This guide details how to integrate Microsoft Entra ID with Abacus.AI for user management.
This document outlines the setup process for integrating Microsoft Entra ID (formerly Azure AD) with Abacus.AI for user management and Single Sign-On (SSO). It also includes best practices, security requirements, and answers to commonly asked enterprise questions. For SAML-based instructions, please see the instructions here.
Log in to your Microsoft Entra admin dashboard.
Go to the Enterprise applications tab and select the installation of Abacus.AI with Application ID: b89bbf6f-22a7-4b66-9bcf-6a80edf04dc5.
Go to the permissions tab and ensure the following permissions are enabled:
Permission | Description | Needed for SSO |
---|---|---|
Application.Read.All | Read applications | No |
Directory.Read.All | Read directory data | No |
email | View users' email address | Yes |
offline_access | Maintain access to data you have given it access to | Yes |
openid | Sign users in | Yes |
profile | View users' basic profile | Yes |
User.Read | Sign in and read user profile | Yes |
User.ReadBasic.All | Read all users' basic profiles | Yes |
If the permissions are not already enabled, you may have to click the "Grant admin consent" button first. The above screenshot is from after granting admin consent.
Go to the "Users and groups" tab and press "Add user/group".
Select the users or groups you want to give access to, along with their corresponding roles:
- Admin - The user is an admin on the Abacus.AI Chat and platform.
- Chat User - The user only has access to the Abacus.AI Chat.
- Platform User - The user has access to the Abacus.AI Chat and platform.
Microsoft Entra ID Governance is not strictly necessary for single sign-on (SSO) integration. It becomes essential when you want to use group-based role assignments and automated identity management features, because group assignments are not available from Microsoft without this plan.
Your team can still use SSO integration if you're willing to accept the limitations of manually assigning roles to individual users. However, if you want to assign roles to user groups and enable access to private group-specific bots for "Chat Users," then Entra ID Governance is necessary, but only 1-2 licenses would be needed for the admins who will manage and maintain the groups.
The Microsoft Entra ID P2 license is mandatory for integration with Abacus.AI. It is required to enable critical features such as Dynamic Group Management, which allows you to assign roles to user groups instead of individual users. This is essential for managing access efficiently in larger organizations. Additionally, without a P2 license, certain third-party applications (like Abacus.AI) may not appear in the Enterprise Applications section of Microsoft Entra ID, as the license unlocks advanced application visibility and management capabilities.
The P2 license also provides Advanced Security Features like Conditional Access, Identity Protection, and Privileged Identity Management (PIM), ensuring secure access to Abacus.AI. It enables Directory and Application Permissions, allowing seamless management of directory data and role assignments. Furthermore, it includes compliance tools like Access Reviews, which are critical for maintaining governance and periodically validating user access.
Without the P2 license, you will not be able to:
If your team only wants SSO login, then you can stop here. However, if you also want to manage groups for your chatbot, please continue.
Select Organization:
Access Connected Services Dashboard:
Add New Connector:
Connect Microsoft Entra ID:
Verify Connector Status:
Enable Feature:
- On Microsoft, users must be internal members and not guests. The emails should be of the form `@domain.com`, not `ext@domain-on-microsoft.com`.
- When logging into the `https://workspace.abacus.ai/chatllm` application using Microsoft SSO, the user must switch their Microsoft organization to their targeted directory.
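An added example (not part of the original guide or of Abacus.AI's code): a Python check that compares tenant-wide consented scopes against the permissions table above and flags guest accounts, using constructed data shaped like Microsoft Graph `oauth2PermissionGrants` and `users` objects. It assumes `email` is the scope behind the "View users' email address" row; the `contoso.com` tenant, the sample records, and the function names are hypothetical.

```python
# Added example: audit an Entra export before relying on the SSO setup.
# Permission names follow the guide's table; all sample data is constructed.
SSO_REQUIRED = {"email", "offline_access", "openid", "profile",
                "User.Read", "User.ReadBasic.All"}
NOT_NEEDED_FOR_SSO = {"Application.Read.All", "Directory.Read.All"}

def admin_consented_scopes(grants):
    """Scopes granted tenant-wide; per-user grants (consentType 'Principal') are skipped."""
    scopes = set()
    for grant in grants:
        if grant.get("consentType") == "AllPrincipals":
            scopes.update(grant.get("scope", "").split())
    return scopes

def is_guest(user):
    """Guests have userType 'Guest'; their UPNs normally carry the #EXT# marker."""
    return user.get("userType") == "Guest" or "#EXT#" in user.get("userPrincipalName", "")

def audit(grants, users):
    """Return findings: missing SSO scopes, scopes beyond SSO, unlisted scopes, guests."""
    granted = admin_consented_scopes(grants)
    return {
        "missing_for_sso": sorted(SSO_REQUIRED - granted),
        "beyond_sso": sorted(granted & NOT_NEEDED_FOR_SSO),
        "not_in_guide": sorted(granted - SSO_REQUIRED - NOT_NEEDED_FOR_SSO),
        "guests": sorted(u.get("userPrincipalName", "<no UPN>")
                         for u in users if is_guest(u)),
    }

# Constructed sample input: one admin-consented grant and one per-user grant.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals",
     "scope": "openid profile offline_access User.Read Directory.Read.All"},
    {"consentType": "Principal", "principalId": "00000000-0000-0000-0000-000000000001",
     "scope": "email User.ReadBasic.All"},
]
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "userType": "Member"},
    {"userPrincipalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
]

if __name__ == "__main__":
    for key, values in audit(SAMPLE_GRANTS, SAMPLE_USERS).items():
        print(f"{key}: {values}")
```

For an SSO-only deployment, entries under `beyond_sso` are candidates for removal, and anything under `not_in_guide` was granted outside this guide's list and should be reviewed.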