# External Identity Provider Configuration - Azure IDP

#### Service Provider Configuration

The page [here](https://help.cymmetri.io/identity-hub/authentication/service-provider) shows how to configure a Service Provider.

#### Microsoft Entra Configuration

Now log in to the Microsoft Entra portal at <https://entra.microsoft.com/>.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FSgKWWu6Q2uPUwS2q50Sb%2Fimage.png?alt=media&#x26;token=632d8822-fb18-474b-ad59-58a5d695dea4" alt=""><figcaption></figcaption></figure>

Navigate to Enterprise applications and select New Application.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FmpuSByFkdo6WPtGqdsHG%2Fimage.png?alt=media&#x26;token=f826e363-802c-4f1c-9f8e-a9deb656370d" alt=""><figcaption></figcaption></figure>

Click on Create your own application, enter the Application Name and click on the Create button.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FG3F1J7JdDsFuBIGXmTaC%2Fimage.png?alt=media&#x26;token=d9be2741-3570-4554-bf6d-493df62e9234" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FhY1t2cPqwJjwiTsDQpoH%2Fimage.png?alt=media&#x26;token=b5658be1-7ba0-4479-9f20-b9b36004769e" alt=""><figcaption></figcaption></figure>

Once the application is created, click on the Single Sign On menu and select Set up Single Sign-On with SAML.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FMivE8y94KrU4RlDNYixD%2Fimage.png?alt=media&#x26;token=79689c72-b6e2-44b8-a3d6-60ab6000dc60" alt=""><figcaption></figcaption></figure>

Download the metadata file from the Cymmetri Service Provider page (how to create a service provider is shown above).

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FpWG14jYi6xYxd39JMwHW%2Fimage.png?alt=media&#x26;token=03019b3e-f43e-4e0a-8ffb-d0d835a0623c" alt=""><figcaption></figcaption></figure>

Upload the downloaded metadata file here:

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FvQw2J6qSmXm7cS3kgPx0%2Fimage.png?alt=media&#x26;token=bda44bb4-bf67-41a8-a9a9-cd2caf4accab" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FUQ8qHusU5GQUFLU2KtD0%2Fimage.png?alt=media&#x26;token=a4d646eb-7df4-4fc3-846d-e802a1054f3c" alt=""><figcaption></figcaption></figure>

The Identifier (Entity ID) and Assertion Consumer Service URL are populated from the XML file downloaded in the previous step; then save the configuration.
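Before uploading the metadata it is worth confirming what Entra is going to read out of it. The following is an added example, not Cymmetri's own code: it parses an SP metadata file with the standard library, pulls out the Entity ID and the Assertion Consumer Service endpoints, and flags an ACS URL that is not HTTPS or not on the expected deployment host. The sample metadata, the `sp.example.invalid` host and the endpoint paths are constructed for the example and are not the real Cymmetri values.

```python
"""Check an SP metadata file for the values an IdP will populate (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample SP metadata; host and paths are placeholders, not a real deployment.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/sp/acs"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID, ACS endpoints and signing expectation from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [
        {
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index", "0")),
            "default": e.get("isDefault") == "true",
        }
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    if not entity_id or not acs:
        raise ValueError("metadata lacks entityID or AssertionConsumerService")
    return {
        "entity_id": entity_id,
        "acs": sorted(acs, key=lambda a: a["index"]),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def check_sp_metadata(meta: dict, expected_host: str) -> list:
    """Return a list of problems; an empty list means the metadata looks safe to upload."""
    problems = []
    for acs in meta["acs"]:
        url = urlparse(acs["location"])
        if url.scheme != "https":
            problems.append(f"ACS endpoint is not https: {acs['location']}")
        if url.hostname != expected_host:
            problems.append(f"ACS host {url.hostname!r} is not the deployment host {expected_host!r}")
    if not meta["want_assertions_signed"]:
        problems.append("SP does not require signed assertions (WantAssertionsSigned)")
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID:", meta["entity_id"])
    for acs in meta["acs"]:
        print("ACS:", acs["binding"], acs["location"])
    print("Problems:", check_sp_metadata(meta, "sp.example.invalid") or "none")
```

Run it against the real metadata by reading the downloaded file into `parse_sp_metadata` and passing your deployment's host name to `check_sp_metadata`; the Entity ID and ACS location it prints are the values that should appear in the Entra SAML configuration after the upload.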

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FivFn2uIb0UqwPGYIORuv%2Fimage.png?alt=media&#x26;token=9e0e46d9-cd20-4111-95d3-afa2c1505369" alt=""><figcaption></figcaption></figure>

Download the Certificate (Base64) from SAML Certificates.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2F4whMX4VRKkJM5oIeNL5g%2Fimage.png?alt=media&#x26;token=78ee0d51-21f7-483f-9ddd-3adbce8daa80" alt=""><figcaption></figcaption></figure>

#### Assigning Users to the Application

Assign users to the Microsoft Entra Enterprise Application you just created so that those users can use Azure (Microsoft Entra) as an external identity provider.

Navigate to Enterprise applications and select the application you created above.

Go to Users and Groups, and select Add user/group and add the user.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2Fws3mw7QPPjV07TuugEKI%2Fimage.png?alt=media&#x26;token=8a7252fe-8075-4d08-b6af-478a4e88689a" alt=""><figcaption></figcaption></figure>

#### Cymmetri IDP Configuration

Navigate to External IDP in Identity Provider.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2F0EajLHB3cI5URQXGs6MH%2Fimage.png?alt=media&#x26;token=fdbbda64-bd1e-4b80-b521-03c71f7a5497" alt=""><figcaption></figcaption></figure>

Select Azure-IDP.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FYEf6Bl0q7etMwQ603KPk%2Fimage.png?alt=media&#x26;token=b64d9654-cdb6-4723-826c-1c168a20a781" alt=""><figcaption></figcaption></figure>

Configure Azure AD (Microsoft Entra) to create the identity provider configuration.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FjpWAgpNdpuXwdWULYoI9%2Fimage.png?alt=media&#x26;token=ac5c4ddd-7cbe-4b1f-8d6c-00a3dee7f25c" alt=""><figcaption></figcaption></figure>

Next, continue the identity provider configuration in the Cymmetri Administration Console: copy the Microsoft Entra Identifier from the Set up section in Entra, navigate to azure-idp in Cymmetri, and paste it into the Entity ID field.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FM2B5rAuvZvpaTfbcd2Do%2Fimage.png?alt=media&#x26;token=c348be1a-83e8-4f8f-ad15-b1ef3bb6fc41" alt=""><figcaption></figcaption></figure>

Similarly, copy the login URL and paste it into the Single Sign On Service URL in Cymmetri.

Replace the text `<host-name>` with the URL of the Cymmetri deployment (e.g., <https://aktestidp.ux.cymmetri.in>) in the *destination* field, so that `https://<hostName>/spsamlsrvc/samlSP/SingleSignOnService` becomes `https://aktestidp.ux.cymmetri.in/spsamlsrvc/samlSP/SingleSignOnService`.

Open the Base64 certificate downloaded from SAML Certificates above, copy its contents, and paste them into the x509Certificate field in Cymmetri.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2F6yMJ5DpQVBsluohB6xTz%2Fimage.png?alt=media&#x26;token=48032f15-fae6-47d8-acf3-4c597c827a87" alt=""><figcaption></figcaption></figure>

Select the created service provider in the Service Provider Id field dropdown and save the changes.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FtCWpQ2toKy7rkFNqRtYP%2Fimage.png?alt=media&#x26;token=1d38c8ad-798c-4f3c-bd28-eb1df0df4e35" alt=""><figcaption></figcaption></figure>

To enable Azure IDP as the identity provider for a specific set of users, an Authentication Rule needs to be configured. [Here](https://help.cymmetri.io/identity-hub/authentication/authentication-rules) you can see the steps on how to configure Authentication Rules.

#### Configuring JIT provisioning in Cymmetri

If JIT provisioning needs to be enabled for Azure AD (Microsoft Entra) as an external identity provider, set it up using the steps below.

Navigate to JIT in external identity provider and enable JIT Configuration.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FIQUP3SSNp6xyXSguqlUI%2Fimage.png?alt=media&#x26;token=aa03c28e-21c5-4218-95c4-bba97d613de4" alt=""><figcaption></figcaption></figure>

The following fields are mandatory in Cymmetri: firstName, lastName, login, userType, displayName, and email.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2Fgqavtnxs8M8J2XmKQOUL%2Fimage.png?alt=media&#x26;token=bdafe4b7-2918-4c4d-ad7e-4d3d111970e9" alt=""><figcaption></figcaption></figure>

For the Azure JIT configuration, the following mapping needs to be done:

| Label            | Application Field                                                 | Cymmetri Field |
| ---------------- | ----------------------------------------------------------------- | -------------- |
| First Name       | <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname> | firstName      |
| Last Name        | <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname>   | lastName       |
| Login (Username) | <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name>      | login          |
| User Type        | any string                                                        | userType       |
| Display Name     | <http://schemas.microsoft.com/identity/claims/displayname>        | displayName    |
| Email Address    | <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name>      | email          |
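The mapping table above and the list of mandatory fields are easy to get wrong when a claim is missing from the assertion Entra sends. The following added example (not Cymmetri's own JIT code) applies the table to the AttributeStatement of a SAML assertion and reports which mandatory Cymmetri fields would be left empty. The assertion is constructed for the example; `userType` is filled with a fixed string, as the table allows; and the example assumes the assertion's signature has already been verified by the SP, which is where the real check belongs.

```python
"""Apply the Azure JIT claim mapping to a SAML AttributeStatement (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Cymmetri field -> claim URI, exactly as in the mapping table above.
# login and email both come from the "name" claim; userType is a fixed string.
CLAIM_MAP = {
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "login": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "displayName": "http://schemas.microsoft.com/identity/claims/displayname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}
MANDATORY = ("firstName", "lastName", "login", "userType", "displayName", "email")

# Constructed sample assertion (signature element omitted; assumed already verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Asha</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Rao</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>asha.rao@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Asha Rao</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {claim URI: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", NS)
        ]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def build_jit_user(attrs: dict, user_type: str = "Employee") -> dict:
    """Map claims to Cymmetri fields; fields whose claim is absent are left out."""
    user = {"userType": user_type}  # "any string" per the mapping table
    for field, claim in CLAIM_MAP.items():
        values = attrs.get(claim)
        if values:
            user[field] = values[0]  # first value of a multi-valued claim
    return user


def missing_mandatory(user: dict) -> list:
    """Mandatory Cymmetri fields that the assertion did not supply, in table order."""
    return [f for f in MANDATORY if not user.get(f)]


if __name__ == "__main__":
    claims = extract_attributes(SAMPLE_ASSERTION)
    jit_user = build_jit_user(claims)
    print(jit_user)
    print("Missing mandatory fields:", missing_mandatory(jit_user) or "none")
```

If `missing_mandatory` reports a field for a real assertion, the fix is on the Entra side: add or rename the claim in the application's Attributes & Claims so that its name matches the Application Field column of the table.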

#### Checking the Azure Authentication

Log in to Cymmetri using the Azure email address.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FnxvVrKJHCMN33kL4sA1o%2Fimage.png?alt=media&#x26;token=6f716a5b-71a4-48fc-827e-9f0c58f24f88" alt=""><figcaption></figcaption></figure>

The user will be redirected to the Azure portal to enter the Azure credentials.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FSBu43pXmNcLgYQKarChd%2Fimage.png?alt=media&#x26;token=aa7623ac-1d81-4368-8334-c4844efc5e10" alt=""><figcaption></figcaption></figure>

Once the credentials have been entered correctly in the Azure portal, the user is redirected back to Cymmetri and logged in.

<figure><img src="https://3609793515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiOkb5tnBpg4wioRhBnTB%2Fuploads%2FVqRB8w6JT8R8LQlt70OL%2Fimage.png?alt=media&#x26;token=f7168f51-f6b1-46c4-b09e-3e731a74dd6e" alt=""><figcaption></figcaption></figure>
