Setting Up Azure Entra Single Sign-On (SSO) for Your WeGive Dashboard
Last updated: May 21, 2026
This guide walks Microsoft Entra (formerly Azure AD) administrators through configuring single sign-on for their organization's WeGive dashboard users.
Overview
WeGive uses the modern OpenID Connect (OIDC) / OAuth 2.0 approach to single sign-on. We do not use the older SAML-based SSO approach, so if your IT team is familiar with SAML setups, expect a slightly different (and simpler) configuration flow.
Once SSO is enabled, your dashboard users will authenticate against your Entra tenant instead of using a separate WeGive password.
What WeGive's SSO does and doesn't do
Authentication only. WeGive uses Entra to verify who a user is, not to determine what they can do.
No role mapping from group claims. Roles and permissions continue to be managed inside WeGive. We don't read the groups claim from your tokens.
Partial just-in-time (JIT) provisioning. On first SSO login, WeGive will create a user record from the token — but they won't automatically receive a role on your organization. The recommended flow is to invite the user from WeGive first (with the role you want them to have), then have them sign in via SSO to accept the invite.
Before You Start
You'll need:
An admin account in your Microsoft Entra tenant
The email domain you want to use for SSO (e.g., yourcompany.com)
A WeGive account contact to coordinate with — SSO requires a configuration step on our end
Step 1: Register WeGive as an Application in Entra
In the Entra admin center, register a new application for WeGive with the following settings:
Redirect URI: https://api.wegive.com/api/auth/azure/callback
Response type: id_token
Response mode: form_post
Scopes: openid, profile, email
Step 2: Grant Admin Consent
This step is easy to miss but required — without admin consent, sign-in attempts will fail.
Go to the Microsoft Entra admin center at entra.microsoft.com and sign in.
Select Identity, then Applications, then Enterprise apps.
Search for and select the WeGive application.
Under Manage, select API permissions.
At the top of the API permissions page, click "Grant admin consent for [organization name]".
When prompted, confirm by clicking Grant.
Step 3: Send the Following Information to WeGive
Once your application is registered and admin consent is granted, securely send the following four values to your WeGive contact:
tenant_id
client_id
client_secret
domain (the email domain your users will sign in with, e.g., yourcompany.com)
We'll use these to create the integration record on our side and activate SSO for your organization.
Security note: Please share these values through a secure channel — not in a plain email. Coordinate with your WeGive contact on the best method.
Step 4: Test the Configuration
Once WeGive confirms the configuration is live, test SSO end-to-end with a single user before rolling it out broadly.
To verify SSO is working:
Log out of the WeGive dashboard.
Go to the dashboard sign-in page and enter your email address.
When you tab from the email field to the password field, the Microsoft SSO authentication process should be triggered automatically.
Complete the Microsoft sign-in flow.
You should land back in the WeGive dashboard, signed in.
If the Microsoft flow doesn't trigger when you tab away from the email field, double-check that admin consent has been granted (Step 2) and that the email domain on your account matches the domain value sent to WeGive.
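If the Microsoft flow does trigger but sign-in fails, it can help to compare the sign-in URL in the browser address bar against the Step 1 settings. The following is an added example, not WeGive's code: it assumes the request goes to the standard Microsoft identity platform v2.0 authorize endpoint under your tenant ID, and the function names and the tenant and client IDs are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Settings from Step 1 of this guide.
EXPECTED = {
    "redirect_uri": "https://api.wegive.com/api/auth/azure/callback",
    "response_type": "id_token",
    "response_mode": "form_post",
}
REQUIRED_SCOPES = {"openid", "profile", "email"}

def check_signin_url(url, tenant_id, client_id):
    """Return mismatches between a captured sign-in URL and Step 1 (empty = OK)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https" or parts.hostname != "login.microsoftonline.com":
        problems.append(f"unexpected authority: {parts.scheme}://{parts.hostname}")
    # Assumed path layout: /<tenant_id>/oauth2/v2.0/authorize
    tenant = parts.path.strip("/").split("/")[0]
    if tenant.lower() != tenant_id.lower():
        problems.append(f"tenant in URL is {tenant!r}, expected {tenant_id!r}")
    if query.get("client_id", "").lower() != client_id.lower():
        problems.append("client_id does not match the registered application")
    # Exact string comparison: a trailing slash or http:// counts as a mismatch.
    for name, want in EXPECTED.items():
        if query.get(name) != want:
            problems.append(f"{name} is {query.get(name)!r}, expected {want!r}")
    missing = REQUIRED_SCOPES - set(query.get("scope", "").split())
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    # OpenID Connect requires a nonce when the id_token comes back from this endpoint.
    if "nonce" not in query:
        problems.append("nonce is missing")
    return problems

# Constructed sample values, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"

def sample_url(**overrides):
    """Build a constructed sign-in URL; overrides replace individual parameters."""
    params = dict(EXPECTED, client_id=CLIENT, scope="openid profile email",
                  nonce="constructed-nonce", state="constructed-state")
    params.update(overrides)
    return (f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?"
            + urlencode(params))

if __name__ == "__main__":
    print(check_signin_url(sample_url(), TENANT, CLIENT))
    print(check_signin_url(sample_url(redirect_uri=EXPECTED["redirect_uri"] + "/"), TENANT, CLIENT))
```

An empty list means the captured request matches the registration; any entry names the parameter to raise with your WeGive contact.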
Adding Users After SSO Is Live
Because WeGive uses partial JIT provisioning, here's the recommended order of operations for adding a new dashboard user:
Create the user in Entra (or confirm they already exist in your tenant).
Invite the user from WeGive with the appropriate role.
The user signs in via SSO to accept the invite. The role will already be in place when they land in the dashboard.
If you invite from WeGive without the user existing in Entra, they won't be able to complete sign-in.
Frequently Asked Questions
Does WeGive support SAML SSO? No. WeGive uses OIDC / OAuth 2.0 only.
Can roles be assigned based on Entra group membership? Not today. WeGive does not read the groups claim. Roles are assigned inside WeGive and remain there.
Can users be auto-provisioned with a role on first login? Not fully — a user record is created on first login, but without a role on your organization. Invite the user from WeGive first so the role is assigned the moment they sign in.
What happens during the cutover when SSO is first enabled? The dashboard may be briefly unavailable to your admins while we activate the configuration. We recommend coordinating a window with your team for the activation.