Skip to content

Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources. You can use Azure AD to control access to your apps and your app resources, based on your business requirements.


Upon setup, you will be asked to provide a sign-on URL and an Assertion Consumer Service (ACS) URL.

Requirement Details
Sign-On URL https://<SUBDOMAIN>

For the subdomain, use the coordinating subdomain listed in your Braze instance URL. For example, if your instance is US-01, your URL is This means that your subdomain will be dashboard-01.
Assertion Consumer Service (ACS) URL https://<SUBDOMAIN>
For some identity providers, this can also be referred to as the Reply URL, Audience URL, or Audience URI.
Entity ID braze_dashboard
RelayState API key To enable identity provider login, go to Settings > API Keys and create an API key with sso.saml.login permissions.

Service Provider (SP) initiated login within Azure AD

  1. Go to the Azure Portal and click Azure Active Directory in the left navigation panel.
  2. Go to Enterprise Applications, then select All applications.

    Azure portal selecting all enterprise applications.
  1. Add a new application by clicking + New application in the top of the dialog.
  2. Search for Braze in the search box, select it from the result panel, then click Add.

Step 2: Configure Azure AD single sign-on

  1. In your Azure Portal, go to the Braze Application Integration page and select Single sign-on.
  2. Select SAML/WS-Fed as your method from the Select a single sign-on method dialog to open the Set up Single Sign-On with SAML page.

    Azure portal select a single sign-on method dialog.
  1. Click the edit icon to open the Basic SAML Configuration dialog.

    Azure portal editing basic SAML configuration.
  1. Configure the application in IdP-initiated mode by entering a URL that combines your Braze instance with the following pattern: https://<SUBDOMAIN>

    Azure portal editing basic SAML configuration.
  1. Configure RelayState by inputting your RelayState generated API key in the RelayState box.

  1. If you want to configure the application in SP-initiated mode, click Set additional URLs and enter a URL that combines your Braze instance with the following pattern: https://<SUBDOMAIN>

    Azure portal setting additional sign on URLs.
  1. Format SAML assertions in the specific format expected by Braze. Refer to the following tabs on user attributes and user claims to understand how these attributes and values must be formatted.

You can manage the values of these attributes from the User Attributes section on the Application Integration page.

Use the following attribute pairings:

  • givenname = user.givenname
  • surname= user.surname
  • emailaddress = user.mail
  • name = user.userprincipalname
  • email = user.userprincipalname
  • first_name = user.givenname
  • last_name = user.surname
  • Unique User Identifier = user.userprincipalname

On the Set up Single Sign-On with SAML page, click Edit to open the User Attributes dialog. Then, edit the claims according to the proper format.

User Attributes dialog in Azure.

Use the following claim name pairings:

  • claims/givenname = user.givenname
  • claims/surname = user.surname
  • claims/emailaddress = user.userprincipalname
  • claims/name = user.userprincipalname
  • claims/nameidentifier = user.userprincipalname

You can manage these user claims and values from the Manage user claims dialog:

Manage claim dialog in Azure

  1. Go to the Set up Single Sign-On with SAML page, then scroll to the SAML Signing Certificate section and download the appropriate Certificate (Base64) based on your requirements.

    Azure download SAML signing certificate.
  1. Go to the Set up Braze section and copy the appropriate URLs for use in the Braze configuration.

    Azure URLs for configuration.

Step 3: Configure Azure AD within Braze

Once you have set up Braze within your Azure AD, they will provide a target URL (login URL) and x.509 certificate which you will input into your Braze account.

After your account manager has enabled SAML SSO for your account, do the following:

  1. Go to Settings > Admin Settings > Security Settings and toggle the SAML SSO section to ON.
  1. On the same page, add the following:
Requirement Details
SAML Name This will appear as the button text on the login screen. This is typically your identity provider’s name, like “Azure AD.”
Target URL This is the login URL provided by Azure AD.
Certificate The x.509 PEM encoded certificate is provided by your identity provider.

Opening Security Settings and adding SAML SSO details.

New Stuff!