
ClientOne Microsoft 365 SSO (MSP)

This guide walks an MSP admin through turning on the multi-tenant Sign in with Microsoft 365 flow for ClientOne. End users at every client tenant can sign in with their existing M365 account without per-tenant SSO configuration in PanelOne.

Note: The same procedure is in PanelOne → ClientOne Admin → ClientOne SSO (/clientone-admin/sso). In-repo strings: panelone/src/features/clientone-sso/setup-guide-content.ts; long-form runbook: panelone/docs/clientone-sso-msp-runbook.md. Update all sources when instructions change.

This flow is different from per-client Entra SSO (one app registration per client). Both flows coexist; when the MSP has ClientOne M365 SSO enabled, the login page prefers it.


Overview of the pieces

Piece                         | What it is                                                          | Where it lives
ClientOne Azure App           | Multi-tenant Azure App Registration in your partner tenant.         | Azure Portal
Partner Center app (optional) | Entra ID (AAD) app used for Partner Center automation of admin consent. | Azure Portal + Partner Center
PanelOne — ClientOne SSO      | Where you paste credentials.                                        | /clientone-admin/sso in PanelOne
Grant ClientOne consent       | Per-client action that consents the app in that client's tenant.    | Client detail page in PanelOne
End-user login                | ClientOne sign-in URL.                                              | Default https://app.clientone.dev/login or your ClientOne origin

1. Register the multi-tenant Azure App

  1. Open Azure Portal in your partner tenant.
  2. Microsoft Entra ID → App registrations → New registration.
  3. Name: e.g. ClientOne SSO (customers see this name on the consent prompt).
  4. Supported account types: Accounts in any organizational directory (multitenant).
  5. Redirect URI: leave blank for now; paste the URL from PanelOne in the next phase.
  6. API permissions: add Microsoft Graph delegated permissions openid, profile, email, User.Read, then grant admin consent in your partner tenant. Keep this list minimal: every client admin is asked to consent to exactly these permissions.

2. (Optional) Register a Partner Center app

Skip if you will run manual admin consent URLs in every client tenant instead of using Grant ClientOne consent in PanelOne.

  1. New registration — single tenant; name e.g. PanelOne Partner Center.
  2. API permission: Microsoft Partner Center → user_impersonation (Delegated); grant admin consent.
  3. Create a client secret and copy the secret value; the portal shows it only once, immediately after creation.
  4. The MSP account used for consent automation needs a valid Partner Center role.

3. Paste credentials into PanelOne

  1. ClientOne Admin → ClientOne SSO in PanelOne (Owner/Admin only).
  2. Copy Redirect URI (ends with auth-clientone-sso-callback).
  3. In the ClientOne Azure App: Authentication → Web — paste that URI character for character (scheme, host, path and trailing slash all count) and save.
  4. Create an Azure client secret and copy the value; it is shown only once.
  5. In PanelOne fill Azure client ID and Azure client secret (first save requires both).
  6. If using Partner Center automation, fill Partner tenant ID, Partner Center client ID, and Partner Center client secret.
  7. Optional ClientOne origin for a whitelabel hostname.
  8. Toggle Enable ClientOne SSO and Save changes.

Secrets are encrypted per organization; they are not returned to the browser after save.

4. CIPP tenant sync

The sync-cipp-tenants function (scheduled daily at 02:00 UTC) fills microsoft_tenant_id on each client; login routing and consent both depend on that value.

Example manual run:

curl -X POST \
  -H "Authorization: Bearer <anon-key>" \
  https://<project-ref>.supabase.co/functions/v1/sync-cipp-tenants

Confirm each client shows a tenant ID on its Client Info card.

5. Turn on SSO for each client tenant

  1. Clients → [client].
  2. ClientOne Microsoft 365 SSO card → Grant ClientOne consent (requires Partner Center credentials in step 3).

If you skipped Partner Center:

  • Signed in as a Global Administrator of the client tenant, open:
https://login.microsoftonline.com/<client-tenant-id>/adminconsent?client_id=<clientone-azure-app-id>
  • After consent succeeds, set clients.clientone_sso_enabled = true on that client's row (or use the product UI when it is available). Consent alone does not enable login for the client.

6. End users sign in

Direct users to your ClientOne origin or https://app.clientone.dev/login. They enter email and choose Sign in with Microsoft 365.


Troubleshooting

Symptom                                | Cause                                             | Fix
Microsoft sign-in not fully configured | is_enabled is set but no Azure secret is stored   | Re-save ClientOne SSO with a valid secret
Redirect returns sso_error             | Bad/expired secret or redirect URI mismatch       | Rotate the secret; make the redirect URI match exactly
Token tenant mismatch                  | Wrong microsoft_tenant_id on the client           | Re-run sync-cipp-tenants / correct the tenant ID
Partner Center consent 401             | Invalid Partner app credentials or missing role   | Fix the credentials / Partner Center role
sync missing_client_secret             | CIPP secret missing                               | Reconfigure the CIPP integration
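The following is an added example, not PanelOne code, showing the claim checks a multi-tenant callback handler should apply after it has verified the id_token signature against the Microsoft JWKS, and how routing by the token's tid relates to the "Token tenant mismatch" row above and to clients.clientone_sso_enabled from step 5. It assumes v2.0 tokens (iss of the form https://login.microsoftonline.com/{tid}/v2.0), a clients_by_tenant lookup keyed by microsoft_tenant_id, and an optional expected_tenant that the login page resolved from the typed email; the reason codes, tenant IDs, client records and tokens are constructed for the example and signature verification is deliberately left to the caller.

```python
"""Claim checks for a multi-tenant Microsoft 365 sign-in callback (added example).

Assumption: the caller has already verified the id_token signature against the
issuer's JWKS. This module only validates claims and maps them to a client.
"""
import base64
import json
import time

MS_ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0 issuer: prefix + tid + "/v2.0"


class SsoError(Exception):
    """Token rejected; the message is a reason code (names are assumptions, not PanelOne's)."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise SsoError("malformed_token")
    return json.loads(_b64url_decode(parts[1]))


def route_client(claims, client_id, clients_by_tenant, expected_tenant=None, now=None):
    """Map verified id_token claims to the client record they belong to.

    clients_by_tenant: microsoft_tenant_id -> record with 'name' and 'clientone_sso_enabled'.
    expected_tenant: tenant id the login page resolved from the typed email (assumed flow)."""
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        raise SsoError("audience_mismatch")       # token minted for some other app
    tid = claims.get("tid")
    if not tid:
        raise SsoError("missing_tid")
    if claims.get("iss") != f"{MS_ISSUER_PREFIX}{tid}/v2.0":
        raise SsoError("issuer_tenant_mismatch")  # iss and tid must name the same tenant
    if float(claims.get("exp", 0)) <= now:
        raise SsoError("token_expired")
    if expected_tenant is not None and expected_tenant != tid:
        raise SsoError("tenant_mismatch")         # wrong microsoft_tenant_id on the client
    client = clients_by_tenant.get(tid)
    if client is None:
        raise SsoError("unknown_tenant")          # sync has not filled microsoft_tenant_id
    if not client.get("clientone_sso_enabled"):
        raise SsoError("sso_not_enabled")         # consent granted but flag never set
    return client                                 # routing is by tid, never by the typed email


# --- constructed sample data (not real tenants, apps or tokens) ---
APP_ID = "11111111-1111-1111-1111-111111111111"
CONTOSO = "aaaaaaaa-0000-0000-0000-000000000001"
FABRIKAM = "bbbbbbbb-0000-0000-0000-000000000002"
CLIENTS = {
    CONTOSO: {"name": "Contoso", "clientone_sso_enabled": True},
    FABRIKAM: {"name": "Fabrikam", "clientone_sso_enabled": False},
}
NOW = 1_700_000_000


def make_unsigned_token(claims: dict) -> str:
    """Build a JWS-shaped string with a dummy signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def good_claims(tid: str) -> dict:
    return {"aud": APP_ID, "iss": f"{MS_ISSUER_PREFIX}{tid}/v2.0", "tid": tid,
            "exp": NOW + 3600, "preferred_username": "alice@example.test"}


def demo(token: str, expected_tenant=None) -> str:
    """Return the routed client name, or the SsoError reason code."""
    try:
        return route_client(decode_jwt_payload(token), APP_ID, CLIENTS,
                            expected_tenant, now=NOW)["name"]
    except SsoError as e:
        return str(e)


if __name__ == "__main__":
    print(demo(make_unsigned_token(good_claims(CONTOSO))))            # Contoso
    print(demo(make_unsigned_token(good_claims(CONTOSO)), FABRIKAM))  # tenant_mismatch
    print(demo(make_unsigned_token(good_claims(FABRIKAM))))           # sso_not_enabled
```

The order of checks matters: audience and issuer/tid agreement are rejected before any lookup, so a token from an unrelated tenant never reaches the clients table, and the email a user typed on the login page is only ever used as a hint to be confirmed against tid, not as the routing key.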