Add Microsoft Azure AD Premium as a single sign-on provider

  • Sso > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Azure AD Premium account
  • User email addresses are the same in both Azure AD Premium and PureCloud
  • Any Microsoft Azure AD Premium version that supports SAML 2.0. There may be some differences in the configuration, depending on the version.

Add PureCloud as an application that organization members can access with the credentials for their Microsoft Azure AD Premium account.

  • PureCloud does not support assertion encryption for single sign-on third-party identity providers. The PureCloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default PureCloud login and enforce authentication using an SSO provider only. For more information, see Configure PureCloud to authenticate with SSO only.

Configure Microsoft Azure AD Premium

Create a custom PureCloud application

  1. Click Azure Active Directory > Enterprise Applications.
  2. Click New Application.
  3. In Add an application, click Non-gallery application.
  4. In the Name field, type “PureCloud”.
  5. Click Single sign-on.
  6. Click SAML.
  7. In Basic SAML Configuration, click Edit and type the appropriate PureCloud SAML login URL in both the Identifier (EntityID) and Reply URL fields. The Identifier (EntityID) can be any value unique to the Azure instance. The Reply URL is based on the AWS region where your PureCloud organization was created.
    AWS Region
    US East (N. Virginia)
    US West (Oregon)
    EU (Ireland)
    EU (Frankfurt)
    Asia Pacific (Sydney)
    Asia Pacific (Tokyo)


  8. In User Attributes & Claims, click Edit and type these attribute names. Note: Both attributes are case-sensitive. Type them as they appear in the table. To add a custom claim, type the custom attribute name in the Source attribute field above the drop-down list. 
    Attribute name      Attribute value
    email               user.userprincipalname
    OrganizationName    Your PureCloud organization short name
  9. In SAML Signing Certificate, click Certificate (Base 64) to download it.
  10. After the download, open the certificate file and do the following:
    1. If the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines exist in the certificate file, delete them.
    2. Save the certificate file.
  11. In the Single sign-on detail view, click View step-by-step instructions.
  12. Note the SAML Single Sign-on Service URL and SAML Entity ID in the instructions. You will use them to configure the Target URI and Issuer URI in PureCloud.
  13. In the Application properties view, click Properties.
  14. Note the Relying Party Identifier Application ID. You will use it to configure the Relying Party Identifier in PureCloud.
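
Step 10 as a script, as an added example that is not part of the original documentation: it removes the BEGIN/END lines, refuses a file that is not a single Base64-encoded DER structure, and prints a SHA-256 fingerprint so the stripped file can be checked against the original download. The function names, the command-line arguments and the sample value are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import re
import sys

# Marker lines that step 10 says to delete (exactly five dashes on each side).
MARKER = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")

# Constructed sample, not a real certificate: a 5-byte DER SEQUENCE, CRLF endings.
SAMPLE = "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"


def strip_pem_markers(text: str) -> str:
    """Return the Base64 body without BEGIN/END lines, one LF per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    body = [ln for ln in lines if not MARKER.match(ln)]
    if len(lines) - len(body) > 2:
        raise ValueError("more than one certificate block in the file")
    stray = [ln for ln in body if ln.startswith("-----")]
    if stray:
        raise ValueError(f"unexpected marker line: {stray[0]!r}")
    return "\n".join(body) + "\n"


def der_fingerprint(body: str) -> str:
    """Decode the stripped body and return the SHA-256 of the DER bytes as hex."""
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from exc
    # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # strip_cert.py <downloaded.cer> <output.cer>
        with open(sys.argv[1], encoding="ascii") as fh:
            stripped = strip_pem_markers(fh.read())
        print("SHA-256:", der_fingerprint(stripped))  # validate before writing
        with open(sys.argv[2], "w", encoding="ascii", newline="\n") as fh:
            fh.write(stripped)
    else:  # no arguments: run on the constructed sample
        print(strip_pem_markers(SAMPLE), der_fingerprint(strip_pem_markers(SAMPLE)))
```

A file that is already stripped passes through unchanged, so the script is safe to run twice on the same certificate.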

Assign users and groups to the PureCloud application

Assign the users and groups that will log in to PureCloud using Azure AD Premium as the identity provider.

  1. In the PureCloud custom application, click Users and groups.
  2. Click Add user.
  3. Click the appropriate users and groups.
  4. Click Assign.

Configure PureCloud

  1. In PureCloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the ADFS/Azure AD (Premium) tab.
  4. Type the identity provider metadata gathered from Azure AD.

    In this field… Do this…

    1. Click Browse.
    2. Select the certificate you saved and click Open.

    Issuer URI Type the SAML Entity ID from the Azure AD PureCloud custom application.
    Target URI Type the SAML Single Sign-on Service URL from the Azure AD PureCloud custom application.
    Relying Party Identifier Type the Relying Party Identifier Application ID from the Azure AD PureCloud custom application.
  5. Click Save.

Test the Azure AD PureCloud custom application

In the Single sign-on detail view in Microsoft Azure AD, click Test this application.