Microsoft Entra ID / Azure Active Directory SSO

For Microsoft system administrators looking to set up SSO for their organization.

Note: “Azure Active Directory” has recently been renamed “Microsoft Entra ID”. These names are considered functionally interchangeable and correspond to the same tool provided by Microsoft via the Azure portal.

Microsoft Entra ID for Avochato

This article describes manually setting up “Sign in with Microsoft” capabilities for your organization using Microsoft Entra ID in Azure.

Microsoft Entra ID is used to grant login access to one or more Avochato inboxes on a per-user basis. Configuration is available via the Azure portal.

Getting Started

This guide assumes you have created an Azure account and are using Entra ID.

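There are three main steps to configuring Avochato and Microsoft Entra ID:

  1. Add the Avochato Enterprise Application to your Azure organization
  2. Grant users or a group access to the Avochato Enterprise Application
  3. Invite each of those users to one (or more) inboxes in Avochato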

The first two steps are done in the Azure portal — the final step is done in the Avochato app. Read on for more details.

Note that Avochato does not currently support JIT SCIM, thus step 3 is a manual process when adding or adjusting user roles within Avochato and must be done **per user, per inbox**. Please contact your Avochato account manager for help bulk importing groups of users if you are onboarding a large organization.

  1. Add the Avochato Enterprise Application to your Azure organization
    1. Log into https://portal.azure.com/#home
    2. Click “Microsoft Entra ID”
    3. Click “Add” → “Enterprise Application”
    4. Find “Avochato” in the list of Enterprise Applications
    5. Click on the Avochato logo, then click “Add” to add the application to your Organization. You can now find Avochato in the list of Enterprise Applications
  2. Grant Users or a Group access to the Avochato Enterprise Application.
    1. From the Azure Portal “Home” page https://portal.azure.com/#home, click “Entra ID”
    2. Click “Enterprise Applications” in the left-hand menu, then click on Avochato in the app list, then click “Users and Groups” in the left-hand menu
    3. Click “Assign users and groups” - Select which user(s) or groups should have access to use Microsoft SSO to log into Avochato. Only the users (or groups of users) who are added to the Avochato application in this portal will be able to “Sign in with Microsoft” via www.avochato.com/signin
  3. Invite each of the users from Step 2 to one (or more) inboxes in Avochato
    1. Any Users added in Step 2 will receive an error when they click “Sign in with Microsoft” until you complete this step. If a user has already been invited, proceed to step 5. Users that do not belong to any of your organization’s inboxes (or are marked as disabled in all of your inboxes) will be unable to view any of the inboxes in your organization.

    2. Log into www.avochato.com
    3. Navigate to the “Invite Users” tab to begin inviting users to an inbox. Note that each inbox in your Avochato Organization has a unique list of users. Users can be added or removed independently from each inbox by “Manager” or “Owner”-tier users in your Organization.
    4. Invite users using their matching “User principal name” in Azure by typing it into the invite form. This must match exactly for each user you choose to invite. Use the “User principal name”, not the “Email” field in Azure.

        You can invite more than one user at a time by pasting a comma-separated list (CSV) of user emails corresponding with the user emails of the users you added in step 2. Note: These emails must match the corresponding User Principal Name exactly in order for single sign-on to validate signing in via Entra ID.

        Note on Avochato Roles: You can assign the default Role in Avochato, or select a custom role. Roles determine the default settings for notifications at the time of creation, and a user’s settings can be edited any time after they accept an invite.

        Note on “Members”, “Managers” and “Owners”: Users default to “Members” which can make calls, view conversations, and send text messages. “Managers” have advanced permissions, including the ability to add or remove other Members from the inboxes they can manage. “Owners” can promote members to managers and vice versa, as well as assign other permissions to individual users.

        Owners (and users who have the “Can View Organization” permission) can navigate to www.avochato.com/organizations to view and manage multiple accounts or multiple users at once, which can make this process easier for larger organizations.

    5. Repeat steps 2 and 3 with any new users or groups of users that you intend to grant access to the Avochato application as you onboard more teammates, and repeat step 3 in each separate inbox that you wish to add to Avochato (optional - if you are setting up multiple inboxes).
    6. Confirm with your users that they can access Avochato - upon first login, they will be prompted to accept terms and conditions, then they will be automatically redirected to the Avochato application for onboarding.

        Users can now log into Avochato via www.avochato.com/signin

    7. You’re done!

Removing Users/Groups from the Avochato Entra ID

Similar to any other Enterprise Application in Entra ID, simply navigate to the Avochato Application and click “Users and Groups” and remove or disable the users which you do not want to have access to Avochato. This will disable their ability to sign into Avochato with Microsoft Entra ID via the “Sign in with Microsoft” button.

While this restricts their access to your Avochato instance, this does not remove their user data (including assignment, message logs, profile etc) from Avochato inboxes - we recommend ‘disabling’ them via the Organization Management dashboard or alternatively deleting the user from the inbox(es) in your organization or the Invite Users page.

Please contact your Avochato account manager or text our support line for help removing users or groups of users.

Removing the Avochato Application from Entra ID

To remove Avochato from your organization’s Entra ID configuration, navigate to the Azure portal → Enterprise Applications → Avochato → Properties → Delete. This will delete the application and your users will no longer be able to access Avochato via “Sign in with Microsoft”.

If you disconnect Avochato in this way and wish to reconnect in the future, you will need to redo steps 1 and 2 in order to re-establish the SSO integration, but you do not need to re-invite users that already exist with a corresponding User Principal Name.

Note: This does not delete your Avochato organization, user metadata, message or contact history, or any data stored securely in Avochato. For full off-boarding of user or customer data, please contact Avochato support.

FAQs

Is Microsoft Entra ID required to use Avochato?

No - even if your organization uses Microsoft Entra ID, or the Azure cloud ecosystem, you are not required to sign into Avochato using Entra ID.

How do I provision new users in Avochato?

After enabling the user’s access via Entra ID, you must also invite the user using the same email address that is associated with their Entra ID to one or more inboxes in Avochato. To mass invite a list of users to an inbox, you can paste a CSV of email addresses in the “Invite Team” section of a given inbox.

To mass invite one or more users to multiple inboxes, as well as mass-assign Avochato roles or permissions, please reach out to your Avochato account manager.

Do all my users need to have access to Entra ID to use Avochato?

No - you can grant as many or as few users in your organization access to Avochato as necessary.

Following the principle of least privilege, we recommend limiting permission to access Avochato inboxes to a need-to-know basis. While it is technically possible to invite external users that do not belong to your Entra ID organization, we advise against this unless absolutely necessary — all users invited to one or more Avochato inboxes should correspond to a user in Entra ID if your team is leveraging Entra ID as an identity management solution. Additionally: you can view the Organization Management dashboard to see the complete list of users in your organization and their permissions. This dashboard is visible to Owner-type Avochato users as well as users in your organization who have been granted the “View Organization” permission.

As a reminder, only users with the Manager role can invite users to an inbox, and subsequently only users with the Owner role can promote users to the Manager role or grant the “View Organization” permission. Currently these roles and permissions cannot be automatically managed via Microsoft Entra ID.

Is Microsoft Entra ID the only way my team can sign into Avochato?

No - currently, you can invite users via their email address and assign roles and permissions to them, which also allows them to sign in via their email address or phone number.

Users who have been invited to Avochato inboxes can reset their passwords via a confirmation email to the email address associated with their account.

Users can sign in via their email and password, or via a secure code texted to the phone number associated with their user profile after being invited to an Avochato account.

To prevent users from accessing Avochato inboxes, they should be off-boarded from the Avochato platform manually in addition to having their permission revoked in Entra ID. For assistance, please contact your Avochato account manager.

Does Avochato support automatic SCIM provisioning?

Currently no.

Users must be given the proper entitlement to log into Avochato using the Entra ID console just like any other application, and also invited to one or more Avochato inboxes via the Invite Team tab (using the same email as their Microsoft Entra ID).

If a user’s Entra ID email changes or they are given a different identifier, the corresponding email change must be made to their Avochato User. Please contact your account manager for more details.

Can I ‘Sign in via Microsoft’ as another user?

No, you can only sign in via the Entra ID you have access to.

If I edit a user or group in Entra ID, will it automatically update permissions or roles in Avochato?

Currently no - Avochato permissions can be revoked in Entra ID, but this only prevents using the “Sign in with Microsoft” functionality - user groups and roles must be managed via the Avochato Organization Management dashboard, and can be configured on a per-account basis for each user in your organization.

For more information or requests for advanced user management, please contact your Avochato account manager.

How can I securely remove my users from Avochato while using Microsoft Entra ID?

1) After you have given users or groups the entitlement to log into Avochato via Entra ID, you can subsequently remove users or groups in Entra ID to revoke their access.

This will prevent these users from logging in via “Sign in with Microsoft” but does not revoke notification or role-based permissions in Avochato.

2) If you need to deprovision one or more users within Avochato, you can do so via the Avochato Organization Management dashboard. Users can be removed from individual inboxes or from all inboxes, and their permissions can be edited on a per inbox basis. If you need to mass-remove a set of users, revoke roles from specific users across many inboxes, or wish to anonymize your user data as part of off-boarding users from the Avochato platform, please contact your Avochato account manager.
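Because revoking an Entra ID assignment does not remove the Avochato user, and invites must match the User Principal Name exactly, the two user lists need periodic reconciliation. The following Python script is an added example, not Avochato or Microsoft code; both CSV layouts, their column names and the sample rows are constructed assumptions, since this article does not document an export format.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not a documented export.
ENTRA_ASSIGNED = """userPrincipalName,mail
ana@contoso.example,ana@contoso.example
raj@contoso.example,raj.patel@contoso.example
lee@contoso.example,lee@contoso.example
"""
AVOCHATO_USERS = """inbox,email,disabled
Sales,ana@contoso.example,false
Sales,raj.patel@contoso.example,false
Sales,Lee@contoso.example,false
Support,former@contoso.example,false
Support,old@contoso.example,true
"""

def audit(entra_csv, avochato_csv):
    """Reconcile Entra ID app assignments with Avochato inbox membership."""
    entra = list(csv.DictReader(io.StringIO(entra_csv)))
    upns = {r["userPrincipalName"] for r in entra}
    # Map likely mistakes (Email field used, different case) to the intended UPN.
    lookalike = {}
    for r in entra:
        lookalike[r["mail"].strip().lower()] = r["userPrincipalName"]
        lookalike[r["userPrincipalName"].lower()] = r["userPrincipalName"]
    report = {"mismatch": [], "orphaned": [], "not_invited": []}
    invited = set()
    for row in csv.DictReader(io.StringIO(avochato_csv)):
        email, inbox = row["email"], row["inbox"]
        if email in upns:  # exact match, as the invite step requires
            invited.add(email)
            continue
        intended = lookalike.get(email.strip().lower())
        if intended:
            # Invited under an address that is not an exact copy of the UPN.
            report["mismatch"].append((inbox, email, intended))
        elif row["disabled"].strip().lower() != "true":
            # No Entra assignment, still enabled: email/password and
            # SMS-code sign-in remain available to this account.
            report["orphaned"].append((inbox, email))
    # Assigned in Entra ID but with no exactly matching invite in any inbox.
    report["not_invited"] = sorted(upns - invited)
    return report

if __name__ == "__main__":
    for finding, items in audit(ENTRA_ASSIGNED, AVOCHATO_USERS).items():
        print(finding, items)
```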
