The SSO ticket link you have received will guide you through the setup process for creating an SSO connection to Legora with Entra ID (previously known as Azure Active Directory / AD). Please find important clarifications for some of the steps in this document.
When entering the Microsoft Entra ID Domain, add the actual domain your users have, not the Microsoft-provided domain, e.g. legora.com rather than legora.onmicrosoft.com.
If you leverage multiple domains for users, for example legora.com and legora.se, please reach out to your Legora support and inform them about this. The self-serve portal does not currently support adding multiple domains.
Make sure you add the client secret value, not the secret ID.
Access control models with SSO
By default, Legora uses Auto-membership ON, where user access is fully managed through Microsoft Entra ID. This setup is recommended for most organizations because it provides the simplest experience and centralizes control. Anyone assigned to the Legora enterprise app in Entra can sign in via SSO and will automatically join the organization.
If you prefer tighter control or want to manage membership directly inside Legora, you can disable auto-membership by reaching out to our support. In that case, users must still be allowed in Entra to authenticate, but they’ll only gain access once they’ve been explicitly invited to the organization.
1) Auto-membership ON (fully controlled in Entra)
What it means
Any user granted access to the Legora enterprise app in Microsoft Entra ID can sign in via SSO and will be:
JIT-provisioned — their Legora user account is automatically created on first login.
Automatically added to the Legora organization.
How it works
Entra controls who can authenticate via app assignment, Conditional Access, and MFA.
Auth0 handles authentication and JIT provisioning.
Legora automatically:
Creates the user (if not already existing).
Adds them to the organization.
Lifecycle
Grant access: Add the user or their group to the Legora enterprise app in Entra → user can log in and will automatically join the organization.
Revoke access: Remove the user or group from the app in Entra → user can no longer sign in.
(The Legora user account remains but cannot be accessed unless re-granted in Entra.)
2) Auto-membership OFF (dual control: Entra + Legora)
What it means
Users can still sign in and are JIT-provisioned (their account is created automatically), but they are not automatically added to the Legora organization.
If they have not been invited and accepted the invitation, they will see the message:
“You’re not a member of this organization.”
How it works
Entra governs who can authenticate.
Auth0 still performs JIT provisioning (user record is created).
Legora enforces organization-level membership:
If the user is not a member, access stops after login.
Once invited and the invitation has been accepted, the next SSO login grants full access automatically.
Lifecycle
Grant access: IT allows the user in Entra and a Legora admin invites them.
Revoke access: Remove from Entra to block login, or remove from Legora to revoke membership.
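The two modes above, as an added example that is not Legora's or Auth0's code: a Python model of the lifecycle in both sections (the class and method names are hypothetical, and the sample users are constructed).

```python
# Added example (not Legora's or Auth0's code): a model of the two
# access-control modes described above. LegoraTenant and its method
# names are hypothetical, chosen for this illustration only.
from dataclasses import dataclass, field

NOT_MEMBER_MSG = "You're not a member of this organization."


@dataclass
class LegoraTenant:
    auto_membership: bool = True                        # ON by default; OFF on request to support
    entra_assigned: set = field(default_factory=set)    # users assigned to the enterprise app
    users: set = field(default_factory=set)             # JIT-provisioned user records
    members: set = field(default_factory=set)           # organization membership
    pending_invites: set = field(default_factory=set)   # invites sent by a Legora admin

    # --- Entra side: who may authenticate ---------------------------------
    def entra_grant(self, user: str) -> None:
        self.entra_assigned.add(user)

    def entra_revoke(self, user: str) -> None:
        # Blocks future logins only; the user record is kept (no SCIM deletion).
        self.entra_assigned.discard(user)

    # --- Legora side: who is a member of the organization -----------------
    def invite(self, user: str) -> None:
        self.pending_invites.add(user)

    def accept_invite(self, user: str) -> None:
        if user in self.pending_invites:
            self.pending_invites.discard(user)
            self.members.add(user)

    def remove_member(self, user: str) -> None:
        self.members.discard(user)

    # --- SSO login flow ---------------------------------------------------
    def sso_login(self, user: str) -> tuple[bool, str]:
        """Return (access_granted, message) for one SSO login attempt."""
        if user not in self.entra_assigned:
            return False, "Authentication refused by Entra (not assigned to the app)."
        self.users.add(user)                  # JIT provisioning happens in both modes
        if self.auto_membership:
            self.members.add(user)            # automatically joins the organization
        if user not in self.members:
            return False, NOT_MEMBER_MSG      # access stops after login
        return True, "Access granted."
```

Running the two tenants side by side shows why revoking in Entra is the control that stops sign-in in both modes, while a Legora membership removal only matters when auto-membership is OFF.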
Frequently Asked Questions
Q: What happens when a user is removed from the enterprise app in Entra?
They immediately lose the ability to sign in to Legora. Their Legora user record remains in the system but cannot be accessed unless they’re re-granted access in Entra. (Legora does not currently support SCIM-based automatic deletion.)
Q: Why does a user see “You’re not a member of this organization” after signing in?
This happens when auto-membership is OFF.
The user has successfully authenticated via Entra (and been JIT-provisioned), but they’re not yet a member of the Legora organization.
An admin must invite them in Legora; after the user accepts the invite, their next SSO login will succeed.
Q: Does Legora support SCIM provisioning?
Not yet. User provisioning and deprovisioning happen via:
Entra for authentication (who can sign in)
Legora for membership (who can access the organization)
For now, removing a user in Entra only blocks future logins; it does not delete their Legora profile.
Q: We have multiple domains, but SSO is not triggered for all of them
The self-serve link does not currently support adding multiple domains, but this can be enabled from the backend. Please reach out to Legora support to get this resolved.