What adding Microsoft SSO involves
Adding Microsoft Single Sign-On (SSO) means registering an application in Microsoft Entra ID (formerly Azure AD), setting a redirect URI, running the OpenID Connect flow, and choosing a tenant scope: a single organization, any work or school account, or personal accounts too. The Bridge turns that into a toggle plus a client ID and secret.
Microsoft sign-in runs on Entra ID using OpenID Connect (OIDC), the same standards-based flow as other modern providers. Your app redirects to Microsoft, the user signs in with the work account they already use, and Microsoft returns a signed ID token your server verifies.
The decision that makes Microsoft different is tenant scope. You choose whether to accept one specific organization, any Microsoft work or school account, or personal accounts as well. That choice shapes who can sign in and how you validate the token's issuer.
For how this fits with sessions and roles, see the SaaS authentication guide. With The Bridge, Microsoft SSO is a toggle on the hosted login box: register the app in Entra ID, paste the client ID and secret, pick the tenant scope, and the rest is handled.
