
Integration Overview - Entra ID Single Sign-on

Version 3.0, 02 November 2025

Updated over 3 weeks ago

The SSO ticket link and this handbook will guide you through setting up an SSO connection to Legora with Microsoft Entra ID (previously known as Azure Active Directory / Azure AD).

Step 1: Create the Azure App registration

The SSO ticket link you have received will guide you through the setup process for creating an SSO connection to Legora with Entra ID.

  1. Open the SSO link you received from Legora

  2. Select Entra as your identity provider

  3. In a new tab, log in to Microsoft Azure and go to your Entra ID application

  4. Go to the App registration tab and select “+ New registration”

  5. Fill out the form and register:

    • Name - Give it a name you can remember that reflects what the application is for, for example “Legora SSO setup”

    • Supported account types - Leave the preselected option (Legora only - Single tenant)

    • Redirect URI - Leave empty at this step

  6. Copy and save your Application (client) ID for a later step

Step 2: Set up your Platform configuration

Step 3: Generate your client secret

  1. In Certificates & secrets, create a new client secret using “+ New client secret”

  2. Fill out the details:

    • Description - Add a name and description that clearly describes what the secret is for, for example “Legora SSO secret”.

    • Expires - Select how long the secret should be valid.

      1. Note: Set yourself a reminder for the expiry date so that you create a new secret a few days before the current one expires.

    • Add the secret, then copy the Secret value and save it in a secure place.

      1. Important: It is the Value you need to save and use, not the Secret ID. If you do not save it at this step, you will not be able to retrieve it later and will need to create a new one.

    • Go back to the SSO ticket and click continue.
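The expiry reminder above is easy to forget once the ticket is closed. The following script is an added example (not Legora's or Microsoft's code) that audits the client secrets on an app registration and flags any that have expired or are about to. Its input is a constructed sample shaped like the passwordCredentials entries returned by `az ad app credential list --id <APP_ID>` (Graph camelCase field names; the keyId values are placeholders). Only secret metadata is read, so the secret value itself is never handled. The 365-day lifetime threshold is an illustrative policy, not a Legora or Microsoft requirement.

```python
"""Audit an Entra app registration's client secrets for upcoming expiry.

Added example, not Legora's or Microsoft's code. The records below are a
constructed sample shaped like the passwordCredentials entries returned by
`az ad app credential list --id <APP_ID>` (Graph camelCase fields; assumed).
Only the secret's metadata is needed; the secret value itself never appears.
"""
import json
from datetime import datetime, timezone

# Constructed sample input (not real credentials); keyId values are placeholders.
SAMPLE_CREDENTIALS_JSON = """
[
  {"displayName": "Legora SSO secret", "hint": "Ab1",
   "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"},
  {"displayName": "Old test secret", "hint": "Cd2",
   "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-12-31T00:00:00Z"},
  {"displayName": "Long-lived secret", "hint": "Ef3",
   "keyId": "00000000-0000-0000-0000-000000000003",
   "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"}
]
"""


def parse_graph_time(value):
    """Parse a Graph UTC timestamp such as 2025-12-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_secrets(credentials_json, now_iso, warn_days=14, max_lifetime_days=365):
    """Classify each secret as expired, expiring (within warn_days) or ok.

    max_lifetime_days is an illustrative policy threshold (assumption), not a
    Legora or Microsoft requirement; secrets valid longer than that are
    marked too_long. Returns a list of dicts sorted by days remaining.
    """
    now = parse_graph_time(now_iso)
    results = []
    for cred in json.loads(credentials_json):
        start = parse_graph_time(cred["startDateTime"])
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName", ""),
            "status": status,
            "days_left": days_left,
            "too_long": (end - start).days > max_lifetime_days,
        })
    results.sort(key=lambda r: r["days_left"])
    return results


def report(credentials_json, now_iso=None, warn_days=14):
    """Print one line per secret; return True only if none is expired or expiring."""
    if now_iso is None:
        now_iso = datetime.now(timezone.utc).isoformat()
    rows = audit_secrets(credentials_json, now_iso, warn_days)
    for r in rows:
        flag = " (lifetime exceeds policy)" if r["too_long"] else ""
        print(f"{r['status']:<9} {r['days_left']:>5}d  {r['displayName']} [{r['keyId']}]{flag}")
    return all(r["status"] == "ok" for r in rows)


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    report(SAMPLE_CREDENTIALS_JSON, now_iso="2025-11-20T00:00:00Z")
```

Run it on a schedule against the real credential list and treat a False return as the reminder; rotating the secret still means repeating the "Add the secret" step above and updating the value in the Legora connection.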

Step 4: Create the connection

  1. Add the connection configuration details

    • Microsoft Entra ID domain - This should be your primary domain, which you can find in Azure under Domain names. Make sure you enter it correctly; it cannot be edited after you click Create Connection.

      1. Note: This is your own primary domain, not the Microsoft-provided one, e.g. legora.com rather than legora.onmicrosoft.com

    • Client ID - The Application (client) ID you saved in Step 1

    • Client Secret - The secret value you saved in Step 3.

    • Callback URL - The URL added in Step 2.

  2. Select “Create Connection”

Step 5: Assign the users and groups

  1. From the App registration, navigate to your newly created “Managed application”

  2. In the Properties tab, you can choose whether all users should have access to the app or whether access should be assigned manually. This setting is off by default and is labelled “Assignment required”

  3. If you want assignment to be required, navigate to the Users and groups tab, select Add user/group, and then select Users and groups.

  4. Search for and add all users or groups who should have access to Legora, then select Assign.

Step 6: Test the connection

  1. Go back to your SSO ticket and test the connection.

  2. In the new window, you will be asked to approve some permissions (in some cases this must be approved by an admin before you can continue). Click Accept.

    1. Note: If you get an error message, read it thoroughly, as it will state exactly what is wrong. Go back and correct any incorrect information. If you still need help, contact [email protected] for support.

  3. In the main SSO ticket, you will see a confirmation that the test was successful once everything has worked.

Step 7: Enable the connection

  1. In the bottom right corner, select “Enable Connection” to finish the setup of SSO for your organisation.


Access control models with SSO

By default, Legora uses Auto-membership ON, where user access is fully managed through Microsoft Entra ID. This setup is recommended for most organizations because it provides the simplest experience and centralizes control. Anyone assigned to the Legora enterprise app in Entra can sign in via SSO and will automatically join the organization.

If you prefer tighter control or want to manage membership directly inside Legora, you can disable auto-membership by reaching out to our support. In that case, users must still be allowed in Entra to authenticate, but they’ll only gain access once they’ve been explicitly invited to the organization.

1) Auto-membership ON (fully controlled in Entra)

What it means

Any user granted access to the Legora enterprise app in Microsoft Entra ID can sign in via SSO and will be:

  1. JIT-provisioned — their Legora user account is automatically created on first login.

  2. Automatically added to the Legora organization.

How it works

  • Entra controls who can authenticate via app assignment, Conditional Access, and MFA.

  • Auth0 handles authentication and JIT provisioning.

  • Legora automatically:

    • Creates the user (if not already existing).

    • Adds them to the organization.

Lifecycle

  • Grant access: Add the user or their group to the Legora enterprise app in Entra → user can log in and will automatically join the organization.

  • Revoke access: Remove the user or group from the app in Entra → user can no longer sign in.
    (The Legora user account remains but cannot be accessed unless re-granted in Entra.)

2) Auto-membership OFF (dual control: Entra + Legora)

What it means

Users can still sign in and are JIT-provisioned (their account is created automatically), but they are not automatically added to the Legora organization.

If they haven’t been invited and accepted the invitation, they’ll see a message:

“You’re not a member of this organization.”

How it works

  • Entra governs who can authenticate.

  • Auth0 still performs JIT provisioning (user record is created).

  • Legora enforces organization-level membership:

    • If the user is not a member, access stops after login.

    • Once invited and invitation accepted, the next SSO login grants full access automatically.

Lifecycle

  • Grant access: IT allows the user in Entra and a Legora admin invites them.

  • Revoke access: Remove from Entra to block login, or remove from Legora to revoke membership.
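The two models above differ only in where membership is decided, which is easy to lose in prose. The following is an added example (not Legora's or Auth0's code) that models one SSO login as the three checks the text describes: Entra app assignment gates authentication, a user record is JIT-provisioned on first login, and Legora then decides on organisation membership (auto-membership ON adds the user automatically; OFF requires an accepted invitation). Both lifecycles are walked through so the outcomes can be compared, including that a user revoked in Entra keeps their Legora record but can no longer sign in. The e-mail addresses and the org object are illustrative.

```python
"""Model of the two SSO access-control modes described above.

Added example, not Legora's or Auth0's code. It encodes only the rules in
the text: Entra app assignment decides who can authenticate, a user record
is JIT-provisioned on first login, and Legora then checks organisation
membership (auto-membership ON adds the user automatically; OFF requires an
accepted invitation). E-mail addresses and the org object are illustrative.
"""
from dataclasses import dataclass, field

NOT_MEMBER_MSG = "You're not a member of this organization."


@dataclass
class LegoraOrg:
    auto_membership: bool
    users: set = field(default_factory=set)             # JIT-provisioned records
    members: set = field(default_factory=set)           # organisation membership
    accepted_invites: set = field(default_factory=set)  # invited and accepted

    def invite_and_accept(self, email):
        """A Legora admin invites the user and the user accepts (one step here)."""
        self.accepted_invites.add(email)

    def remove_member(self, email):
        """Revoke membership inside Legora; the user record is kept."""
        self.members.discard(email)
        self.accepted_invites.discard(email)


def sso_login(entra_assigned, org, email):
    """Return the outcome of one SSO login attempt for `email`."""
    # 1. Entra: only users/groups assigned to the enterprise app may authenticate.
    if email not in entra_assigned:
        return "cannot sign in"
    # 2. Auth0: JIT-provision the user record on the first successful authentication.
    org.users.add(email)
    # 3. Legora: organisation membership decides whether access is granted.
    if email in org.members:
        return "access granted"
    if org.auto_membership or email in org.accepted_invites:
        org.members.add(email)
        return "access granted"
    return NOT_MEMBER_MSG


def lifecycle_auto_on():
    """Grant in Entra: login joins the org. Revoke in Entra: blocked, record remains."""
    org = LegoraOrg(auto_membership=True)
    entra = {"alice@example.com"}
    first = sso_login(entra, org, "alice@example.com")
    entra.discard("alice@example.com")           # removed from the enterprise app
    after_revoke = sso_login(entra, org, "alice@example.com")
    return first, after_revoke, "alice@example.com" in org.users


def lifecycle_auto_off():
    """Login before invitation shows the membership message; after it, access is granted."""
    org = LegoraOrg(auto_membership=False)
    entra = {"bob@example.com"}
    before_invite = sso_login(entra, org, "bob@example.com")
    org.invite_and_accept("bob@example.com")
    after_invite = sso_login(entra, org, "bob@example.com")
    org.remove_member("bob@example.com")         # revoked inside Legora
    after_removal = sso_login(entra, org, "bob@example.com")
    return before_invite, after_invite, after_removal


if __name__ == "__main__":
    print(lifecycle_auto_on())
    print(lifecycle_auto_off())
```

The model makes the operational point visible: in either mode, Entra assignment is the only control that stops authentication, while Legora membership only decides what happens after a successful login.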


Frequently Asked Questions

Q: What happens when a user is removed from the enterprise app in Entra?

They immediately lose the ability to sign in to Legora. Their Legora user record remains in the system but cannot be accessed unless they’re re-granted access in Entra. (Legora does not currently support SCIM-based automatic deletion.)

Q: Why does a user see “You’re not a member of this organization” after signing in?

This happens when auto-membership is OFF.

The user has successfully authenticated via Entra (and been JIT-provisioned), but they’re not yet a member of the Legora organization.

An admin must invite them in Legora; once the user accepts the invite, their next SSO login will succeed.

Q: Does Legora support SCIM provisioning?

Not yet. User provisioning and deprovisioning happen via:

  • Entra for authentication (who can sign in)

  • Legora for membership (who can access the organization)

For now, removing a user in Entra only blocks future logins; it does not delete their Legora profile.

Q: We have multiple domains but SSO is not triggered for all

The self-serve link does not currently support adding multiple domains, but this can be enabled from the backend. Please reach out to Legora support to get this resolved.


Additional Resources

For more detailed information and troubleshooting, refer to the following resources:
