User authentication settings

This feature is available to organizations on the Enterprise plan.

Organization Owners or Administrators can customize the login authentication settings for all users in their organization.

Require Single Sign-On (SSO)

Quick Tip

Once you require SSO, all organization members must sign up or log in with your selected SSO provider. We recommend checking your Users list to make sure that everyone has the right credentials first!

Require all users to join or sign in to your organization with their existing Google, Facebook or Microsoft account.

To require single sign-on for all user accounts:

  1. Click your organization’s name in the top left corner and select Settings.
  2. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  3. Toggle on Require single sign-on for all users in your organization.
  4. Select an SSO provider (Google, Microsoft, or Facebook). You must be logged in with your selected provider before you can enable SSO.
  5. Select Save. If you want to change your SSO provider, you must turn off Require Single Sign-On and then repeat steps 3 and 4.

Microsoft Entra SSO

Microsoft Entra ID (formerly Azure AD) is a cloud-based identity and access management solution. A Microsoft Entra tenant provides identity and access management (IAM) capabilities to applications and resources used by your organization.

You can control who has access to your Cognito Forms organization based on your Microsoft tenant. Once enabled, your users will be automatically signed in to Cognito Forms with their Microsoft Entra accounts.

Managing users

Once you restrict users to your Microsoft tenant, all organization members must sign up or log in with an email address associated with your tenant. If your existing users have the right credentials, this process is seamless and they can continue to log in with their Microsoft accounts as usual. However, if any existing users log in with an email that’s not associated with your tenant, they must update their email information before you enable Entra SSO.

If you enable Entra SSO and a user does not have the right credentials, you can simply turn it off and allow them to log in and update their email address. Please note that enabling Entra SSO does not affect user permissions for new or existing users.

How to enable Microsoft Entra SSO

To integrate Cognito Forms with Microsoft Entra ID:

  1. Follow steps 1-3 in the instructions above.

  2. Select Microsoft as your SSO provider and then select Restrict users to my Microsoft tenant.

  3. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  4. In the Overview section, select + Add > App registration. Enter a name and choose the account type that applies to your organization.

  5. Set the Redirect URI to Web and enter: https://www.cognitoforms.com/svc/auth/oidc

  6. Select Register.

  7. Go to Certificates & secrets and select + New client secret. Enter a name and a secret expiration period that fits your organization’s security policy.

  8. Copy your new client secret value. This value will not be visible again after you leave this page.

  9. Go back to the application overview page and copy the Application (client) ID and Directory (tenant) ID.

  10. In Cognito Forms, enter the Tenant ID, Client ID, and Client Secret values.

  11. Select Enable. You will be prompted to sign in with your credentials before the settings are enabled.
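To review the app registration created in steps 4-8, the following added example (not Cognito Forms or Microsoft code) audits the registration's JSON, as exported with `az ad app show --id <app-id>`, for the redirect URI from step 5 and for client secrets that have expired or are close to expiring. The sample object, its placeholder IDs, the function names and the 30-day warning window are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Redirect URI from step 5 of the procedure above.
EXPECTED_REDIRECT = "https://www.cognitoforms.com/svc/auth/oidc"

# Constructed sample in the shape of a Microsoft Graph application object;
# every value below is a placeholder, not data from a real tenant.
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000001",
    "web": {"redirectUris": ["https://www.cognitoforms.com/svc/auth/oidc",
                             "http://localhost:5000/callback"]},
    "passwordCredentials": [
        {"displayName": "old", "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "current", "endDateTime": "2024-07-01T00:00:00Z"},
    ],
}


def parse_ts(value):
    """Parse a UTC 'Z' timestamp (assumed format); fractional seconds are dropped."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_app(app, now, warn_days=30):
    """Return a list of findings for one app registration."""
    findings = []
    uris = (app.get("web") or {}).get("redirectUris") or []
    if EXPECTED_REDIRECT not in uris:
        findings.append("missing redirect URI " + EXPECTED_REDIRECT)
    for uri in uris:
        if uri != EXPECTED_REDIRECT:
            findings.append("other redirect URI to review: " + uri)
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret configured")
    for cred in secrets:
        end = parse_ts(cred["endDateTime"])
        name = cred.get("displayName") or "(unnamed)"
        if end <= now:
            findings.append("secret '%s' expired %s" % (name, end.date()))
        elif end - now <= timedelta(days=warn_days):
            findings.append("secret '%s' expires soon: %s" % (name, end.date()))
    return findings


if __name__ == "__main__":
    for line in audit_app(SAMPLE_APP, datetime(2024, 6, 15, tzinfo=timezone.utc)):
        print(line)
```

An expired client secret stops the OIDC sign-in from completing, so schedule the rotation (a new secret in Entra, then the new value in Cognito Forms) before the date reported here.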

Require Two-Factor Authentication (2FA)

Quick Tip

Once you require two-factor authentication, all organization members will be prompted to set up 2FA as soon as they log in to your organization. We recommend giving your organization members a heads-up first!

To require two-factor authentication for all user accounts:

  1. Click your organization’s name in the top left and select Settings.
  2. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  3. Toggle on Require two-factor authentication for all users in your organization.

Once enabled, any users who have not already set up 2FA for their account will be prompted to do so the next time they log in to your organization. In the Users section, you can view which users currently have 2FA enabled on their account.