| Doc. Number | Article Title | Effective Date | Version |
| FHC-INT-04 | Configuring Microsoft Entra Single Sign-On Integration | June 30, 2026 | 0.4 |
This article describes how to set up and use Microsoft Entra (formerly Azure) for Single Sign-On (SSO) login within the FORTH system. It is for Account Administrators and Controlling Company Admins who have backend access to both Microsoft Entra and FORTH CRM integration settings.
The article is organized into the following sections:
Overview
You can use Microsoft Entra (formerly Azure AD) to manage user identities within the FORTH CRM. This integration provides Single Sign-On (SSO) access to improve organizational security and data governance.
Prerequisites
- An active Microsoft Entra Admin account with permissions to create Enterprise Applications.
- An active FORTH CRM account with the Entra Integration add-on enabled by the FORTH team.
- Administrator access within the highest-level (controlling) company of your FORTH account.
How to Access
Contact your FORTH representative to activate Microsoft SSO for your Account.
Click on the Admin tab.
Select Integrations from the navigation bar.
Choose SSO Providers from the left side panel.
Find and click on Microsoft Entra.
(Admin > Integrations > SSO Providers > Entra Integration)
How it Works
To set up the Microsoft Entra integration, the FORTH Team must first request a custom domain, and vhost and then you must configure settings in both the Microsoft Entra Admin center and the FORTH CRM.
Phase 1: Engineering Setup
The controlling company (the highest-level company within the account) should request the configuration of this integration. Configuration is handled by the FORTH Engineering Team. Before configuring the integration, the following must be in place.
Jira Ticket: Request that your FORTH representative opens a ticket to request a custom domain and vhost to the FORTH Engineering Team.
Domain: The custom domain must follow the format: https://[your-account-identifier].forthcrm.com.
Note: SSO will not function on domains outside of forthcrm.com. Clients wishing to use their own domain must set up a redirect to this subdomain.
Internal Approvals: FORTH Engineering must confirm the setup with the FORTH Sales and Billing teams, as SSO logins count toward billable usage.
Phase 2: Configure Microsoft Entra
IMPORTANT: The images used in this section were accurate as of publication of this article. Microsoft may change these pages at any time and does not have to notify FORTH.
- Log in to your Microsoft Entra Admin center.
- Click Enterprise applications found in the left-side panel of the page.
-
Create a new Enterprise Application for the FORTH CRM. Read more on how to do this in this article.
-
Open the Users & Groups section and add the users or groups who need access to the CRM.
-
Open the Single Sign On configuration section and edit the Basic SAML Configuration parameters.
- Set the reply URL to https://[your-account-identifier].forthcrm.com/login.php. Replace [your-account-identifier] with your actual FORTH subdomain.
Note the value in the Identifier (Entity ID) field. You will need this for configuring the FORTH CRM.
-
Open the Attributes and Claims section. Configure the system to pass either the user email (User Principal Name) or a custom user-level field attribute for the numerical FORTH user ID. This information is transmitted by Entra to the FORTH CRM upon successful identity validation.
-
Locate and copy the generated Login URL from the bottom of the page.
Phase 3: Configure the FORTH CRM
To set up this integration in the FORTH CRM once the add-on is enabled:
Log in to the FORTH CRM and navigate to the Microsoft Entra Integration page (Admin > Integrations > SSO Providers > Microsoft Entra).
-
Enter the following information in the corresponding fields:
Domain: "https://[your-account-identifier].forthcrm.com" (Must match the Entra Reply URL).
Entity ID: The "Identifier" copied from Basic Entra SAML settings.
Login URL: The "Login URL" generated by Entra.
Forth SSO Claim Field: The name of the field used to verify the SSO attempt if the Forth User Field is set to Username to verify the SSO attempt.
-
Forth User Field: Select either Email or Username from the dropdown menu (corresponds to the User ID method).
- Email: The user email in FORTH must exactly match the Entra User Principal Name (UPN). Only one user can have an email address associated with an Entra UPN. SSO will fail if the same email is used with multiple users, and an error will be shown.
- Username: The Entra claim must transmit the user's exact numerical FORTH user ID inside a custom field within the Attributes and Claims section named forthuserid.
- User IDs are unique for every user on the FORTH CRM, so an SSO failure when userID is selected as the claim field is likely due to the user ID missing on the Entra side.
Entra can be enabled for specific companies within an account. If configured, only users from these companies can use the integration.
If a FORTH CRM user goes to a generic login domain, e.g., login.forthcrm.com, they can still log in using their regular username/password. FORTH has no way to enforce SSO because it is domain-specific.
- Click Save this Set.
SSO Behavior
Users who access this domain are automatically redirected to Microsoft Entra for SSO. Entra handles all items related to identity verification according to how it is configured. Depending on the organization, this may include 2FA/MFA or additional login steps.
Troubleshooting / FAQ
Why did a user receive an error message during an email-based SSO login?
Email addresses must be completely unique within your FORTH account. If multiple user profiles share the same email address, the SSO login will fail. Ensure every user has a unique email.
Why did a user receive an error message during a username-based SSO login?
FORTH user IDs are completely unique. If this login fails, the forthuserid claim field is likely missing or incorrectly entered on the Microsoft Entra side. Verify the claim mapping in your Entra settings.
Can users still bypass the SSO login screen?
Yes. SSO is domain-specific. If a user visits the generic login.forthcrm.com page, they can still log in using their standard FORTH username and password. To enforce Entra security, ensure your users only use your custom account subdomain link.
Does logging out of FORTH log the user out of Microsoft Entra?
No. Logging out of the FORTH CRM terminates your CRM session only. Your Microsoft Entra session remains active until it expires or until you manually log out of your Microsoft account.
Can a suspended user utilize the Entra SSO?
If a user has been suspended or deleted, they cannot use this SSO.
Do SSO logins change my billing?
Logins completed via Entra SSO count toward your billable usage for that specific user and count toward monthly usage charges. Every SSO login is recorded in the FORTH system log for auditing.
Assistance
For further assistance, reach out to support@setforth.com.
Article Version History:
| Version | Effective Date |
Description |
| Basic | 10/04/2024 | Initial Release |
| 0.1 | 12/10/2024 | Formatting tweaks only. No subject matter updates were made. |
| 0.2 | 12/18/2025 | Refreshed screenshots to reflect changes to the CRM's user interface. |
| 0.3 | 05/07/2026 | Updated note on configurations. Minor formatting updates. |
| 0.4 | 06/30/2026 | Updated language about configuring the Entra SSO Integration and updated the section headers. |