This article explains how to set up single sign-on (SSO) in Personio with Microsoft Entra ID. Follow the steps to complete the setup.
Understand SSO and OAuth
SSO allows you to connect Personio to an identity provider such as Microsoft Entra ID or Okta. Personio supports the OAuth 2.0 protocol, an open standard for access delegation. Once set up, users authenticate through the identity provider instead of with their Personio credentials. If you enable OAuth, employees with a Personio profile can log in to their account without an invitation email.
Note:
Setting up SSO with Microsoft Entra ID doesn't automatically sync Personio application users with Microsoft Entra ID. To do this, you need to set up the integration with Microsoft Entra ID separately. Learn more about our integration with Microsoft Entra ID.
1. Register and create a new application in Microsoft Entra ID
- Optional: open Personio and Microsoft Entra ID in separate tabs to simplify setup.
- In the Microsoft Entra ID admin center, go to Microsoft Entra ID > App registrations.
- To register a new application such as Personio, click New registration.
- In the Name field, enter a name for the application, for example, "Personio SSO".
- Under Supported account types, select the account type that can use the application or access the API. For security reasons, we recommend selecting Accounts in this organizational directory only (single-tenant). With the other options, it could be possible for users of other tenants to log in to Personio accounts.
- In Personio, go to Settings. In the Integrations section, click Authentication. Then, click OAuth 2.0.
- Under Provider settings, copy the text next to Callback URI.
- Return to Microsoft Entra ID. Paste the Callback URI that you copied from Personio into the field under Redirect URI.
- You also need to enter the following address into the field under Redirect URI:
- Ensure you select Web from the drop-down menu as the redirect type.
- Register the application.
A confirmation message appears, and the system redirects you to the new application.
Tip:
To use SSO in the Personio mobile app, add this callback URI to the redirect URIs in Entra ID: https://auth.personio.de/providers/oauth/callback
2. Copy URIs to Personio
After creating the Personio application, you need to copy the Authorization URI and the Token URI from Microsoft Entra ID to Personio. You also need to add the Userinfo URI to Personio.
Note:
Microsoft sets the Userinfo URI: https://graph.microsoft.com/oidc/userinfo. It is not specific to your Microsoft Entra ID domain. The base address https://graph.microsoft.com on its own is not sufficient.
- In the new application you have created in Microsoft Entra ID, go to Overview > Endpoints and click Endpoints.
- Copy the value in the OAuth 2.0 authorization endpoint (v2) field.
- In Personio, go to Settings. In the Integrations section, click Authentication. Then, click OAuth 2.0.
- Under Configuration, click Edit.
- Paste the value that you copied earlier from the OAuth 2.0 authorization endpoint (v2) field into the Authorization URI field.
- Return to Overview > Endpoints in Microsoft Entra ID. Copy the value in the OAuth 2.0 token endpoint (v2) field.
- Return to Personio. Paste the value into the Token URI field.
- Under Userinfo URI, select GET from the drop-down menu. Paste the Userinfo endpoint "https://graph.microsoft.com/oidc/userinfo" into the field. The system selects the Skip reading entities from ID token checkbox by default. This means that, at login, the system reads user information, including the email address, from the Userinfo URI rather than from the ID token returned by the Token URI. Clear the checkbox if you want to read user information from the Token URI at login instead of from the Userinfo URI. This makes it possible to use OAuth with Active Directory Federation Services (ADFS).
- Under Scopes, enter "openid, email".
Configure issuer and JWKs URI fields
- The issuer is the issuer identifier of the authorization server in the authorization response. In this field, enter the value of the issuer field from the .well-known/openid-configuration endpoint of your SSO provider.
- The JSON Web Key Sets (JWKs) URI is the discovery URI to a set of public keys. These keys verify any JSON Web Token (JWT) issued by the authorization server. In this field, enter the value of the jwks_uri field from the .well-known/openid-configuration endpoint of your SSO provider.
You can find the issuer and jwks_uri fields in the discovery document endpoint of your SSO provider. You can usually access this through one of these URL patterns:
- https://example-provider.com/.well-known/openid-configuration
- https://example-provider.com/oauth2/token/.well-known/openid-configuration
- https://example-provider.com/oauth2/authorize/.well-known/openid-configuration
- https://example-provider.com/v2.0/.well-known/openid-configuration
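The following Python script is an added example, not part of this article or of Personio's own code. It shows how the values for the Authorization URI, Token URI, Userinfo URI, Issuer and JWKs URI fields all come from one discovery document, and it performs the two checks a practitioner should make before pasting them: that the document's issuer equals the issuer it was fetched from (an OpenID Connect Discovery requirement, and the value Personio will compare against the token's iss claim) and that every endpoint is served over HTTPS. The discovery document is a constructed sample modelled on the shape of an Entra ID v2.0 response; the tenant ID in it is a placeholder, and the function name personio_oauth_fields is this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the shape of a Microsoft Entra ID v2.0
# discovery document. The tenant ID is a placeholder, not a real tenant.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_ISSUER = f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/v2.0"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

WELL_KNOWN_PATH = "/.well-known/openid-configuration"
REQUIRED_SCOPES = ("openid", "email")  # the scopes the article tells you to enter
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "userinfo_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Discovery URL as OpenID Connect Discovery defines it: the issuer
    identifier without a trailing slash, plus /.well-known/openid-configuration."""
    return issuer.rstrip("/") + WELL_KNOWN_PATH


def personio_oauth_fields(expected_issuer: str, discovery_json: str) -> dict:
    """Map a discovery document onto the fields of Personio's OAuth 2.0 form.

    The keys are the field labels used in the article; the mapping itself is
    this example's own, not Personio's code. Raises ValueError when a required
    field is missing, when the document's issuer differs from the issuer it was
    fetched from, when an endpoint is not HTTPS, or when the provider does not
    advertise the scopes the form needs.
    """
    doc = json.loads(discovery_json)
    missing = [key for key in REQUIRED_FIELDS if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required fields: {missing}")

    # A mismatch here means ID tokens would be validated against the wrong
    # 'iss' value, or the document was fetched from the wrong place.
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")

    for key in REQUIRED_FIELDS:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must use https: {doc[key]!r}")

    supported = doc.get("scopes_supported")
    if supported is not None:
        unsupported = [scope for scope in REQUIRED_SCOPES if scope not in supported]
        if unsupported:
            raise ValueError(f"provider does not advertise scopes: {unsupported}")

    return {
        "Authorization URI": doc["authorization_endpoint"],
        "Token URI": doc["token_endpoint"],
        "Userinfo URI": doc["userinfo_endpoint"],
        "Issuer": doc["issuer"],
        "JWKs URI": doc["jwks_uri"],
        "Scopes": ", ".join(REQUIRED_SCOPES),
    }


if __name__ == "__main__":
    # In a real setup you would fetch discovery_url(SAMPLE_ISSUER) over HTTPS;
    # here the constructed document stands in for that response.
    print("discovery document:", discovery_url(SAMPLE_ISSUER))
    for label, value in personio_oauth_fields(SAMPLE_ISSUER, SAMPLE_DISCOVERY_JSON).items():
        print(f"{label}: {value}")
```

For a single-tenant registration (step 1), the issuer you pass as expected_issuer should contain your own tenant ID; if the document you fetched was for a different tenant or for a multi-tenant endpoint, the issuer check above is what catches it.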
3. Register a new client secret
- In the application you have created in Microsoft Entra ID, go to Manage > Certificates & secrets.
- Select Client secrets. The Add a client secret drawer appears.
- In the Description field, enter a name for the client secret. Then, choose the relevant expiry date from the Expires drop-down menu.
- Click Add.
- A page shows an overview of the application credentials. Copy the value listed under the Value column. Microsoft Entra ID displays the secret value only at this point; if you leave the page without copying it, you need to create a new client secret.
- In Personio, go to Settings. In the Integrations section, click Authentication. Then, click OAuth 2.0.
- Under Configuration, click Edit.
- Paste the value that you copied earlier into the Client secret field.
- Return to Microsoft Entra ID > Overview. Copy the Application (client) ID value.
- Return to Personio. Paste the value into the Client ID field.
4. Select the claim
Under Claim field, select the field in Microsoft Entra ID with the email addresses of your employees. To validate that an employee exists in Personio, we check if the value in this field corresponds to the email address used in Personio. Depending on your setup in Microsoft Entra ID, you can choose between "email", "unique_name", "sub", and "upn".
Tip:
If you select Use default, we check the fields "email", "unique_name", and "sub" in sequential order until we find one that contains a value. If the email addresses of your employees are in the User Principal Name (UPN) field in Microsoft Entra ID, select "upn" here.
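The following Python script is an added example, not part of this article or of Personio's own code. It implements the claim-selection rule from step 4 and the tip above (Use default walks "email", "unique_name", "sub" in that order; any other selection reads exactly that claim), together with the Userinfo-versus-ID-token choice from step 2, and runs them over constructed claim sets. The sample is built so that the ID token carries the address only in upn, which shows why a login can fail to match a Personio profile under Use default and succeed once "upn" is selected. The claim sets, names and addresses are made up, the function names are this example's own, and case-insensitive comparison of addresses is an assumption of the example; the article says only that the value must correspond to the Personio email.

```python
from typing import Dict, Iterable, Optional, Tuple

# Claims the article lists as selectable, and the order "Use default" walks.
SUPPORTED_CLAIM_FIELDS = ("email", "unique_name", "sub", "upn")
DEFAULT_CLAIM_ORDER = ("email", "unique_name", "sub")

# Constructed sample claim sets for one login. Names and addresses are made up.
# The ID token carries the address only in 'upn' and has no 'email' claim,
# the situation the tip describes; the Userinfo response does carry 'email'.
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAOpaqueSubjectId",
    "upn": "anna.muster@example.com",
    "name": "Anna Muster",
}
SAMPLE_USERINFO_CLAIMS = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAOpaqueSubjectId",
    "email": "Anna.Muster@example.com",
}
SAMPLE_PERSONIO_EMAILS = ["anna.muster@example.com", "ben.beispiel@example.com"]


def claims_used_at_login(id_token_claims: Dict[str, str],
                         userinfo_claims: Dict[str, str],
                         skip_reading_entities_from_id_token: bool = True) -> Dict[str, str]:
    """Pick the claim source the way the checkbox in step 2 describes: selected
    (the default) means read from the Userinfo URI, cleared means read from the
    ID token returned by the Token URI."""
    return userinfo_claims if skip_reading_entities_from_id_token else id_token_claims


def select_claim_value(claims: Dict[str, str],
                       claim_field: str = "default") -> Optional[Tuple[str, str]]:
    """Return (claim name, value) per the 'Select the claim' rule: 'default'
    tries email, unique_name, sub in order and stops at the first claim that
    contains a value; any other selection reads exactly that claim."""
    if claim_field == "default":
        candidates = DEFAULT_CLAIM_ORDER
    elif claim_field in SUPPORTED_CLAIM_FIELDS:
        candidates = (claim_field,)
    else:
        raise ValueError(f"unsupported claim field: {claim_field!r}")
    for name in candidates:
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return name, value.strip()
    return None


def match_personio_user(claims: Dict[str, str], claim_field: str,
                        personio_emails: Iterable[str]) -> Optional[str]:
    """Return the Personio email the selected claim corresponds to, or None.
    Assumption of this example: addresses are compared case-insensitively."""
    selected = select_claim_value(claims, claim_field)
    if selected is None:
        return None
    _, value = selected
    wanted = value.casefold()
    for email in personio_emails:
        if email.casefold() == wanted:
            return email
    return None


if __name__ == "__main__":
    # Checkbox cleared: claims come from the ID token. Use default lands on the
    # opaque 'sub', which matches no Personio email; selecting 'upn' does match.
    from_token = claims_used_at_login(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_USERINFO_CLAIMS,
                                      skip_reading_entities_from_id_token=False)
    print("ID token, Use default:", select_claim_value(from_token, "default"),
          "->", match_personio_user(from_token, "default", SAMPLE_PERSONIO_EMAILS))
    print("ID token, upn:", select_claim_value(from_token, "upn"),
          "->", match_personio_user(from_token, "upn", SAMPLE_PERSONIO_EMAILS))
    # Checkbox selected (default): claims come from the Userinfo URI.
    from_userinfo = claims_used_at_login(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_USERINFO_CLAIMS)
    print("Userinfo, Use default:", select_claim_value(from_userinfo, "default"),
          "->", match_personio_user(from_userinfo, "default", SAMPLE_PERSONIO_EMAILS))
```

The point of the walk-through is the failure mode in step 5: when a test login fails with no match, compare the claim that the selected setting actually resolves to (here, sub under Use default) against the email stored in Personio before changing anything else.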
5. Review and test
- Review the data you've entered in Personio.
- Submit your changes.
- To test the OAuth connection, click Perform a configuration test.
- You need to sign in to Microsoft Entra ID. If there are errors, a message appears to help with troubleshooting.
To use SSO, employees need to have user profiles in both Microsoft Entra ID and Personio. The email address entered in Microsoft Entra ID in the field you have selected under Claim field must match the email address used in Personio.
Optional: enforce SSO with Microsoft Entra ID
After setting up SSO with Microsoft Entra ID, login through OAuth is optional. Your employees can choose to log in to Personio using their Personio credentials or through OAuth. To make it mandatory for all employees to log in through OAuth, click Enforce OAuth.