Sign in with Microsoft in Dynatrace SaaS SSO

  • How-to guide
  • 2-min read
  • Published Nov 24, 2023

Using a Microsoft corporate account and the Sign in with Microsoft option can streamline the sign-in process.

To sign in to Dynatrace SaaS SSO using a Microsoft account

  1. Select Sign in with Microsoft without entering a login in the login field.

  2. On first usage, you are presented with a Permission requested message on the Microsoft portal, where you are asked to allow Dynatrace to process your name and email address before proceeding.

    When you select Accept, you are redirected to the Microsoft sign-in screen, where you authenticate with the credentials of your corporate Microsoft account.

Sign in with Microsoft triggers a login process that uses the OpenID Connect protocol, but otherwise works in the same manner as entering your email address in the Dynatrace sign-in form. Signing in with Microsoft can also accelerate authentication with Azure: if your domain is configured to use SAML federation with Dynatrace, that federation is used as part of the login flow.

Limitations

  • Your Dynatrace user has to exist before you can use Sign in with Microsoft.
    • The user can be created either by SAML Just-in-Time provisioning (enter only your email address on the Dynatrace login screen and you are redirected to your IdP) or via SCIM integration.
  • You can't use Sign in with Microsoft to sign in to an account federation or environment federation. Only global federations are supported.
  • You can't use Sign in with Microsoft as an account federated guest.

Domain name and global federation

How the sign-in process works depends on whether the user's email address domain is in global federation.

  • User's email address domain is in global federation: Yes
    Sign-in process: We switch to the SAML flow, which uses JIT provisioning to create your user and create the session.
  • User's email address domain is in global federation: No
    Sign-in process: Depends on whether the user exists in Dynatrace.
      • Yes: The Sign in with Microsoft flow creates a user session and completes the sign-in process.
      • No: The Sign in with Microsoft flow denies the sign-in request. Currently, on-the-fly user creation is not supported in such cases.

Frequently asked questions

Some Azure IdP configurations prevent users from granting the Dynatrace OpenID Enterprise Application consent to read their profile information. For a solution, see the instructions for configuring consent and permissions in the Dynatrace Community.

Currently, only globally scoped federations are supported. The Sign in with Microsoft option won't work as expected for Account federated guests because they log in using account default federation, which has the account scope instead of the global one. However, we are actively working on enabling this feature for tenant and account federations.

You may be running into one of the limitations noted earlier.

When you use the "Sign in with Microsoft" flow, you're essentially initiating an OpenID Connect (OIDC) authentication process. This flow involves creating a trust relationship between your application and Microsoft Entra ID, which results in the automatic registration of an Enterprise Application in your tenant.

To complete the process, the value of the preferred_username claim in the ID token is required. To receive the preferred_username claim in the ID token, your app must request the following scopes during the authentication flow:

  • openid: This is the foundational scope for any OIDC flow. It tells the identity provider (Microsoft Entra ID) that you want an ID token issued.
  • profile: This scope grants access to basic user profile information, such as name, family name, and preferred_username.
  • email: While not strictly required for preferred_username, this scope ensures you get the user's email if it's available, which is often used as the preferred_username value.
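As an added example (not Dynatrace code), the following Python script builds the OIDC authorization request with the three scopes listed above, reads preferred_username from the returned ID token, and applies the global-federation / user-exists decision table from the previous section. The client_id, redirect_uri, the two directory lookups and the unsigned sample token are all constructed placeholders; a real client also validates the token's signature, issuer, audience, expiry and nonce before trusting any claim.

```python
import base64
import json
from urllib.parse import urlencode

# Scopes the page says the app must request so preferred_username appears in the ID token.
REQUIRED_SCOPES = ("openid", "profile", "email")
# Microsoft identity platform v2.0 authorization endpoint (common tenant).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

def build_authorize_url(client_id, redirect_uri, state, nonce):
    """OIDC authorization request; client_id and redirect_uri are hypothetical."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(REQUIRED_SCOPES),
        "state": state,  # ties the callback to this request (CSRF protection)
        "nonce": nonce,  # echoed in the ID token; verify it on return
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def id_token_claims(id_token):
    """Decode a JWT payload. Demo only: a real client validates signature, iss, aud, exp, nonce first."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def decide_sign_in(claims, domain_in_global_federation, user_exists):
    """Apply the page's decision table. The two callables are hypothetical
    directory lookups: domain -> bool and login -> bool."""
    login = claims.get("preferred_username")
    if not login:
        return "DENIED: ID token lacks preferred_username (scopes or consent missing)"
    domain = login.rsplit("@", 1)[-1].lower()
    if domain_in_global_federation(domain):
        return "SAML_JIT"  # switch to SAML flow; JIT provisioning creates the user and session
    if user_exists(login):
        return "OIDC_SESSION"  # existing user: create the session and finish sign-in
    return "DENIED: user does not exist"  # no on-the-fly creation in this case

def make_unsigned_token(claims):
    """Constructed, unsigned token for the demo (never accept alg=none in production)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    print(build_authorize_url("CLIENT-ID-PLACEHOLDER", "https://example.invalid/callback", "s1", "n1"))
    token = make_unsigned_token({"preferred_username": "alice@example.com"})  # constructed
    print(decide_sign_in(id_token_claims(token), lambda d: d == "fed.example", lambda u: u == "alice@example.com"))
```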