| title | shortTitle | intro | product | versions | topics | redirect_from | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Configuring OIDC for Enterprise Managed Users |
Configure OIDC |
Learn how to automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enabling support for your IdP's Conditional Access Policy (CAP). |
{% data reusables.gated-features.emus %} |
|
|
|
{% data reusables.enterprise-accounts.azure-emu-support-oidc %}
With {% data variables.product.prodname_emus %}, your enterprise uses your identity provider (IdP) to authenticate all members. You can use OpenID Connect (OIDC) to manage authentication for your {% data variables.enterprise.prodname_emu_enterprise %}. Enabling OIDC SSO is a one-click setup process with certificates managed by {% data variables.product.prodname_dotcom %} and your IdP.
{% data reusables.enterprise-accounts.emu-cap-validates %} See AUTOTITLE.
{% data reusables.enterprise-accounts.emu-cap-public-preview %}
You can adjust the lifetime of a session, and how often a {% data variables.enterprise.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. See Configure token lifetime policies in the Microsoft documentation.
To change the lifetime policy property, you will need the object ID associated with your {% data variables.product.prodname_emus %} OIDC. See AUTOTITLE.
[!NOTE] If you need assistance configuring the OIDC session lifetime, contact Microsoft Support.
{% data reusables.enterprise_user_management.SAML-to-OIDC-migration-for-EMU %}
{% data reusables.enterprise-accounts.oidc-gei-warning %}
Support for OIDC is available for customers using Entra ID.
Each Entra ID tenant can support only one OIDC integration with {% data variables.product.prodname_emus %}. If you want to connect Entra ID to more than one enterprise on {% data variables.product.prodname_dotcom %}, use SAML instead. See AUTOTITLE.
OIDC does not support IdP-initiated authentication.
- Sign into {% data variables.product.prodname_dotcom %} as the setup user for your new enterprise with the username @SHORT-CODE_admin. {% data reusables.enterprise-accounts.access-enterprise-emu %} {% data reusables.enterprise-accounts.identity-provider-tab %} {% data reusables.enterprise-accounts.sso-configuration %}
- Under "OIDC single sign-on", select Enable OIDC configuration.
- To continue setup and be redirected to Entra ID, click Save. {% data reusables.enterprise-accounts.emu-azure-admin-consent %} {% data reusables.enterprise-accounts.download-recovery-codes %}
- Click Enable OIDC Authentication.
After you enable OIDC SSO, enable provisioning. See AUTOTITLE.
You can use the role of guest collaborator to grant limited access to vendors and contractors in your enterprise. Unlike enterprise members, guest collaborators only have access to internal repositories within organizations where they are a member.
To use guest collaborators with OIDC authentication, you may need to update your settings in Entra ID. See AUTOTITLE.