
Integrating Microsoft Entra with Identity Hub

UniFi Identity Hub allows you to centrally manage users by integrating with Microsoft Entra (formerly Azure AD) as your Identity Provider (IdP). This enables seamless SAML-based SSO access to services like VPN, WiFi, and Door Access through the Identity Endpoint App.

If you have not done so yet, start by Creating an Identity Hub for Your Organization.

Requirements

Core Requirements

Additional Features

  • Sync user groups from Entra into Identity Hub
    • Requires a Microsoft Entra ID P1 or P2 license
  • Send email-based invitations to onboard users to Identity Endpoint
    • Requires an Exchange Online plan, included in most Microsoft 365 licenses (e.g., Business Standard, E3, E5)

Create an Application for UniFi Identity Hub

  1. Sign in to the Microsoft Entra admin center with the role of at least a Cloud Application Administrator.
  2. Go to Azure services and click Enterprise applications.
  3. Click New application.
  4. Click Create your own application, enter the app name, select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
  5. Go to "2. Set up single sign on" and click Get Started.
  6. Click SAML.
  7. Go to Basic SAML Configuration and click Edit.
  8. Paste the identifier and reply URL copied from your Identity Hub.
    1. Go to Identifier (Entity ID), click Add identifier, and paste the identifier copied from Identity Hub.
    2. Go to Reply URL (Assertion Consumer Service URL), click Add reply URL, and paste the reply URL copied from Identity Hub.
  9. Click Save and then close the Basic SAML Configuration window.
  10. Go to SAML Certificates and download the Federation Metadata XML.
  11. Go back to your Identity Hub and upload the Federation Metadata XML file obtained from Microsoft Entra. Click Next.
  12. Return to the Enterprise Application you created in Microsoft Azure, and then:
    1. Click Provisioning (within the Manage category).
    2. Click New Configuration.
    3. Paste the Tenant URL obtained from Identity Hub.
    4. Paste the Secret Token obtained from Identity Hub.
    5. Click Test Connection.
  13. Once the connection is successful, go back to Identity Hub and click Next.

Assigning Users & Groups to SAML App

  1. Follow Microsoft’s help article to create and assign users to the Enterprise application.
  2. Once users are created and assigned to the application, navigate to the Enterprise Application you created in Microsoft Azure, and then:
    1. Click Provisioning (within the Manage category) > Overview.
    2. Click Start provisioning.

Note: Provisioning may take some time to complete. To expedite the process, we recommend referring to Microsoft's article on using the Provision on Demand feature. This allows you to manually trigger the synchronization of specific users and groups to Identity Hub, ensuring they are pushed immediately without waiting for the scheduled provisioning cycle.

  3. When users and groups are assigned, navigate back to Identity Enterprise and continue the steps here.

Next Step

Proceed with Step 6 in Creating an Identity Hub For Your Organization.
