Tip:
This article only covers how to set up Microsoft Entra ID SSO using our native connection. However, you can still configure Microsoft Entra ID using OpenID Connect (OIDC) if it suits your needs. To do so, follow these instructions instead.
This article explains how to set up Microsoft Entra ID as your single sign-on (SSO) in Personio. Personio connects to Microsoft Entra ID using a native Microsoft connection, and no configuration via OpenID Connect (OIDC) is required.
With this authentication method:
- Your employees can log in to Personio using their Microsoft Entra ID accounts.
- You can choose a tenant model to suit your organization’s authentication needs.
- You can specify through the Microsoft Entra ID configuration exactly which tenants can authenticate through your application.
We recommend you work with your IT team to set up this type of authentication method.
Before you start
- To set up SSO with Microsoft Entra ID, you need the following permissions:
- An Administrator role in Personio, or
- An employee role with edit permissions for Account configuration > Authentication.
- Make sure you’ve already invited your employees to Personio. They each need to activate their account before they can log in.
Decide which tenant setup applies to your organization
Note:
The settings described in this section only apply to Microsoft Entra ID for login. Other Microsoft integrations in the Marketplace don’t support multi-tenant configurations.
Tenant validation controls who can log in to Personio using Microsoft Entra SSO. You can choose the tenant model that fits how your organization uses Microsoft Entra ID.
Review the scenarios in the table below before you start the configuration.
| Tenant model | When it applies | Configuration in Personio |
| Single tenant | All your employees authenticate from one single Microsoft Entra tenant. It doesn’t allow guest users. | Keep the multi-tenant toggle disabled |
| Single tenant and B2B guests | You have one primary Microsoft Entra tenant. You also have some employees who are guest users from another tenant, for example, acquired companies, contractors, etc. | Keep the multi-tenant toggle disabled |
| Multi-tenant | Your organization uses multiple separate Microsoft Entra tenants. For example, you might have multiple legal entities following a merger. | Enable the multi-tenant toggle |
Your employees can only authenticate if their email address matches an employee record in your Personio account. Learn more about login behaviors to expect after configuration.
Register a new application in Microsoft Entra ID
If you haven’t already done so, you need to register a new application in Microsoft Entra ID:
- Log in to the Microsoft Entra admin center.
- Go to Entra ID > App registrations.
- Click New registration.
- Enter a name for the application, for example, "Personio SSO".
- Under Supported account types, select the option that matches your scenario.
- If you select multiple Entra ID tenants:
- For security reasons, we recommend you follow the steps to manage allowed tenants. With this setting, you can add each tenant individually. This allows you to specify which tenants can authenticate through your application.
- If you use a sandbox version of Personio, don’t set up the same Microsoft Entra application in both your sandbox and main accounts. This can result in identities being mixed up. (A sandbox is a separate Personio account that you might use to test specific configurations, integrations, etc.)
- If you select multiple Entra ID tenants:
- Under Redirect URI (optional), select Web as the redirect type and add the value: https://login.personio.com/login/callback
- Register the application.
Once you’ve registered the application, grant API permissions as described below.
Grant API permissions
Remaining in the application you just registered, click API permissions in the left sidebar. The page displays a table with a list of configured permissions. Under Microsoft Graph, make sure the following permissions are in place:
| Field | Permissions needed |
| openid | Required: allows basic Microsoft sign-in |
| profile | Required: reads the user’s profile claim |
| Required: matches the user's email to a Personio employee | |
| offline_access | Required: enables token refresh |
| user.read | Required: reads the signed-in user’s profile |
Copy the client secret and application ID
Remaining in the application you just registered, do the following:
- Click Certificates & secrets in the left sidebar.
- Click New client secret.
- Note down the value (the secret) and the expiry date. You need these for the configuration in Personio.
- Click Overview in the left sidebar.
- Copy the application (client) ID. You need this for the configuration in Personio.
For multi-tenant scenarios, make sure the supported account type in your application registration is set to Accounts in any organizational directory.
Configure Microsoft Entra ID in Personio
To configure Microsoft Entra ID in Personio, follow these steps:
- In Personio, go to Settings.
- In the Security & integrations section, click Security & authentication.
- From the list of login methods, go to Microsoft Entra ID and click Configure.
Fill in the fields as described below.
Provider settings
| Field | Details |
| Callback URLs / Redirect URIs |
Personio pre-fills this field with https://login.personio.com/login/callback. This value is read-only. If you haven’t already done so, copy this value to your Microsoft application registration. You need to paste the value in the Redirect URI field. |
| Email claim |
The system uses a token claim to identify the user's email address. Personio automatically sets it to UPN (User Principal Name), which is correct for most organizations. Change this only if your Entra tenant sends the email in a different claim, for example, email. Note: If you have multiple tenants using different claims, the connection may not work correctly. This is a known limitation. |
Configuration
| Field | Details |
| Multi-tenant (toggle) |
Enable this setting if your organization uses multiple separate Entra tenants. When enabled, users from more than one tenant can authenticate. If you enable this, we strongly recommend following the security recommendation section below to restrict which tenants are allowed. |
| Client ID | The application (client) ID from your Microsoft application registration. |
| Client secret | The client secret value you generated in Microsoft under Certificates & secrets. We recommend you store it securely, as it won’t display once you leave the page. |
| Secret expiry date |
Enter the expiration date of your client secret. Personio sends reminder emails to your Account Owners 30, 14, 7, and 1 day before the date you enter. When you update your secret and expiry date, the reminders stop. We recommend you update this field every time you rotate your secret to keep reminders accurate. If your client secret expires, Personio emails your Account Owner steps to regain access to Personio. |
| Active Directory domain |
Enter your primary Active Directory domain, for example: “yourorganization.onmicrosoft.com”. Learn how to find the Microsoft Entra tenant ID and primary domain name. After configuration, your employees enter their email address on the Personio login page. If their domain matches the Active Directory domain, they're redirected to the Microsoft login flow. |
Login experience (optional)
| Field | Details |
| Button display field |
Enter the text you want to appear on the login button, for example, “Continue with [your text]”. Note that custom text isn’t translated. If you leave this field empty, the login button displays "Continue with SSO" by default. |
| Home Realm Discovery |
Enter a comma-separated domain list. After configuration, your employees enter their email address on the Personio login page. If their email domain matches any domain in the list, they’re redirected to the Microsoft login flow. Use this option if you want to enforce Microsoft login for a certain set of email domains. You can also use it if your Active Directory domain and employee email domain are different. Example: If your employees use @yourorganization.com emails, but the Active Directory domain is yourorganization.onmicrosoft.com, enter yourorganization.com here. |
Once you’ve filled in the fields above, click Submit to save your configuration. You can now enable the connection.
Test the connection
Tip:
Changes to the configuration settings may take up to 30 seconds to take effect. Allow a short delay before running a test.
Before testing the connection, it’s important that you log in as an admin. Your account needs to exist in both Personio and your Entra directory.
In Personio, go to your Microsoft Entra ID configuration settings, enable the connection using the toggle, and click Test. During the test, Personio opens a Microsoft login page in a new tab. Here, you need to enter some correct login credentials. It then returns you to the same page with a success or failure result. This checks if the connection is working.
If the test fails, check the following:
- The client ID and secret are correct.
- The redirect URI in your Microsoft application registration matches the one in Personio.
Understand login behavior after configuration
Once you enable Microsoft Entra ID SSO, the Personio login page always shows an email address input field. This is the case even when Microsoft Entra ID is the only login method.
You can expect the following behaviors after an employee enters their email address:
| Login configuration | Behavior to expect |
| Microsoft Entra ID only |
An employee enters their email address. They don’t need to enter a password.
|
| Microsoft Entra ID and Personio Credentials |
An employee enters their email address.
|