          Configure a Microsoft® Access Control Service Authentication Provider

          You can use Microsoft Access Control Service as an authentication provider using the OAuth protocol. Typically, a Microsoft Office 365 service like SharePoint® Online handles authorization. SSO authentication from a Microsoft authentication provider isn’t supported.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Manage Auth. Providers

          To configure a Microsoft Access Control Service authentication provider, complete these steps.

          • Define a Microsoft Access Control Service authentication provider in Salesforce.
          • Register your app with Microsoft, making Salesforce the application domain.
          • Edit your Microsoft Access Control Service authentication provider details in Salesforce to use the consumer key and consumer secret generated when you registered your app with Microsoft.
          • Test the connection.

          Define a Microsoft Access Control Service Authentication Provider in Salesforce

          Before you can register an app in SharePoint Online or the Microsoft Seller Dashboard, you need the callback URL that redirects the authorized user to Salesforce.

          1. From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers | New.
          2. For the provider type, select Microsoft Access Control Service.
          3. Enter a name for the provider.
          4. Enter the URL suffix, which is used in the client configuration URLs. For example, if the URL suffix of your provider is MyMicrosoftACSProvider, your SSO URL is similar to https://<mydomain_url or site_url>/services/auth/sso/MyMicrosoftACSProvider.
          5. For Consumer Key, enter a placeholder value. You can edit this value after your app is registered with Microsoft.
          6. For Consumer Secret, enter a placeholder value. You can edit this value after your app is registered with Microsoft.
          7. For Authorize Endpoint URL, enter your provider's authorization endpoint. For example, SharePoint Online uses this form: https://<sharepoint online host name>/_layouts/15/OAuthAuthorize.aspx
          8. For Token Endpoint URL, enter the URL in this form: https://accounts.accesscontrol.windows.net/<tenant>/tokens/OAuth/2?resource=<sender ID>/<sharepoint online host name>@<tenant>
            • <tenant> is the Office 365 tenant name ending with .onmicrosoft.com or the corresponding tenant globally unique identifier (GUID).
            • <sender ID> is the identifier for the sender of the token. For example, SharePoint uses 00000003-0000-0ff1-ce00-000000000000.
          9. Optionally, set these fields:
            • For Default Scopes, enter the scopes to send along with the request to the authorization endpoint. For more information about scopes for SharePoint Online, see http://msdn.microsoft.com/en-us/library/jj687470.aspx#Scope. For more information about using scopes with Salesforce, see Customize Relying Party Data Requests.
            • If you enter a consumer key and consumer secret, the consumer secret is included in SOAP API responses by default. To hide the secret in SOAP API responses, deselect Include Consumer Secret in SOAP API Responses. Starting in November 2022, the secret is always replaced in Metadata API responses with a placeholder value. On deployment, replace the placeholder with your consumer secret as plain text, or modify the value later through the UI.
            • For Custom Error URL, enter the URL for the provider to use to report any errors.
            • For Custom Logout URL, enter a URL to provide a specific destination for users after they log out, if they authenticated using the SSO flow. Use this field to direct users to a branded logout page or destination other than the default Salesforce logout page. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com.

              Configure single logout (SLO) to automatically log out a user from Salesforce and the identity provider. As the relying party, Salesforce supports OpenID Connect SLO when the user logs out from the identity provider or Salesforce.

            • To use a portal with your provider, select the portal from the Portal dropdown list. If you have a portal set up, this option can redirect the login request to the portal login page. Otherwise, leave as None.
            • For Icon URL, add a path to an icon to display as a button on the login page for a site. This icon applies to an Experience Cloud site only. It doesn’t appear on your Salesforce login page or My Domain login URL. Users click the button to log in with the associated authentication provider for the site.

              Specify a path to your own image, or copy the URL for one of our sample icons into the field.

          10. To use the Salesforce multi-factor authentication (MFA) functionality instead of your identity provider’s MFA service, select Use Salesforce MFA for this SSO provider. This setting triggers MFA only for users who have MFA applied to them directly. For more information, see Use Salesforce MFA for SSO.
          11. Save your work.

          Note the generated Auth. Provider ID value. You can use it with the Auth.AuthToken Apex class.
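          A pre-flight check for the Token Endpoint URL from step 8, added here as an example; it is not Salesforce's code. It builds the URL from a tenant, SharePoint host and sender ID, and flags a hand-typed URL whose two <tenant> occurrences disagree or whose parts do not fit the documented form. The contoso tenant and host names are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sender ID is the SharePoint value quoted in step 8; tenants and hosts used
# with these functions are constructed samples, not a real tenant.
SHAREPOINT_SENDER_ID = "00000003-0000-0ff1-ce00-000000000000"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ACS_HOST = "accounts.accesscontrol.windows.net"


def valid_tenant(tenant: str) -> bool:
    """Tenant is the name ending in .onmicrosoft.com or the tenant GUID."""
    return tenant.lower().endswith(".onmicrosoft.com") or bool(GUID_RE.match(tenant))


def token_endpoint_url(tenant: str, sp_host: str,
                       sender_id: str = SHAREPOINT_SENDER_ID) -> str:
    """Build the Token Endpoint URL in the form given in step 8."""
    if not valid_tenant(tenant):
        raise ValueError(f"bad tenant: {tenant!r}")
    if not GUID_RE.match(sender_id):
        raise ValueError(f"sender ID must be a GUID: {sender_id!r}")
    if not sp_host or any(c in sp_host for c in "/@?#"):
        raise ValueError(f"SharePoint host must be a bare host name: {sp_host!r}")
    return (f"https://{ACS_HOST}/{tenant}/tokens/OAuth/2"
            f"?resource={sender_id}/{sp_host}@{tenant}")


def token_endpoint_problems(url: str) -> list:
    """Check a hand-typed Token Endpoint URL; empty list means it matches step 8."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != ACS_HOST:
        problems.append("URL must start with https://" + ACS_HOST)
    m = re.fullmatch(r"/([^/]+)/tokens/OAuth/2", parts.path)
    path_tenant = m.group(1) if m else None
    if path_tenant is None or not valid_tenant(path_tenant):
        problems.append("path must be /<tenant>/tokens/OAuth/2 with a valid tenant")
    resource = parse_qs(parts.query).get("resource", [""])[0]
    rm = re.fullmatch(r"([^/]+)/([^@/]+)@(.+)", resource)
    if rm is None:
        problems.append("resource must be <sender ID>/<host>@<tenant>")
    else:
        sender, _host, res_tenant = rm.groups()
        if not GUID_RE.match(sender):
            problems.append("sender ID in resource is not a GUID")
        if path_tenant is not None and res_tenant != path_tenant:
            problems.append("tenant in resource does not match tenant in path")
    return problems
```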

          Several client configuration URLs are generated after defining the authentication provider.

          • Test-Only Initialization URL—Admins use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to the third party, and is redirected to Salesforce with a map of attributes.
          • OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token. This flow doesn’t provide for future SSO functionality.
          • Callback URL—Use this URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider has to redirect to the callback URL with information for each client configuration URL.

          Client configuration URLs support additional request parameters that enable you to direct users to log in to specific sites, obtain customized permissions from the third party, or go to a specific location after authenticating.

          Register Your App with Microsoft

          Before you can configure an app for Salesforce, you must get an app identity using one of the options provided by Microsoft. For details about registering a remote app for SharePoint, see Guidelines for registering apps for SharePoint 2013.

          1. Register your app using one of the options provided by Microsoft.
          2. Modify the app settings, and set the redirect URI to the authentication provider’s callback URL.
          3. Note the client ID and client secret.
          4. Save your work.

          Edit Your Microsoft Access Control Service Authentication Provider Details

          After registering your app with Microsoft, go back to your Microsoft Access Control Service authentication provider details. Update the consumer key and consumer secret with the values provided by Microsoft.

          1. From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers.
          2. Next to the name of your Microsoft Access Control Service authentication provider, click Edit.
          3. For Consumer Key, enter the Microsoft client ID.
          4. For Consumer Secret, enter the Microsoft client secret.

          Test the Connection

          In a browser, open the Test-Only Initialization URL on the Auth. Provider Setup page. It redirects you to Microsoft and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.

          Salesforce Help | Article