Microsoft Entra SSO Configuration for Lega
Lega supports OAuth 2.0 and OIDC (OpenID Connect) standards to ensure secure login and to provide a seamless single sign-on (SSO) experience for users. This also allows customer admins to use their existing login systems and security policies to control access to Lega. We currently offer official support for Microsoft Entra and Okta.
Step 1: Register a New Application in Microsoft Entra
- Log in to the Microsoft Entra Portal with appropriate administrative permissions.
- Go to Identity > Applications > App Registrations.
- Click New Registration and enter an application name, e.g., "Lega".
- Set Supported account types to Accounts in this organizational directory only to ensure only users in your Entra directory can log in.
- Enter the Web Redirect URI we provided in your onboarding email. If you do not have this URI, please contact Lega Support.
- Click Register.
Step 2: Configure the Application
- Select Certificates & secrets > + New client secret.
- Add a description (e.g., "Lega Secret") and select an expiration period. We suggest 6 months, but you can choose any period according to your firm's IT and security policies. If your client secret expires, you can notify us, and we can update our security systems with a new value.
- Click Add and copy the generated secret value. This value will not be shown again, though you can always generate a new secret.
- Lega requests certain information to verify user identity and to update your Lega instance with correct user details for reporting, permissions assignment, etc. An admin can consent to these requested details on behalf of the organization, or you can enter them here in advance.
- Go to Manage > API permissions > + Add a permission and verify that 'User.Read' permission is present under Microsoft Graph along with 'email', 'openid', and 'profile'.
- These permissions do not typically require admin consent, but be sure to configure consent here according to your organization's security requirements and standards. Consent is also configured at Enterprise Applications > User Settings. See Configure how users consent to applications for additional details.
Step 3: Configure Group Claims
Group claims allow Lega to receive the assigned groups a user is part of when a user logs in. This enables you to assign groups of users to Lega instead of individual users, and Lega will automatically synchronize these groups so you can use them to assign additional permissions with the Lega admin center.
- Under Manage, select Token configuration > Add group claim.
- Select Groups assigned to the application. This step is important, as it will only include groups that you explicitly assign to Lega.
- Click Save.
Step 4: Optionally configure App Roles (RECOMMENDED)
Assigning app roles allows you to map Lega-defined roles to groups and users in Entra so that they are automatically assigned when logging in. Skipping this step will assign the "User" role to all users.
Note: automatic role assignment can be disabled to allow setting roles in the Lega Admin Center instead of relying on your SSO provider.
- Under Manage, select App roles > + Create app role.
- Enter details for each role:
  - Suggested display names: "Lega Users", "Lega Creators", "Lega Policy Admins", "Lega System Admins".
  - Values (exact values required): User, Creator, PolicyAdmin, SystemAdmin
  - Allowed member types: Choose Users/Groups.
- Ensure the role is enabled and click Apply.
Step 5: Assign Groups and Users
Users and groups are assigned using the Enterprise Application automatically created with the app registration.
- Go to Overview of the app registration and click Managed Application in local directory to easily go to the enterprise application. You can also access the enterprise application by going to Enterprise Applications in the Azure portal at any time.
- Go to Properties and choose options appropriate for your organization's needs and requirements. The most important option here is Assignment Required? - if "No", then ALL users in your directory will be able to log in to Lega. We recommend "Yes" and following the Users and Groups step below to explicitly control which users and groups can log in.
- Go to Users and Groups and click Add user/group. Best practice is assigning groups and not individual users, but you can do both.
- If you configured App Roles, assign the appropriate app role here and save.
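The portal steps above can also be applied as a script, which is useful when the registration must be reproducible or reviewed before it is applied. The following is an added example using the Microsoft Graph PowerShell SDK; it is not Lega's own tooling. The redirect URI and the four group display names are placeholders you must replace, the app role values are the exact strings Step 4 requires, and the Microsoft Graph permission GUIDs are the standard delegated permission IDs for User.Read, openid, profile and email.

```powershell
# Added example: scripted equivalent of Steps 1-5 with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Group.Read.All"

# PLACEHOLDER (assumption): the redirect URI comes from the Lega onboarding email.
$redirectUri = "https://REPLACE-WITH-URI-FROM-ONBOARDING-EMAIL"

# Role value (exact, per Step 4) -> Entra security group to assign (assumed names).
$roleGroups = [ordered]@{
    "User"        = "Lega Users"
    "Creator"     = "Lega Creators"
    "PolicyAdmin" = "Lega Policy Admins"
    "SystemAdmin" = "Lega System Admins"
}

# Step 4: app roles. Generate the role IDs here so we can reference them later.
$roleIds  = @{}
$appRoles = foreach ($value in $roleGroups.Keys) {
    $roleIds[$value] = [guid]::NewGuid().ToString()
    @{
        AllowedMemberTypes = @("User")          # "Users/Groups" in the portal
        Description        = "Lega role: $value"
        DisplayName        = $roleGroups[$value]
        Id                 = $roleIds[$value]
        IsEnabled          = $true
        Value              = $value
    }
}

# Step 2: delegated Microsoft Graph permissions (Type "Scope" = delegated).
$graphAccess = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
    ResourceAccess = @(
        @{ Id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; Type = "Scope" }  # User.Read
        @{ Id = "37f7f235-527c-4136-accd-4a02d197296e"; Type = "Scope" }  # openid
        @{ Id = "14dad69e-099b-42c9-810b-d002981feec1"; Type = "Scope" }  # profile
        @{ Id = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"; Type = "Scope" }  # email
    )
}

# Steps 1, 3 and 4: single-tenant registration, web redirect URI, group claim limited
# to groups assigned to the application, and the app roles defined above.
$app = New-MgApplication -DisplayName "Lega" `
    -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris = @($redirectUri) } `
    -GroupMembershipClaims "ApplicationGroup" `
    -AppRoles $appRoles `
    -RequiredResourceAccess @($graphAccess)

# Step 2: client secret with the 6-month lifetime the guide suggests.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Lega Secret"
    EndDateTime = (Get-Date).AddMonths(6)
}

# Step 5: enterprise application (service principal) with Assignment Required = Yes,
# so only explicitly assigned users and groups can sign in.
$sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired:$true

# Step 5: assign each group to its app role (groups rather than individual users).
foreach ($value in $roleGroups.Keys) {
    $group = Get-MgGroup -Filter "displayName eq '$($roleGroups[$value])'" -Top 1
    if (-not $group) { Write-Warning "Group '$($roleGroups[$value])' not found; skipping"; continue }
    New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
        -ResourceId $sp.Id -AppRoleId $roleIds[$value] | Out-Null
}

# Final step: the values Lega Support needs. The secret is returned only once; store it
# in your password vault immediately rather than in a script log.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    SecretExpiry = $secret.EndDateTime
}
$secret.SecretText
```

Run it once from an account holding the Application Administrator role (or equivalent); re-running would create a second registration, so adapt it to `Update-MgApplication` if you need idempotent changes to an existing one.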
Final Step: Capture and share required details with Lega Support
- To complete the OIDC security configuration in your Lega instance, we need the Tenant ID, Client ID, and Client Secret copied from Step 2. Under Overview you will find Application (Client) ID and Directory (tenant) ID.
- Please share these details with your Lega Support contact.
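Before sharing the identifiers, it is worth confirming that an existing registration still matches the settings this guide calls for (single tenant, assigned-groups claim, the four exact role values, Assignment Required = Yes, and an unexpired secret). The following read-only audit is an added example, not Lega's tooling; it assumes the app registration is named "Lega" and prints the Tenant ID and Client ID for the Final Step alongside any deviations it finds.

```powershell
# Added example: read-only audit of a Lega app registration against this guide.
Connect-MgGraph -Scopes "Application.Read.All"

$app = Get-MgApplication -Filter "displayName eq 'Lega'" -Top 1   # assumed display name
if (-not $app) { throw "No app registration named 'Lega' found" }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" -Top 1

$expectedRoles = @("User", "Creator", "PolicyAdmin", "SystemAdmin")   # Step 4 values
$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: only accounts in this directory may sign in.
if ($app.SignInAudience -ne "AzureADMyOrg") {
    $findings.Add("Step 1: SignInAudience is '$($app.SignInAudience)'; expected AzureADMyOrg")
}

# Step 3: the groups claim must be limited to groups assigned to the application.
if ($app.GroupMembershipClaims -ne "ApplicationGroup") {
    $findings.Add("Step 3: group claim is '$($app.GroupMembershipClaims)'; expected ApplicationGroup")
}

# Step 4: every expected role value exists and is enabled.
$enabledRoles = $app.AppRoles | Where-Object IsEnabled | Select-Object -ExpandProperty Value
foreach ($r in $expectedRoles) {
    if ($enabledRoles -notcontains $r) { $findings.Add("Step 4: app role value '$r' missing or disabled") }
}

# Step 5: Assignment Required = Yes; otherwise every directory user can sign in to Lega.
if (-not $sp.AppRoleAssignmentRequired) {
    $findings.Add("Step 5: Assignment Required is No; all directory users can log in")
}

# Step 2: flag expired secrets and those expiring within 30 days so Lega Support can be notified.
$now  = Get-Date
$soon = $now.AddDays(30)
foreach ($cred in $app.PasswordCredentials) {
    if ($cred.EndDateTime -lt $now) {
        $findings.Add("Step 2: secret '$($cred.DisplayName)' expired on $($cred.EndDateTime)")
    } elseif ($cred.EndDateTime -lt $soon) {
        $findings.Add("Step 2: secret '$($cred.DisplayName)' expires on $($cred.EndDateTime); rotate and notify Lega Support")
    }
}

# Step 5: direct user assignments work, but the guide recommends assigning groups.
$userAssignments = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object PrincipalType -eq "User")
if ($userAssignments.Count -gt 0) {
    $findings.Add("Step 5: $($userAssignments.Count) user(s) assigned directly; prefer groups")
}

# Final step: the two identifiers to share (the secret value cannot be read back from Entra).
[pscustomobject]@{
    TenantId = (Get-MgContext).TenantId
    ClientId = $app.AppId
    Findings = if ($findings.Count) { $findings -join "`n" } else { "All checks passed" }
}
```

Because it only reads, the script can be run by anyone with Application.Read.All, and scheduling it gives early warning of secret expiry well before sign-in to Lega starts failing.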