Sign in with Microsoft in Dynatrace SaaS SSO

Using a Microsoft corporate account and the Sign in with Microsoft option can streamline the sign-in process.

To sign in to Dynatrace SaaS SSO using a Microsoft account

  1. Select Sign in with Microsoft without entering a login in the login field.

  2. On first usage, you are presented with a Permission requested message on the Microsoft portal, where you are asked to allow Dynatrace to process your name and email address before proceeding.

    When you select Accept, you are redirected to the Microsoft sign-in screen, where you authenticate with the credentials of your corporate Microsoft account.

Sign in with Microsoft triggers a login process that uses the OpenID Connect protocol, but it works in the same manner as entering your email address in the Dynatrace sign-in form. Signing in with Microsoft can also accelerate authentication against Azure: if your domain is configured to use SAML federation with Dynatrace, that federation is used as part of the login flow.

Domain name and federation

Once the user is authenticated in Microsoft, Dynatrace receives their username. Based on the domain of the email address and the environment the user wants to access (see environment discovery algorithm), Dynatrace determines whether to switch to the SAML federation flow or not (see federation discovery algorithm).

  • If a SAML federation is found, the user is redirected to that SAML IdP for authentication.

  • If the federation is Azure, the user is seamlessly signed in without needing to re-enter their credentials.

  • If no eligible SAML federation is found:

    • If the user exists in Dynatrace, the sign-in process is completed and a user session is created.
    • If the user does not exist in Dynatrace, the sign-in request is denied.

FAQ

Why can't users get past the "Permission requested" message?

Some Azure IdP configurations prevent users from granting the Dynatrace OpenID Enterprise Application consent to read their profile information. For a solution, see these instructions for configuring consent and permissions in the Dynatrace Community.

Why did a Dynatrace OIDC application appear on my Enterprise applications after using the "Sign in with Microsoft" flow?

When you use the "Sign in with Microsoft" flow, you're essentially initiating an OpenID Connect (OIDC) authentication process. This flow involves creating a trust relationship between your application and Microsoft Entra ID, which results in the automatic registration of an Enterprise Application in your tenant.

Why are the openid, email, and profile scopes required during the first "Sign in with Microsoft" attempt?

To complete the process, the value of the preferred_username claim in the ID token is required. To receive the preferred_username claim in the ID token, the application must request the following scopes during the authentication flow:

  • openid: This is the foundational scope for any OIDC flow. It tells the identity provider (Microsoft Entra ID) that you want an ID token issued.
  • profile: This scope grants access to basic user profile information, such as name, family name, and preferred_username.
  • email: While not strictly required for preferred_username, this scope ensures you receive the user's email address if it is available; the email address is often what the preferred_username value contains.
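The following is an added illustrative model of the decision logic described in the "Domain name and federation" section and the preferred_username requirement above; it is constructed for this page and is not Dynatrace's code. The federation table, the user directory, the ID-token claims and the helper names (decode_payload, route_sign_in, make_unsigned_token) are all assumptions; environment discovery is left out, and the token's signature is assumed to have been verified against the issuer's JWKS before the claims are read.

```python
"""Constructed model of the Sign in with Microsoft routing decision (not Dynatrace code).

Assumes the ID token signature was already verified against Microsoft Entra ID's
JWKS; only claim handling and the federation/user routing decision are shown.
"""
import base64
import json

# Constructed federation configuration keyed by email domain.
# "saml" = external SAML IdP, "azure" = Azure federation (user already authenticated).
FEDERATIONS = {
    "corp.example": {"type": "saml", "idp": "https://idp.corp.example/sso"},
    "azure.example": {"type": "azure"},
}

# Constructed Dynatrace user directory (lower-cased usernames).
KNOWN_USERS = {"alice@corp.example", "bob@azure.example", "carol@plain.example"}


def decode_payload(id_token: str) -> dict:
    """Return the claims in a JWT's payload segment (signature check assumed done)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def route_sign_in(claims: dict) -> dict:
    """Decide the next step of the sign-in from the ID token claims."""
    username = claims.get("preferred_username")
    if not username or "@" not in username:
        # Typical when the profile scope was not consented to (see the FAQ above).
        return {"action": "error", "reason": "preferred_username claim missing"}
    domain = username.rsplit("@", 1)[1].lower()
    fed = FEDERATIONS.get(domain)
    if fed and fed["type"] == "saml":
        return {"action": "redirect_saml", "idp": fed["idp"]}
    if fed and fed["type"] == "azure":
        return {"action": "session", "user": username}  # no re-entry of credentials
    if username.lower() in KNOWN_USERS:
        return {"action": "session", "user": username}
    return {"action": "deny", "reason": "user not found in Dynatrace"}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, JWT-shaped string for the demo (placeholder signature)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.constructed-signature"
```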