Organization Owner access is required in PlayerZero to configure SSO. Entra ID administrator access is required in Azure to create the app registration and adjust settings.

Overview

This guide walks you through creating a Microsoft Entra app registration and wiring it to PlayerZero. We use the OIDC Authorization Code flow with PKCE. PlayerZero only requests standard OIDC claims.

Prerequisites

  • A PlayerZero organization where you are an Owner
  • Admin access to Azure Portal for your tenant
  • PlayerZero redirect URL: https://playerzero.ai/api/auth/sso

Multi-Tenant SSO

If your organization uses multiple email domains, each domain requires its own SSO configuration in PlayerZero. You may reuse the same Entra app registration for all domains if you choose. For each domain:
  • Sign in to PlayerZero using an account from that domain
  • Create a new SSO configuration starting at Step 3 — Configure PlayerZero
PlayerZero will simply have one SSO configuration per domain, regardless of how you organize Entra (single app or multiple apps).

Step 1 — Create the App Registration in Entra

  1. Select Single Tenant account type
  2. Add it as a Web registration using the redirect URL:
    • https://playerzero.ai/api/auth/sso
  3. Create and store a Client Secret.

Step 2 — API Permissions (OpenID Connect)

  1. In the app registration, open API permissions → Add a permission → Microsoft Graph → Delegated permissions.
  2. Add these scopes:
    • openid
    • profile
    • email
    • offline_access
  3. Grant admin consent for your tenant.

Step 3 — Configure PlayerZero

  1. In PlayerZero, open Settings → SSO Configuration → Add SSO Configuration.
  2. Fill in the Fetch SSO config from well-known endpoint field with your OpenID Connect metadata document endpoint.
  3. Click Fetch from Well-Known (PlayerZero will query: https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/.well-known/openid-configuration)
  4. Verify your organization’s domain and other autofilled settings.
  5. Enter your Client ID and Client Secret Value.
  6. Add the openid profile email offline_access scopes.
  7. Toggle on Use PKCE (Proof Key for Code Exchange).
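
One way to do the verification in step 4 offline, as an added example that is not PlayerZero or Microsoft code: it checks that a fetched discovery document is pinned to your single tenant rather than to a multi-tenant alias or another host. The names check_discovery and sample_doc, the tenant ID and the sample document are constructed for illustration; the issuer format assumed is the v2.0 one matching the well-known URL in step 3.

```python
import re
from urllib.parse import urlsplit

AUTHORITY_HOST = "login.microsoftonline.com"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID


def check_discovery(doc: dict, tenant_id: str) -> list[str]:
    """Return a list of problems; an empty list means the document looks right."""
    if not GUID.match(tenant_id):
        # "common" / "organizations" are multi-tenant aliases, not a tenant ID.
        return [f"tenant_id {tenant_id!r} is not a directory GUID"]
    tenant_id = tenant_id.lower()
    problems = []
    expected_issuer = f"https://{AUTHORITY_HOST}/{tenant_id}/v2.0"
    if str(doc.get("issuer", "")).lower() != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    # Endpoints that handle the code, the client secret and the signing keys
    # must be HTTPS on the Microsoft authority host and scoped to this tenant.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlsplit(str(doc.get(key, "")))
        if url.scheme != "https" or url.hostname != AUTHORITY_HOST:
            problems.append(f"{key} is not https://{AUTHORITY_HOST}/...")
        elif url.path.lower().split("/")[1:2] != [tenant_id]:
            problems.append(f"{key} is not scoped to tenant {tenant_id}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    return problems


def sample_doc(tenant: str, host: str = AUTHORITY_HOST) -> dict:
    """Constructed sample shaped like an Entra v2.0 discovery response."""
    base = f"https://{host}/{tenant}"
    return {
        "issuer": f"{base}/v2.0",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
        "response_types_supported": ["code", "id_token"],
    }


if __name__ == "__main__":
    print(check_discovery(sample_doc(TENANT), TENANT))    # tenant-pinned document
    print(check_discovery(sample_doc("common"), TENANT))  # multi-tenant alias
```

To check a real tenant, save the JSON returned by the well-known URL to a file, load it with json.load, and pass it in with your Directory (tenant) ID.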

Step 4 — Test the Connection

  1. In PlayerZero SSO Configuration, click Test Connection.
  2. Complete the Microsoft sign-in in the popup.
  3. On success, click Save Configuration.

Next Steps — Rollout & User Impact

Once SSO is saved and enabled, PlayerZero will invalidate existing sessions:
  • All users will be logged out of PlayerZero.
  • When users log back in through SSO, they will be able to access all previous work. No data will be lost in the transition.