Azure AD SSO WebAdmin / API permissions


What API permissions do I need for the Azure AD app?

I have reduced it down to the following permissions, which seems to work:

Would that be fine?

What I noticed so far:

- on every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL

- after logging out and logging in again, the identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd; I would expect the Azure AD login page to appear again. This happens sporadically, also. Might be a browser or cookie issue; they should be deleted upon logout. I do not have the same issue with other applications set up on the Azure AD identity provider.

Apart from that, looks good so far.

Kind regards,


  • Hi Cougz,

    OAuth2 (SSO) is not supported for the Captive Portal. It is in our roadmap. Please ignore the captive portal log files (those are placeholders for future support). 

    Logout behavior: Currently, we don't delete the authentication token (cookies) when the user clicks the logout button from SFOS. Deleting the token and authentication material will log the user out of all the Azure (Microsoft) apps, which the user may not want.