Entra ID (Azure AD)

Last Updated: May 15, 2026

An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) supports only badge and PIN authentication.

Key Points

Review the following key points:

  • The default values in the Entra ID 2. Attributes & Claims section should not be adjusted. Changing these will cause issues with user authentication.
  • If you use Azure Government, including Government Community Cloud (GCC) High, you cannot use the PrinterLogic Entra ID gallery application. Instead, configure a custom enterprise application. For more details, refer to How to set up Entra(Azure) as a Custom App.

Configure Connection

To add and configure enterprise app properties for the Vasion Print connection, do the following:

  1. Create the Entra ID (Azure AD) App.
  2. Add the IdP Settings Template.
  3. Configure Single Sign-On (SSO).
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add Vasion Print Admins.

1. Create the Entra ID (Azure AD) App

  1. In your preferred browser, go to the Microsoft Entra admin center at https://entra.microsoft.com/#home, and log in.
  2. From the left-side navigation, expand Entra ID, and select the Enterprise apps option.

    Microsoft Entra admin center showing expanded Entra ID side navigation and "Enterprise apps" option.

  3. Select + New application.

    Microsoft Entra admin center showing "Enterprise applications" tab and "+ New application" button.

  4. Search for PrinterLogic, and select the app from the results.
  5. Give your app a unique name, and select Create.

2. Add the IdP Settings Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

  1. Open your Vasion Print Admin Console in a new browser tab, and log in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the IdP that you want to configure from the IdP Template dropdown menu.
  5. Select SAML2 in the Authentication Protocol section.
  6. In the Provisioning section, if you are using Systems for Cross-domain Identity Management (SCIM), leave the JIT option deselected.

    By default, the Admin Console assumes that you are using SCIM for provisioning. Only select JIT if you are not using SCIM.

  7. In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
  8. Scroll down, and select the desired settings:
    • Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
    • You can select both checkboxes when you are using a single IdP, or when admins and end users use the same IdP to log in.

Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.

IdP Settings showing multiple fields and Service Provider Information section.

3. Configure Single Sign-On (SSO)

  1. Go to the Entra ID (Azure AD) app you created.
  2. On the Overview tab, select Get started in the 2. Set up single sign on section.
  3. In the Select a single sign-on method section, select SAML.
  4. In the Set up Single Sign-On with SAML section, select Edit in the 1 Basic SAML Configuration section.
  5. On the Basic SAML Configuration page, complete the following steps:
    1. Select Add identifier in the Identifier (Entity ID) section. Then copy the Vasion Admin Console Identifier (Entity ID) URL, and paste it in the Entra ID (Azure AD) Identifier (Entity ID) field.
    2. Select Add reply URL in the Reply URL (Assertion Consumer Service URL) section. Then copy the Admin Console Reply Url (ACS) URL, and paste it in the Entra ID (Azure AD) Reply URL (Assertion Consumer Service URL) field.
    3. Copy the Admin Console Relay State URL, and paste it in the Entra ID (Azure AD) Relay State (Optional) field.
  6. Select Save at the top, and then select the Close button.
  7. Scroll down to 4. Set up <App Name>, and copy the Login URL.
  8. In the Vasion Admin Console, paste the Login URL in the SSO URL field.
  9. Press Tab on the Admin Console to autopopulate the Issuer URL and Issuer ID fields.
  10. Do the following if the fields do not autopopulate:
    1. On the Single sign-on tab in the Entra ID (Azure AD) app, scroll down to the 4. Set Up <App Name> section.
    2. Copy the Microsoft Entra Identifier, and paste it in the Admin Console Issuer URL field.
    3. In the Issuer URL field, cut the alphanumeric portion after the slash (/), and paste it in the Admin Console Issuer ID field.
      1. Issuer URL example: https://abc1234.my.idaptive.app/.
      2. Issuer ID example: a1b2cd34-fb1f-4f71-9248-8675309d/.

Microsoft Entra admin center showing Basic SAML Configuration page and service provider information values pasted in related fields.

The default values in the Entra ID 2. Attributes & Claims section should not be adjusted. Changing these will cause issues with user authentication.

4. Add the X-509 Certificate

  1. Return to the Entra ID (Azure AD) app, scroll to the 3 SAML Signing Certificate section, and select the Download link for Certificate (Base64).
  2. Open the file in your preferred text editor.
  3. Copy the certificate body, including the Begin / End headers, and paste it in the X-509 Certificate field in the Vasion Print Admin Console.

    Security Assertion Markup Language (SAML) certificate in Notepad showing body of content selected, including beginning and ending certificate lines.

  4. Select Apply in the Admin Console.
  5. Select Save in the upper-right corner of the General settings.

The Admin Group Name field stays blank.

IdP Settings showing X-509 Certificate and other fields configured.
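The certificate pasted in this step becomes the trust anchor for every SAML assertion the Admin Console accepts, so check the file before pasting it. The following is an added example, not part of the Vasion or Microsoft documentation: it confirms the text is a single Base64 certificate block with its Begin / End headers and computes the SHA-1 thumbprint to compare with the Thumbprint value Entra lists in the same SAML Signing Certificate section. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def inspect_signing_cert(pem_text):
    """Return (sha1_thumbprint_or_None, problems) for text bound for the X-509 Certificate field."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return None, ["no BEGIN/END block: headers missing, or not the Certificate (Base64) file"]
    problems = []
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} PEM blocks found, expected exactly one")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        problems.append(f"PEM label is {label!r}, expected 'CERTIFICATE'")
    try:
        # Drop line breaks (LF or CRLF) before strict Base64 decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, problems + ["body is not valid Base64"]
    if der[:1] != b"\x30":
        problems.append("decoded body does not start with an ASN.1 SEQUENCE")
    return hashlib.sha1(der).hexdigest().upper(), problems


def matches_portal_thumbprint(pem_text, portal_thumbprint):
    """True only if the file is clean and its thumbprint equals the portal value."""
    thumbprint, problems = inspect_signing_cert(pem_text)
    expected = re.sub(r"[^0-9A-Fa-f]", "", portal_thumbprint).upper()
    return not problems and thumbprint is not None and thumbprint == expected


# Constructed placeholder bytes, not a real certificate; CRLF endings mimic a Notepad save.
SAMPLE_DER = b"\x30\x82\x00\x3c" + bytes(range(60))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
    + "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(inspect_signing_cert(SAMPLE_PEM))
```

The check covers structure and thumbprint only; it does not parse the certificate's validity dates or subject.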

5. Complete IdP Settings

  1. In the General settings of the Vasion Print Admin Console, navigate to the Identity Provider Settings section.
  2. To have Vasion Print prompt users to authenticate through the IdP when performing any function that requires authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If you do not select this option, users must manually navigate to the IdP login screen to log in.

  3. We recommend enabling the Use Loopback with Saml 2.0 (recommended) option. The IdP needs to provide an authentication token to the desktop Client whenever authentication happens. This option allows the Client to handle the token and automatically log in without interaction from end users.

    General settings showing Identity Provider Settings section with IdP option and other options selected.

  4. The Use Domain User (Windows only) option automatically authorizes domain-joined Windows users and does not require them to log in through the configured IdPs.
  5. Select Save in the upper-right corner of the General settings.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using Systems for Cross-domain Identity Management (SCIM) or Just-in-Time (JIT) provisioning. Choose the appropriate option below to view the corresponding steps.

SCIM Provisioning

Enable SCIM Provisioning

  1. In the Entra ID (Azure AD) portal, select the Enterprise apps option from the left-side menu.

    Entra ID (Azure AD) portal showing expanded Entra ID menu and "Enterprise apps" option.

  2. Search for and select your app.
  3. In the Entra ID (Azure AD) app, select Provisioning from the Manage menu on the left.
  4. Do one of the following steps:
    • Select the + New configuration at the top.
    • On the Get started tab, select Connect your application in the Create configuration section.

      Entra ID (Azure AD) app showing "Get started" tab.

  5. In the Vasion Print Admin Console, select IdP and then select Modify.
  6. Copy the SCIM Tenant URL from the Service Provider Information section, and paste it in the Entra ID (Azure AD) Tenant URL field.

  7. Close the Admin Console IdP Settings modal.

Entra ID (Azure AD) app showing "New provisioning configuration" modal and Tenant URL field.

Generate & Apply a SCIM Token

  1. In the Vasion Print General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration from the dropdown menu.
  3. Select Generate SCIM Token.

    Identity Provider Settings section showing SCIM option with IdP selected from dropdown menu and Generate SCIM Token button to right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Copy the token, close the modal, and select Save in the upper-right corner of the General settings.
  5. In the New provisioning configuration screen in the Entra ID (Azure AD) app, paste the SCIM token in the Secret Token field.
  6. Select Test Connection.
  7. Select Create in the lower-left corner.
  8. Select Provisioning from the left-side menu.
  9. Turn Provisioning Status to On, and then select Save.

    Entra ID (Azure AD) app showing Provisioning tab and Provisioning Status is On.

After you make changes, the initial provisioning can take up to 45 minutes to run automatically. Select the Start Provisioning option on the Entra ID (Azure AD) Provisioning tab to start the process sooner.

Add Users & Groups

  1. Navigate to the Overview (Preview) screen in the Entra ID (Azure AD) app.
  2. From the left-side menu, select Manage and then Users and groups.
  3. Select + Add user/group.
  4. In the Users and groups section of the Add Assignments screen, select None Selected.
  5. Add the users and groups that you want to provision.
  6. For users or groups accessing the Admin Console, in the Select a role section, select the None Selected and the PrinterLogic Administrator options. Assign the Users role for end users.
  7. Select the Select button.
  8. Select Assign.

Entra ID (Azure AD) app showing Add Assignment screen and "Users and groups" section.

Nested groups, which are subgroups within another group, are not supported and do not provision over. You need to adjust any nested groups that you want to provision.
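Because nested groups are skipped silently, it helps to list which users an assignment would miss before relying on group-based roles or printer deployments. The following is an added example, not part of the Vasion or Microsoft documentation: it walks a constructed export of direct group members, shaped like Microsoft Graph group-member objects with `@odata.type` and `id`, and reports nested groups and users reachable only through them. It assumes that only direct user members of an assigned group are provisioned, as the note above describes; the group and user IDs are hypothetical.

```python
USER = "#microsoft.graph.user"
GROUP = "#microsoft.graph.group"

# Constructed sample: direct members of each group, keyed by group ID.
MEMBERS = {
    "grp-print-users": [
        {"@odata.type": USER, "id": "u-alice"},
        {"@odata.type": GROUP, "id": "grp-floor2"},
    ],
    "grp-floor2": [
        {"@odata.type": USER, "id": "u-bob"},
        {"@odata.type": GROUP, "id": "grp-contractors"},
    ],
    "grp-contractors": [
        {"@odata.type": USER, "id": "u-carol"},
        {"@odata.type": USER, "id": "u-alice"},
        {"@odata.type": GROUP, "id": "grp-floor2"},  # membership cycle
    ],
}


def nesting_report(assigned, members_by_group):
    """Report nested groups under the assigned groups and the users they hide."""
    assigned = set(assigned)
    direct = {
        m["id"]
        for gid in assigned
        for m in members_by_group.get(gid, [])
        if m.get("@odata.type") == USER
    }
    reachable, nested = set(), set()
    seen, stack = set(assigned), list(assigned)
    while stack:  # iterative walk; 'seen' stops membership cycles
        for m in members_by_group.get(stack.pop(), []):
            kind = m.get("@odata.type")
            if kind == USER:
                reachable.add(m["id"])
            elif kind == GROUP:
                nested.add(m["id"])
                if m["id"] not in seen:
                    seen.add(m["id"])
                    stack.append(m["id"])
    return {
        "nested_groups": sorted(nested - assigned),
        "missed_users": sorted(reachable - direct),
    }


if __name__ == "__main__":
    print(nesting_report(["grp-print-users"], MEMBERS))
```

Each group listed under `nested_groups` has to be assigned to the app directly, or its members moved into an assigned group, for the users under `missed_users` to be provisioned.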

JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.

When using JIT provisioning, the app creates users during the first login attempt:

  1. Access your Vasion instance, and select Sign In With <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt fails and returns you to the login screen.

    This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.

  4. The second login attempt with valid credentials initiates a typical login sequence.

For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools then Users.

7. Add Vasion Print Admins

For steps on assigning users and roles to the Vasion Print and Vasion Automate Admin Console, refer to Admin Console Users.