>
    Strata Copilot
    Onboarding an App Using Azure AD Credentials
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard SaaS Apps Supported by SSPM
    4. Onboarding an App Using Azure AD Credentials
    Download PDF
    SaaS Security

    Onboarding an App Using Azure AD Credentials

    Table of Contents

    Onboarding an App Using Azure AD Credentials

    To access an administrator account for an app through Azure Active Directory (AD) single sign-on (SSO), SSPM requires your Azure credentials and an MFA secret key that Azure generates.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Security Posture Management license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    Depending on the app that you are onboarding, you might have the option to connect SSPM to the app by using administrator credentials. For some apps, you can access the administrator account through Azure Active Directory (AD) single sign on (SSO) instead of using direct authentication to the app.
    Connecting to the administrator account through Azure AD provides an extra layer of security, because this onboarding method uses multi-factor authentication (MFA) to access the administrator account. To enable MFA, you configure the Azure AD account to require MFA that uses time-based one-time passcodes (TOTPs). Authenticator apps, such as Google Authenticator, generate the TOTPs by using an MFA secret key. The MFA secret key is a shared secret between Azure AD and the authentication app for generating matching passcodes for verification. When you onboard an app using Azure AD credentials, you must provide SSPM with the MFA secret key. Like an authenticator app, SSPM will use the MFA secret key for passcode generation.
    In Azure AD, you configure an account to require TOTPs by enabling OATH tokens for the account.
    1. Enable MFA using OATH TOTP for the app administrator's Azure AD account.
      1. Open a web browser and navigate to the Azure portal. Log in using an administrator account assigned to the Global Admin role. You can log in as the app administrator whose credentials you will supply to SSPM, or as a different administrator.
      2. In the Azure portal, navigate to the authentication methods policies page (Authentication methodsPolicies).
      3. In the Method list, select Third-party software OATH tokens.
      4. On the settings page for third-party software OATH tokens, make sure the method is enabled. Make sure that the app administrator whose credentials you will supply to SSPM is included in the target group for the method.
    2. Generate and copy an MFA secret key.
      If the app administrator's account is already configured for MFA, and if you know the MFA secret key value, you don't need to complete the following steps. You need only provide the MFA secret key to SSPM during the onboarding process. If the app administrator's account isn't configured for MFA, complete the following steps. If the app administrator's account is already configured for MFA but you don't know the MFA secret key, reregister the account for MFA and complete the following steps:
      1. Decide which authentication app you will use and download it to your cellphone. SSPM does not support the Microsoft Authenticator app for onboarding an app using Azure AD credentials. Instead, use another app that supports TOTP generation, such as Google Authenticator.
      2. Log in to Microsoft using the app administrator account whose credentials you will supply to SSPM. The administrator account must be assigned to the Global Admin role. You can log in from the URL aka.ms/MFASetup.
      3. From the My Sign-Ins page, select Security info Add sign-in method.
      4. On the Add a sign-in method dialog, select Microsoft Authenticator.
      5. The dialog prompts you to configure your cellphone with the Microsoft Authenticator app or with a different authenticator app. Because SSPM does not support the Microsoft Authenticator app for this action, click I want to use a different authenticator app.
      6. Follow the onscreen instructions for setting up the authenticator app, but, when you are presented with a QR code that contains the MFA secret key, don't scan it with your authenticator app. Instead, you will first copy the MFA secret key:
        1. On the page of the dialog that displays the QR code, click Can't scan image?.
          The dialog displays the MFA secret key as a character string in addition to the QR code.
        2. Copy the MFA secret key into a text file.
          Do not continue to the next step unless you have copied the MFA secret key. You must provide this key to SSPM during the onboarding process.
        3. Continue configuring your authenticator app by scanning the QR code or by manually entering the MFA key. Complete the remaining setup steps as prompted by the dialog.

    © 2026 Palo Alto Networks, Inc. All rights reserved.