Azure AD Setup
Note: This help topic describes new single sign-on (SSO) setup options for Azure AD. To enhance security and stability, Blackbaud has switched to a new SSO authentication service. Organizations that already use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31.
Microsoft Azure Active Directory (AD) is a multi-tenant, cloud-based identity management system. To set up an SSO connection that uses an Azure AD to enable users to sign in to Blackbaud solutions through an identity provider (IdP), an organization admin (or another user with the necessary admin rights) must claim the organization's email domains, configure the primary domain, test the connection, and then turn on Azure AD.
To prevent inadvertent lockouts, make sure to:
- Complete the setup during a maintenance window for your organization's network.
- Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.
Warning: If the Azure AD/Entra ID email property for a user doesn't match the user's Blackbaud ID email address, then that user can't access Blackbaud solutions. If your organization needs to rely on user principal names (UPNs) for other integrated systems outside of Blackbaud ID, don't use Azure AD for SSO. Instead, use OpenID Connect and manually map the UPN field to return to Blackbaud ID. For more information, see OpenID Connect (OIDC) Setup.
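The warning above (and the matching warning in the test-connection step) describes the failure mode that causes most post-migration lockouts: a Blackbaud ID whose email doesn't equal the Azure AD email property. The following pre-flight reconciliation script is an added example, not Blackbaud's or Microsoft's code. It runs over constructed sample records (the example.org users, the Blackbaud ID list and the claimed-domain list are all made up here); in practice you would feed it an export of your Azure AD users' userPrincipalName and mail values and the list of Blackbaud ID email addresses you have invited. It reports which Blackbaud IDs in a claimed domain have no Azure AD user with a matching email (those users would get a new, empty Blackbaud ID after the redirect), which of them only match a UPN (the OIDC case from the warning), which Azure AD users have no email property at all, and whether at least one Blackbaud ID sits outside the claimed domains, as the lockout-prevention list above requires.

```python
"""Pre-flight check: reconcile Azure AD (Entra ID) user records against Blackbaud ID
email addresses before an SSO connection is turned on.

All data below is constructed for the example. Real input would come from an
Azure AD user export (userPrincipalName + mail) and your Blackbaud ID user list.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class AadUser:
    upn: str              # userPrincipalName
    mail: Optional[str]   # the email property that Blackbaud ID is matched against


@dataclass
class Report:
    matched: List[str] = field(default_factory=list)          # safe to redirect
    at_risk: List[str] = field(default_factory=list)          # would get a new Blackbaud ID
    upn_only: List[str] = field(default_factory=list)         # subset of at_risk: matches a UPN, not mail
    outside_claimed: List[str] = field(default_factory=list)  # never redirected (break-glass candidates)
    missing_mail: List[str] = field(default_factory=list)     # AAD users with no email property


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def reconcile(aad_users: List[AadUser], blackbaud_ids: List[str], claimed_domains: List[str]) -> Report:
    """Classify every Blackbaud ID by what will happen to it once SSO is enabled."""
    claimed = {d.lower() for d in claimed_domains}
    mails = {u.mail.lower() for u in aad_users if u.mail}
    upns = {u.upn.lower() for u in aad_users}
    report = Report()
    report.missing_mail = sorted(u.upn for u in aad_users if not u.mail)

    for bbid in sorted(e.lower() for e in blackbaud_ids):
        if domain_of(bbid) not in claimed:
            # Not a claimed domain: the user keeps signing in with Blackbaud ID directly.
            report.outside_claimed.append(bbid)
        elif bbid in mails:
            # Azure AD returns the same email, so the existing Blackbaud ID is reused.
            report.matched.append(bbid)
        else:
            # Redirected to the IdP, but the IdP returns a different (or no) email:
            # a new Blackbaud ID would be created and the old one's access is lost.
            report.at_risk.append(bbid)
            if bbid in upns:
                report.upn_only.append(bbid)
    return report


def has_break_glass(report: Report) -> bool:
    """True if at least one Blackbaud ID lives outside the claimed domains."""
    return bool(report.outside_claimed)


# Constructed sample data (hypothetical tenant, example.org is the only claimed domain).
SAMPLE_AAD_USERS = [
    AadUser("jdoe@example.org", "jdoe@example.org"),         # email equals UPN: fine
    AadUser("asmith@example.org", "alice.smith@example.org"),  # email differs from UPN
    AadUser("svc-reports@example.org", None),                  # no email property set
    AadUser("bob@example.org", "bob@example.org"),
]
SAMPLE_BLACKBAUD_IDS = [
    "jdoe@example.org",
    "asmith@example.org",                  # created from the UPN, not the email property
    "bob@example.org",
    "carol@example.org",                   # no Azure AD account at all
    "admin@contoso-consulting.example",    # break-glass admin outside the claimed domain
]
SAMPLE_CLAIMED_DOMAINS = ["example.org"]


if __name__ == "__main__":
    r = reconcile(SAMPLE_AAD_USERS, SAMPLE_BLACKBAUD_IDS, SAMPLE_CLAIMED_DOMAINS)
    print("matched:          ", r.matched)
    print("at risk:          ", r.at_risk)
    print("  of which UPN-only:", r.upn_only)
    print("outside claimed:  ", r.outside_claimed)
    print("AAD missing mail: ", r.missing_mail)
    print("break-glass present:", has_break_glass(r))
```

Run it before the test-connection step; every address in `at_risk` needs either its Azure AD email property or its Blackbaud ID corrected first, and an empty `outside_claimed` list means nobody can reach the Authentication settings page if the IdP connection fails.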
Tip: If you are migrating an existing Azure AD SSO connection, we already pulled over any domains you previously claimed from your existing connection. To complete the process, all you have to do is test the SSO connection to verify that your organization can use your IdP to sign in to Blackbaud solutions.
- In Security, select Authentication.
- Under New single sign-on (SSO) on the New single sign-on tab of the Authentication settings page, select Manage SSO settings.
- On the Single sign-on page, select Azure AD.
- Under Test connection, select Learn about testing SSO and then copy the URL under Blackbaud ID redirect to test your connection in a private or incognito browser. At least one user must successfully sign in using test mode before you can enable your SSO connection. For more information, see Test Mode.
Warning: Azure AD admins must verify that the Blackbaud ID email addresses for users match the email addresses on their Azure AD user records. If not, new users will be created and users could potentially lose access.
Note: If a consent screen appears in test mode, then that means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read-access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.
To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your Azure AD SSO screen, select Connect with Azure AD.
With SSO through Azure AD, users who sign in to their Blackbaud ID with one of your claimed domains are redirected to your IdP. After they authenticate through your IdP, their Blackbaud IDs:
- Automatically redirect them to your organization's login for future sign-ins.
  After users sign in through your organization's login, they are redirected to their Blackbaud ID profile unless you edit the redirect to specify a different Blackbaud solution. For more information, see Redirect Settings.
- Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
For detailed guidance on the steps that are necessary when setting up an SSO connection that doesn't inherit previously claimed domains or configuration settings, see the following instructions.
When migrating an existing SSO connection, you don't need to claim your email domains because the new connection inherits the existing settings.
- In Security, select Authentication.
- Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.
  If you are migrating an existing SSO connection, this option appears on the New single sign-on tab. Before you migrate, you can manage your existing connection on the Active single sign-on tab. After you migrate, the tabs no longer appear and you can no longer manage the old connection.
- On the Single sign-on page, select Azure AD.
- Under Claim your email domains, select Claim domains or Edit claimed domains and identify the email domains that your organization uses. This allows you to recognize and redirect users to your IdP when they sign in. For instructions, see Claimed Email Domains.
When migrating an existing SSO connection, you don't need to configure your primary domain because the new connection inherits the existing settings.
- Under Configure your connection on the Authentication settings page, select Get started or Edit connection.
- On the Configure Azure AD application screen, enter your organization's primary Azure AD domain from the Azure AD portal.
  To view your domains in the Azure AD portal, select Azure Active Directory, Custom domain names.
  Warning: If you don't claim your primary domain, then users with that domain in their email addresses can't sign in.
- Select Finish.
When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.
To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Copy the URL under Blackbaud ID redirect and then test your connection in a private or incognito browser. For more information, see Test Mode.
Warning: Azure AD admins must verify that the Blackbaud ID email addresses for users match the email addresses on their Azure AD user records. If not, new users will be created and users could potentially lose access.
Note: If a consent screen appears in test mode, then that means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read-access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.
To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your Azure AD SSO screen, select Connect with Azure AD.
With SSO through Azure AD, users who sign in to their Blackbaud ID with one of your claimed domains are redirected to your IdP. After they authenticate through your IdP, their Blackbaud IDs:
- Automatically redirect them to your organization's login for future sign-ins.
  After users sign in through your organization's login, they are redirected to their Blackbaud ID profile unless you edit the redirect to specify a different Blackbaud solution. For more information, see Redirect Settings.
- Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
After you save your SSO configuration settings and turn off test mode, an Erase all single sign-on settings option appears after the SSO configuration steps. This option allows you to clear your configuration settings and start over. For example, you can select Erase all single sign-on settings if you need to select a different connection method or start over after you troubleshoot an issue. The option is only available after you save your configuration settings in step 2 and turn off test mode in step 3. When you turn on SSO, the option is no longer available, but you can turn off SSO to make it available again. For more information, see Single Sign-on Setup.