Set up single sign-on (SSO) using Entra ID

1. In Security, select Authentication.

2. Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.

3. On the Single sign-on page, select Microsoft Entra ID.

4. Under Claim your email domains, select Claim domains or Edit claimed domains and identify the email domains that your organization uses. This allows you to recognize and redirect users to your IdP when they sign in through your claimed email domains.

1. Under Configure your connection on the Authentication settings page, select Get started or Edit connection.

2. In a different browser tab, sign in to your Entra ID portal.

3. Return to Blackbaud's Configure Microsoft Entra ID application screen and enter your organization's primary Entra ID domain from the Entra ID portal.

   To view your domains in the Entra ID portal, select Microsoft Entra ID, Custom domain names.

   Warning: If you don't claim your primary domain, then users with that domain in their email addresses can't sign in.

4. Under Where do you map email addresses in your Entra ID domain?, specify where you store user email addresses. In most cases, keep the default Email selection. Only change this if you confirm that your Entra ID setup maps email addresses to the User Principal Name.

5. Select Save.

When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.

To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Then copy the URL under Blackbaud ID redirect and test your connection in a private or incognito browser window.

Warning: Entra ID admins must verify that the Blackbaud ID email addresses for users match the email addresses on their Entra ID user records. If not, new users will be created and users could potentially lose access.

Note: If a consent screen appears in test mode, that means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read-access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.

When you turn off test mode, an Erase all single sign-on settings option appears under Configure your connection so that you can clear your configuration settings and start over. For example, you can select the option if you decide to use a different connection method or if you need to troubleshoot an issue and start over. The option is no longer available when you turn on SSO, but you can turn off SSO to make it available again.

To complete the connection to your IdP, select Turn on SSO under Turn on on the Authentication settings page. Then on the Connect your Microsoft Entra ID SSO screen, select Connect with Microsoft Entra ID.

After you turn on SSO, users are redirected to your IdP when they sign in to their Blackbaud IDs with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:

• Automatically redirect them to your organization's login for future sign-ins.

  After users sign in through your organization's login, they are redirected to their Blackbaud profiles unless you edit the redirect URL to specify a Blackbaud solution.

  Tip: Don't forget that if your users use an app in your IdP's portal to connect to Blackbaud solutions, you must configure that app to use the redirect URL for your live connection.

• Use your IdP for password updates, lockouts, and other authentication management.

Note: After you enable SSO, resend any pending invitations.