when a user's status changes or a new SaaS application is discovered.

We aim to limit the amount of data sent to our servers as much as possible. Thus, only 1 refresh per day will be sent to the Avanoo servers.

***

### Application Registry

To connect Avanoo to your Microsoft Entra tenant, you need to register an application and grant it the required permissions. Follow these steps:

#### 1. Register a new application

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with an account that has Global Administrator or Application Administrator privileges.
2. In the left navigation, go to Entra ID → App registrations.
3. Click + New registration.
4. Fill in the form:
   * Name: `Avanoo` (or any name your organisation prefers)
   * Supported account types: Select Accounts in this organizational directory only (Single tenant)
   * Redirect URI: Leave blank for now (not required for this integration)
5. Click Register.

#### 2. Note down the identifiers

On the app's Overview page, copy the following values — you will need to send them to us:

* Application (client) ID
* Directory (tenant) ID

#### 3. Create a client secret

1. In the left menu of your app registration, go to Certificates & secrets.
2. Under the Client secrets tab, click + New client secret.
3. Add a description (e.g. `Avanoo integration`) and choose an expiry period (we recommend 24 months).
4. Click Add.
5. Copy the secret Value immediately — it will only be displayed once. This is the third value you will need to send us.

#### 4. Add API permissions

1. In the left menu, go to API permissions.
2. Click + Add a permission → Microsoft Graph → Application permissions.
3. Search for and select the following permissions:
   * `User.Read` (already present by default)
   * `Directory.Read.All`
   * `AuditLog.Read.All`
4. Click Add permissions.
5. Back on the API permissions page, click Grant admin consent for \[your organisation] and confirm. A green checkmark should appear next to each permission.

> Note: The `User.Read` delegated permission is added by default and is used for user sign-in. The three permissions above are Application permissions (not delegated), meaning they allow Avanoo to read data in the background without requiring a user to be signed in.
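
To confirm that steps 3 and 4 produced a least-privilege registration, you can decode an app-only Microsoft Graph access token obtained with the new credentials and compare its `roles` claim to the permissions listed above. The Python below is an added example, not Avanoo's code; the function names, placeholder IDs and the sample token (unsigned, with an extra `Mail.Read` role) are constructed for illustration.

```python
import base64
import json

# Application permissions this page asks you to grant in step 4.
EXPECTED_ROLES = {"Directory.Read.All", "AuditLog.Read.All"}
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only (the signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def audit_app_token(token: str, tenant_id: str, client_id: str) -> list[str]:
    claims = decode_claims(token)
    findings = []
    roles = set(claims.get("roles", []))  # application permissions appear here
    for extra in sorted(roles - EXPECTED_ROLES):
        findings.append(f"unexpected application permission: {extra}")
    for missing in sorted(EXPECTED_ROLES - roles):
        findings.append(f"missing application permission: {missing}")
    if claims.get("scp"):  # delegated scopes such as User.Read appear here
        findings.append("token carries delegated scopes; expected an app-only token")
    if claims.get("tid") != tenant_id:
        findings.append("token issued for a different tenant")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("token issued to a different application")
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append("audience is not Microsoft Graph")
    return findings

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    sample = make_sample_token({  # constructed claims; IDs are placeholders
        "aud": "https://graph.microsoft.com", "tid": "TENANT-PLACEHOLDER",
        "appid": "CLIENT-PLACEHOLDER",
        "roles": ["Directory.Read.All", "AuditLog.Read.All", "Mail.Read"]})
    for finding in audit_app_token(sample, "TENANT-PLACEHOLDER", "CLIENT-PLACEHOLDER"):
        print(finding)
```

An empty result means the token carries exactly the two application permissions and was issued to the expected app in the expected tenant.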

#### 5. Send us the credentials

Once complete, send the following three values to us through the Avanoo app chat:

1. Application ID
2. Client secret Value
3. Directory (tenant) ID

We will use these to configure the integration on our end. Your data sync will begin within 24 hours.


[^1]: mailto:<support@avanoo.ai>

