Connect CarePilot to Your Azure Active Directory

This guide explains how to set up single sign-on (SSO) between your organization’s Microsoft Azure Active Directory (Entra ID) and CarePilot.

Written by Tanner Helton
Updated this week

1. Info you need from CarePilot

  • App name to use in Azure AD: CarePilot

  • Redirect URI (callback URL) to configure in your Azure AD app, typically:
    https://auth.carepilot.com/login/callback

  • List of required claims/scopes, usually:

    • openid

    • profile

    • email


2. What we need from you

Once you’ve created the app registration in Azure AD, we need:

  1. Directory (tenant) ID

  2. Application (client) ID

  3. Client secret value (a new secret created for CarePilot)

  4. Primary email domains for users who should sign in with SSO

    • Example: yourhealthsystem.org, clinicname.com

  5. Identity API Type

    • Microsoft Identity Platform (V2)

Please send these values through a secure channel. Your CarePilot technical contact will provide a secure method to transfer this information.


3. High-level architecture

  • Your staff authenticate with your Azure AD.

  • Azure AD trusts your new “CarePilot” app registration.

  • CarePilot’s identity layer is configured with an Azure AD enterprise connection using your tenant’s details.

  • CarePilot acts as the single token issuer; we never see your users’ passwords.


4. Step-by-step: Configure Azure AD (Entra ID)

These steps are performed by your Azure AD / Entra admin.

Step 4.1 – Register the CarePilot application

  1. In the Azure portal / Entra admin center, go to:
    Azure Active Directory → App registrations → New registration.

  2. Configure:

    • Name: e.g., CarePilot

    • Supported account types:
      Usually: Accounts in this organizational directory only (Single tenant).

    • Redirect URI (Web):
      Use the redirect URI provided by CarePilot.

  3. Click Register.

Step 4.2 – Collect the IDs

After the app is created:

  1. Under Overview, copy:

    • Application (client) ID

    • Directory (tenant) ID

  2. Save these; you’ll send them to CarePilot.

Step 4.3 – Create a client secret

  1. Go to Certificates & secrets → New client secret.

  2. Add a description (e.g., CarePilot SSO), choose an expiration policy, and click Add.

  3. Copy the secret value immediately and store it securely.

    • You will not be able to see it again later.

  4. Share this Client secret value with CarePilot via a secure channel.

Step 4.4 – Configure authentication settings

  1. In the app, go to Authentication:

    • Confirm the Redirect URI matches what CarePilot provided.

    • Ensure ID tokens (and optionally “Access tokens”) are enabled for the web application.

  2. If your policies require it, you can also configure:

    • Front-channel logout URL (CarePilot can provide one).

    • Any restrictions by platform or app type.

Step 4.5 – Configure API permissions (usually defaults are enough)

For basic SSO, the default OpenID Connect permissions are typically sufficient:

  • openid

  • profile

  • email (sometimes included via user.read / Microsoft Graph)

If you plan to use groups, roles, or extended attributes, your admin may need to:

  • Add Microsoft Graph permissions and grant admin consent, or

  • Configure optional claims and token configuration (for roles / groups).
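The values collected above (tenant ID, client ID, the openid / profile / email scopes and the enrolled email domains) are exactly what the relying party uses to accept or reject each ID token. The following Python is an added example written for this guide, not CarePilot's own code. It assumes the token's signature has already been verified against the tenant's published signing keys (omitted here because that requires a network call), and every tenant ID, client ID and e-mail address in it is a constructed placeholder.

```python
"""Added example (not CarePilot's code): relying-party checks on a
Microsoft Identity Platform (v2) ID token, using the values an Azure AD
admin hands over for the CarePilot app registration.

Assumption: the RS256 signature was already verified against the tenant's
signing keys before these claim checks run.
"""
import base64
import json
import time

# Constructed placeholder values; real ones come from the app registration.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"
ALLOWED_DOMAINS = {"yourhealthsystem.org", "clinicname.com"}


def expected_issuer(tenant_id: str) -> str:
    """Issuer the v2 endpoint places in the 'iss' claim for a given tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for this demo only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Return the claims part of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sample_claims(**overrides) -> dict:
    """Constructed claims for a token issued one minute ago (demo input)."""
    now = int(time.time())
    claims = {
        "iss": expected_issuer(TENANT_ID),
        "tid": TENANT_ID,
        "aud": CLIENT_ID,
        "sub": "sample-subject-id",
        "oid": "22222222-2222-2222-2222-22222222cccc",
        "email": "nurse@yourhealthsystem.org",
        "iat": now - 60,
        "nbf": now - 60,
        "exp": now + 3600,
    }
    claims.update(overrides)
    return claims


def validate_claims(claims: dict, tenant_id: str = TENANT_ID,
                    client_id: str = CLIENT_ID,
                    allowed_domains=ALLOWED_DOMAINS, now=None) -> list:
    """Return a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []

    # Issuer and tenant: the token must come from *this* tenant's v2 endpoint,
    # otherwise any Azure AD tenant could mint tokens accepted here.
    if claims.get("iss") != expected_issuer(tenant_id):
        problems.append("issuer mismatch")
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch")

    # Audience: the ID token must be issued for the CarePilot app registration.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("audience mismatch")

    # Lifetime, with a five-minute tolerance for clock skew on 'nbf'.
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now + 300:
        problems.append("token not yet valid")

    # Claims the openid / email scopes are expected to supply.
    for name in ("sub", "oid", "email"):
        if not claims.get(name):
            problems.append(f"missing claim: {name}")

    # Only users from the domains enrolled for SSO may sign in this way.
    domain = str(claims.get("email", "")).rpartition("@")[2].lower()
    if domain not in allowed_domains:
        problems.append("email domain not enabled for SSO")

    return problems


if __name__ == "__main__":
    token = make_sample_token(sample_claims())
    print("valid token  ->", validate_claims(decode_payload(token)) or "OK")
    print("other tenant ->", validate_claims(sample_claims(tid="other-tenant")))
```

The tenant check (`iss` and `tid` against the Directory ID) is the one most easily forgotten when a multi-tenant endpoint is used; with "Accounts in this organizational directory only" selected in step 4.1, Azure AD also enforces it on its side, and the relying-party check keeps that guarantee even if the registration is later changed.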


8. Summary: Who does what

You (Azure AD / IT team):

  • Register the CarePilot app in Azure AD.

  • Configure Redirect URI, ID tokens, and permissions.

  • Generate and securely share Tenant ID, Client ID, Client Secret, and domains.

  • (Optional) Configure groups/roles and token claims.

CarePilot:

  • Configure and maintain the Azure AD enterprise connection.

  • Map Azure AD identities to CarePilot accounts and roles.

  • Provide URLs and support for testing and go-live.

  • Maintain the integration according to your security and compliance requirements.