
Portals - Log in by SSO authentication

SSO login, Portals, Security, Authentications

Written by Georg Olafsson
Updated this week

If you want to make sure a specific portal is locked and only accessible to employees or certain groups within your company, we recommend using SSO authentication for your portal.

When you enable Azure SSO for your Portal, you can restrict access to only members of a specific Azure Active Directory (Entra ID) security group. This allows you to control exactly who can view and interact with your Portal, even if they have valid Azure credentials in your organization.

When should I use this?

  • You want to limit Portal access to specific departments (e.g., only HR team members)

  • You need to restrict sensitive Portal content to authorized employees only

  • You want centralized access management through Azure AD groups

  • You want to ensure even Azure administrators cannot access the Portal unless explicitly authorized

You may not need a group restriction if:

  • You want all employees in your organization with Azure AD accounts to access the Portal

  • You're using the Portal for company-wide communications or forms

  • You prefer to manage access through other means (e.g., password protection)

Prerequisites

Before you begin, ensure you have:

✅ Azure AD Administrator Access - You need permissions to:

  • Create and manage groups in Azure Active Directory

  • Configure App Registrations

  • Modify token configuration

✅ Journeys permission to manage security settings on the Portal you want to secure with SSO login.

Configure Azure Active Directory

Step 1: Enable Group Claims in Your Azure App

This tells Azure to include group membership information in authentication tokens.

2. Navigate to Azure Active Directory → App registrations

3. Find and click on your Portal's application

4. In the overview, note down the Application (client) ID and the Directory (tenant) ID; you will use these later.

5. In the left menu, click on Token configuration

6. Click on the "Add groups claim" button

In the side-panel that appears:

  • Check "Security groups"

  • Under "Customize token properties by type", check Group ID

  • Click 'Save'

Expected result: You should now see "Security groups" listed under "Groups claim"

Create an Azure AD Security Group

If you want to restrict access to a single group, follow these instructions to create a new group and retrieve its ID, which is needed when configuring the portal in Journeys. This group will contain all users who should have access to your Portal.

1. In Azure Portal (portal.azure.com/#home), navigate to the Groups section

2. Click + New group

3. Configure the group:

  • Group type: Select Security

  • Group name: Enter a descriptive name (e.g., "HR Portal Access")

  • Group description: Optionally add a description

  • Membership type: Select Assigned (recommended)

  • Members: Click "No members selected" and add the users who should have Portal access

4. Click Create

5. After creation, find and click on your new group in the Groups list

6. ⚠️ Important: Copy the Object ID of the group - you'll need this for the next part!

The Object ID is displayed to the right of the Group name (it looks like: 12345678-1234-1234-1234-123456789abc)

Configure the Portal authentication in Azure

After creating the group, return to your Portal's application in Azure, the one you opened in the first phase (Configure Azure Active Directory).

  • Click on "Authentication"

  • Click on "Add a platform"

  • In the side-panel, click on "Single-page application"

Now you should be all set regarding Azure! ⭐

Configure Your Portal in Journeys

If Azure is all good to go, it is time to apply the new access restrictions to the portal.

1. Log in to Journeys

2. Navigate to Settings → Portal → Portals

3. Select the Portal you want to add the SSO login option to

4. Click the Security tab

5. Select the "Azure (SSO) Login" option

6. Fill in your Azure configuration saved from the earlier steps:

  • Azure Tenant ID: Your Azure AD tenant ID

  • Azure Client ID: Your application's client ID

  • ⚠️ Authorized Group ID: Paste the Object ID you copied earlier when creating your group. This is important if you want to restrict access to a single group.

7. Click Save

You are now all configured and ready to go!

Managing Access

How to Grant / Remove Access for users.

1. In Azure Portal, navigate to Azure Active Directory → Groups

2. Find and open your Portal access group

3. Click Members in the left menu

4. Click + Add members

5. Search for and select the user(s) you want to add or remove

6. Click Select

When does the access take effect?

  • Immediately for new logins

  • If you remove a user, it can take up to 24 hours for their access to be removed

Testing Your Configuration

After completing the setup, test to ensure it works as expected:

Test 1: Authorized User Can Access

1. Open your Portal URL in an incognito/private browser window

2. Click "Sign in"

3. Log in with Azure credentials of a user who IS in the authorized group

4. Expected result: ✅ User successfully accesses the Portal

Test 2: Unauthorized User Cannot Access

1. Open your Portal URL in an incognito/private browser window

2. Click "Sign in"

3. Log in with Azure credentials of a user who IS NOT in the authorized group

4. Expected result: ❌ User sees error message:

Security Notes

Who can access the Portal?

Only users who meet ALL of these conditions:

✅ Have an account in your Azure AD tenant

✅ Can authenticate with Azure (their account is active)

✅ Are members of the specified Azure AD group (specific group membership is proclaimed)

Even Azure AD Administrators must be in the group to access the Portal. Administrator status does not bypass this restriction.
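
The three conditions above correspond to claims in the token Azure issues: the tenant (`tid`), the application (`aud`) and the `groups` list of Object IDs. The following is an added example, not Journeys' own code; it assumes the token's signature, issuer and expiry were already verified, uses constructed placeholder IDs, and goes beyond the article by handling the case where Azure omits the `groups` list for users who belong to many groups.

```python
# Added example, not Journeys' implementation. Assumes the token's signature,
# issuer and expiry were already verified by a JWT library.

# Constructed placeholder IDs; the group ID uses the article's sample format.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
AUTHORIZED_GROUP_ID = "12345678-1234-1234-1234-123456789abc"


def _same_id(value, expected):
    """Case-insensitive GUID comparison that rejects non-string values."""
    return isinstance(value, str) and value.strip().lower() == expected.lower()


def check_portal_access(claims, tenant_id=TENANT_ID, client_id=CLIENT_ID,
                        group_id=AUTHORIZED_GROUP_ID):
    """Return (allowed, reason) for a dict of verified token claims."""
    # Condition 1: the account belongs to the configured tenant.
    if not _same_id(claims.get("tid"), tenant_id):
        return False, "wrong_tenant"
    # Condition 2: the token was issued for this Portal's app registration.
    if not _same_id(claims.get("aud"), client_id):
        return False, "wrong_audience"
    # Condition 3: the authorized group's Object ID is in the groups claim.
    groups = claims.get("groups")
    if not isinstance(groups, list):
        # For users in many groups Entra ID drops the list and emits an
        # overage marker instead; membership must then be looked up in
        # Microsoft Graph. Deny here, but report it distinctly.
        names = claims.get("_claim_names")
        overage = claims.get("hasgroups") is True or (
            isinstance(names, dict) and "groups" in names)
        return False, ("group_overage" if overage else "no_groups_claim")
    if any(_same_id(g, group_id) for g in groups):
        return True, "authorized"
    return False, "not_in_group"


# Constructed sample claims: an authorized user, an unauthorized user, overage.
MEMBER = {"tid": TENANT_ID, "aud": CLIENT_ID,
          "groups": [AUTHORIZED_GROUP_ID.upper()]}
NON_MEMBER = {**MEMBER, "groups": ["33333333-3333-3333-3333-333333333333"]}
OVERAGE = {"tid": TENANT_ID, "aud": CLIENT_ID,
           "_claim_names": {"groups": "src1"}}

if __name__ == "__main__":
    for name, c in [("member", MEMBER), ("non-member", NON_MEMBER),
                    ("overage", OVERAGE)]:
        print(name, check_portal_access(c))
```

A `no_groups_claim` result means the token carried no group information at all, for example when the groups claim from Step 1 was never enabled on the app registration.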

Data Privacy & Common questions

What information is shared with Azure?

  • Only authentication requests (user identity verification)

  • The Portal does not send Portal content or visitor data to Azure

What information comes from Azure?

  • User's email address

  • User's group memberships (as Object IDs, not group names)

  • Authentication status

Q: Can I use multiple groups?

A: Not currently. You can only specify one Group Object ID per Portal. If you need to authorize users from multiple departments, create an Azure AD group that includes members from all relevant departments, or add users from different departments to your existing group.

Q: Can I restrict access to guest users / external users?

A: Yes, if you add guest users to your authorized Azure AD group, they will have access. If they're not in the group, they won't.

Q: What happens if I delete the group in Azure?

A: No one will be able to access the Portal (everyone will get "not authorized"). You'll need to create a new group and update the Portal settings with the new Object ID.

Q: Can I see who has accessed my Portal?

A: Portal access logs are available in [Portal Analytics section - link to relevant article]. Azure sign-in logs show authentication attempts in Azure Portal → Sign-in logs.

Q: How often are group memberships checked?

A: Group membership is checked on every login. Once a user is logged in, their session remains valid until expiration (60 days by default).

Q: Can I use this with password protection?

A: No. You can only use one security method at a time per Portal: None, Password Protection, OR Azure SSO with optional group restriction. If you need multiple layers of security, use Azure SSO with a group restriction.

Q: Do I need Azure AD Premium to use this feature?

A: No. This feature works with the free Azure AD tier. Group membership checking is performed by the Portal system, so no premium Azure licensing is required.
