SSO is available on the Penbox Enterprise plan only. If you would like to enable it, contact your Penbox representative.

Overview

Single Sign-On lets your users connect to Penbox with their existing company identity. Once enabled, your team signs in through your identity provider, and you keep control of access from your own side. Select your identity provider below and follow the setup steps. More methods are coming soon.
Microsoft Entra ID (formerly Azure AD) lets your users sign in to Penbox with their company Microsoft account. An administrator of your Microsoft tenant creates an application registration and shares the resulting credentials with Penbox.
You need a Global Administrator of your Microsoft Entra tenant to complete these steps.

Step 1: Register the application in Microsoft Entra

1. Create the app registration
In the Microsoft Entra admin center, go to App registrations then New registration. Name it Penbox SSO (or a name of your choice).

2. Set the account type
Under supported account types, select Accounts in this organizational directory only (Single tenant).

3. Set the Redirect URI
Choose type Web and enter this value exactly, with no trailing slash:
https://penbox.eu.auth0.com/login/callback
This value must match exactly. A mismatch is the most common cause of sign-in failure (Microsoft error AADSTS50011).

4. Register and note the IDs
Click Register. From the Overview screen, note the Application (client) ID and the Directory (tenant) ID.

5. Create a client secret
Go to Certificates and secrets then New client secret. Copy the secret Value immediately (not the Secret ID, they are different) and note its expiry date.

6. Grant API permissions
Go to API permissions, add the Microsoft Graph delegated permissions openid, profile, and email, then click Grant admin consent.

Step 2: Share the credentials with Penbox

Send the following four items to Penbox through the secure link Penbox provided to you. Do not send these by email or chat.
  • Application (client) ID
  • Client secret (the Value)
  • Tenant primary domain (for example yourcompany.onmicrosoft.com or your verified domain)
  • Directory (tenant) ID
Always use the secure link Penbox shared with you to transmit the client secret. Never share it over email, Slack, or any other channel.
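
An added example, not part of Penbox's documentation or tooling: a local pre-flight check an administrator could run on the four items before using the secure link, catching the mistakes this page warns about (redirect URI mismatch, Secret ID copied instead of the Value, a secret close to expiry). The function name, the 30-day warning window and the sample values are assumptions, and treating a GUID-shaped secret as the Secret ID is a heuristic.

```python
import re
from datetime import date

# Redirect URI given in Step 1 of this page; it must match character for character.
EXPECTED_REDIRECT_URI = "https://penbox.eu.auth0.com/login/callback"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DOMAIN = re.compile(r"([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}")


def preflight(redirect_uri, client_id, tenant_id, secret, domain, expires, today, warn_days=30):
    """Hypothetical helper: list problems found (empty = none). Never echoes the secret."""
    problems = []
    if redirect_uri != EXPECTED_REDIRECT_URI:
        if redirect_uri.strip().rstrip("/") == EXPECTED_REDIRECT_URI:
            problems.append("redirect URI has a trailing slash or whitespace (AADSTS50011 risk)")
        else:
            problems.append("redirect URI differs from the value in Step 1 (AADSTS50011 risk)")
    for label, value in (("Application (client) ID", client_id), ("Directory (tenant) ID", tenant_id)):
        if not GUID.fullmatch(value):
            problems.append(f"{label} is not a GUID")
    if client_id.lower() == tenant_id.lower():
        problems.append("client ID and tenant ID are identical; one was copied twice")
    if GUID.fullmatch(secret.strip()):
        # Assumption: the Secret ID column is a GUID, the secret Value is not.
        problems.append("client secret looks like the Secret ID, not the Value")
    elif not secret or secret != secret.strip():
        problems.append("client secret is empty or has surrounding whitespace")
    if not DOMAIN.fullmatch(domain):
        problems.append("tenant primary domain is not a bare domain name")
    days_left = (expires - today).days
    if days_left <= 0:
        problems.append("client secret has already expired")
    elif days_left <= warn_days:
        problems.append(f"client secret expires in {days_left} days; plan renewal now")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = dict(
        redirect_uri="https://penbox.eu.auth0.com/login/callback/",
        client_id="11111111-2222-3333-4444-555555555555",
        tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        secret="99999999-8888-7777-6666-555555555555",
        domain="yourcompany.onmicrosoft.com", expires=date(2025, 6, 11), today=date(2025, 6, 1),
    )
    for problem in preflight(**sample):
        print("FIX:", problem)
```

Run it on the machine where the values were copied and pass the secret as an argument or prompt input rather than saving it in the file.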

After setup

Once Penbox receives and configures your credentials, your users will sign in to Penbox with their Microsoft account. Standard logins are disabled for your workspace, so Microsoft becomes the only way in.
The client secret has an expiry date. Let Penbox know that date so renewal can be planned ahead of time and sign-in is never interrupted.