# Using Microsoft Entra for SSO

{% hint style="warning" %}
When you register the ENGAGE application with Microsoft Entra, you must grant the application `User.Read` as a delegated permission for the Microsoft Graph API. For more information, refer to [Overview of Microsoft Graph permissions](https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http) in the Microsoft documentation.
{% endhint %}

{% hint style="warning" %}
If you incorrectly configure SSO for your group, members of your group will not be able to log in to the application. Ensure that you test your SSO log-in after you configure it.
{% endhint %}

To enable SSO for your Enterprise group and any subgroups, complete the following steps:

1. Go to <https://app-eap.engagevr.io/>, and then log in.
2. From the menu, select **Groups**.
3. Select the name or the **View** icon for the group.
4. Select the **Security** tab, and then select **Single Sign-On (SSO)**.

<figure><img src="https://136486474-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0HDETjRCd2UdV2BaIb1H%2Fuploads%2Fgit-blob-e664749d91089cc041be4fdf826da725e0b86cb2%2Fsso_option.png?alt=media" alt=""><figcaption><p>Link to access SSO configuration settings</p></figcaption></figure>

5. On the **SSO** page, from the **SSO Provider** list, select **Microsoft Entra ID**.
6. Enter your **Client ID**, **Tenant ID**, and **Client Secret**. For more information about these fields, contact your SSO provider.
7. From the **Enforcement** list, choose one of the following options:
   * To require all members of the group or subgroups to use SSO to log in, select **Full**.
   * To require only members of the group or subgroups with specific email addresses to use SSO to log in, select **Partial**. Then, for each domain that you want to require SSO for, enter the domain in the **Domain Name** field, and then select **Add**.
8. Select **Apply**.
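
The `User.Read` requirement from the first warning can be checked against the app registration before you test the login. The following is an added example, not part of the ENGAGE product or its documentation: it inspects the `requiredResourceAccess` section of an app registration manifest (the JSON returned by `az ad app show` or shown in the Entra portal's manifest view) for `User.Read` as a delegated permission. The function name and the two sample manifests are constructed for illustration.

```python
import json

# Well-known Microsoft Graph identifiers; these are the same in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"


def check_user_read(manifest: dict) -> str:
    """Return 'ok', 'wrong-type' or 'missing' for Graph User.Read (delegated).

    This reads the permissions the registration *requests*; it does not
    prove that consent has been granted in the tenant.
    """
    result = "missing"
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId", "").lower() != GRAPH_APP_ID:
            continue  # permission on some other API, not Microsoft Graph
        for access in resource.get("resourceAccess", []):
            if access.get("id", "").lower() != USER_READ_SCOPE_ID:
                continue
            if access.get("type") == "Scope":  # "Scope" = delegated
                return "ok"
            result = "wrong-type"  # "Role" = application permission
    return result


# Constructed sample: registration with User.Read as a delegated permission.
GOOD_MANIFEST = json.loads("""
{"requiredResourceAccess": [
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]}
""")

# Constructed sample: registration that requests nothing from Microsoft Graph.
EMPTY_MANIFEST = json.loads('{"requiredResourceAccess": []}')

if __name__ == "__main__":
    for name, manifest in [("good", GOOD_MANIFEST), ("empty", EMPTY_MANIFEST)]:
        print(f"{name}: {check_user_read(manifest)}")
```

A result other than `ok` means the registration should be corrected in Microsoft Entra before SSO enforcement is applied to the group.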
