Microsoft Azure AD Integration
Enable your Microsoft 365 and Azure AD users to sign in to your Shopify store using their corporate Microsoft credentials.
Prerequisites
- Azure AD Premium P1/P2 or Microsoft 365 Business Premium
- Application Administrator or Global Administrator role
- SecurePie Professional or Enterprise plan
Setup Instructions
Access Azure Portal
Log in to the Azure Portal and navigate to Azure Active Directory (now Microsoft Entra ID).
1. Go to portal.azure.com
2. Sign in with your Azure admin account
3. Search for "Azure Active Directory" or "Microsoft Entra ID"
4. Click on "Enterprise applications"
Create Enterprise Application
Create a new enterprise application for SecurePie.
1. Click "New application"
2. Click "Create your own application"
3. Enter "SecurePie SSO" as the name
4. Select "Integrate any other application you don't find in the gallery (Non-gallery)"
5. Click "Create"
Configure SAML SSO
Set up SAML-based single sign-on for the application.
1. In the application overview, click "Set up single sign on"
2. Select "SAML" as the sign-on method
3. In "Basic SAML Configuration", click "Edit"
// Basic SAML Configuration Values
{
"Identifier (Entity ID)": "https://securepie.com/saml/your-org-id",
"Reply URL (ACS URL)": "https://securepie.com/saml/acs/your-org-id",
"Sign on URL": "https://your-store.myshopify.com",
"Relay State": "", // Leave empty
"Logout URL": "https://securepie.com/saml/slo/your-org-id"
}
Configure User Attributes & Claims
Map Azure AD user attributes to SAML claims.
1. In "Attributes & Claims", click "Edit"
2. Verify the Unique User Identifier is set to user.userprincipalname or user.mail
3. Add the following claims:
// Required Attribute Mappings
Claim Name  → Source Attribute
─────────────────────────────────
email       → user.mail
firstName   → user.givenname
lastName    → user.surname
displayName → user.displayname

// Optional Claims
department  → user.department
jobTitle    → user.jobtitle
groups      → user.groups
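The claim names in this table and the groupMapping table in the Advanced: Group-Based Access section further down are two halves of one mapping: claim values become customer fields, group values become customer tags. The following is an added example, not SecurePie's code, showing how a service provider applies both to an incoming assertion. SecurePie's real field names and import format are assumed, the assertion is constructed, and XML signature verification (which must succeed before any claim is trusted) is out of scope here.

```python
"""Map the claims of an Azure AD SAML assertion onto a SecurePie-style customer record,
including the group-to-tag mapping from the Advanced section.  Added example, not
SecurePie code: field names and the import shape are assumptions, the assertion is a
constructed sample, and signature verification is assumed to have happened already."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names exactly as configured in "Attributes & Claims" (left column of the table),
# mapped to assumed SecurePie customer fields.
CLAIM_TO_FIELD = {
    "email": "email",
    "firstName": "first_name",
    "lastName": "last_name",
    "displayName": "display_name",
    "department": "department",
    "jobTitle": "job_title",
}
REQUIRED_CLAIMS = ("email", "firstName", "lastName")

# The groupMapping table from the Advanced section: group display name -> customer tag.
GROUP_MAPPING = {
    "Sales Team": "wholesale",
    "VIP Customers": "vip-pricing",
    "Partners": "partner-discount",
}

# Constructed sample assertion (no Signature element, placeholder ID).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Sales Team</saml:AttributeValue>
      <saml:AttributeValue>Partners</saml:AttributeValue>
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {claim name: [values]} plus the NameID under the key '__nameid__'.
    Multi-valued claims (groups) keep every value."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs["__nameid__"] = [name_id.text.strip()] if name_id is not None and name_id.text else []
    return attrs


def missing_required_claims(attrs: dict) -> list:
    """Claims without which the user cannot be created; empty list means importable."""
    return [c for c in REQUIRED_CLAIMS if not attrs.get(c)]


def build_customer(attrs: dict, group_mapping: dict = GROUP_MAPPING) -> dict:
    """Turn extracted claims into a customer record with tags derived from group membership."""
    missing = missing_required_claims(attrs)
    if missing:
        raise ValueError(f"assertion lacks required claims {missing}; check the user's Azure AD profile")
    customer = {"name_id": (attrs.get("__nameid__") or [None])[0]}
    for claim, field in CLAIM_TO_FIELD.items():
        values = attrs.get(claim)
        if values:
            customer[field] = values[0]
    # Groups absent from the mapping (e.g. "Engineering") are ignored; no group claim means no tags.
    customer["tags"] = sorted({group_mapping[g] for g in attrs.get("groups", []) if g in group_mapping})
    return customer


if __name__ == "__main__":
    print(build_customer(extract_attributes(SAMPLE_ASSERTION)))
```

If the group claim is configured with "Group ID" rather than "Display name" as its source attribute, the values arrive as group object IDs and the mapping keys must be those IDs; matching on display names means a renamed group silently loses its tag, while matching on IDs survives renames.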
Download Federation Metadata
Download the SAML metadata to configure in SecurePie.
1. In the "SAML Certificates" section, find "Federation Metadata XML"
2. Click "Download" to save the metadata file
3. Also note the "App Federation Metadata Url" for automatic updates
4. Download the "Certificate (Base64)" as a backup
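Before uploading, it is worth confirming that what you downloaded is what SecurePie will be trusting: the entity ID and sign-on endpoint belong to your tenant, and the "Certificate (Base64)" backup is one of the signing certificates the metadata advertises (the two downloads come from different places in the portal, and the backup is PEM-armoured while the metadata carries raw base64). The following is an added example, not SecurePie or Microsoft code; the tenant ID, metadata document and certificate bytes are constructed placeholders.

```python
"""Parse an Azure AD (Microsoft Entra ID) Federation Metadata XML document and check that
the separately downloaded "Certificate (Base64)" backup is one of the signing certificates
the metadata advertises.  Added example, not SecurePie or Microsoft code.  The tenant id,
the metadata and the certificate bytes below are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"  # constructed, not a real tenant

# Constructed stand-in for DER certificate bytes (real metadata carries a real X.509 blob).
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real X.509 certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

# Constructed sample with the shape of the Federation Metadata XML (document signature omitted).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {PLACEHOLDER_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64: str) -> str:
    """Wrap raw base64 in PEM armour, the format of the "Certificate (Base64)" download."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed backup download matching the metadata, and one belonging to some other key.
SAMPLE_BACKUP_PEM = to_pem(PLACEHOLDER_B64)
OTHER_BACKUP_PEM = to_pem(base64.b64encode(b"a different constructed certificate").decode("ascii"))


def normalize_cert(text: str) -> bytes:
    """Return certificate bytes from either raw base64 (metadata) or PEM (backup download)."""
    body = "".join(
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most tools display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO/SLO endpoints per binding and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(fingerprint(normalize_cert(cert.text or "")))

    def endpoints(tag: str) -> dict:
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}

    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_fingerprints": fingerprints,
    }


def backup_matches_metadata(backup_pem: str, metadata: dict) -> bool:
    """True when the backup certificate is one the IdP currently signs with."""
    return fingerprint(normalize_cert(backup_pem)) in metadata["signing_fingerprints"]


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)
    print("Entity ID:      ", meta["entity_id"])
    print("SSO (redirect): ", meta["sso"][HTTP_REDIRECT])
    print("Signing certs:  ", meta["signing_fingerprints"])
    print("Backup matches: ", backup_matches_metadata(SAMPLE_BACKUP_PEM, meta))
```

Fetching the App Federation Metadata URL on a schedule and diffing signing_fingerprints against the previous run is how you notice a certificate rollover before sign-ins start failing with signature errors.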
Assign Users and Groups
Assign which users or groups can use the SecurePie application.
1. Go to "Users and groups" in the application
2. Click "Add user/group"
3. Select users or groups who should have access
4. Click "Assign"
Configure SecurePie
Upload the Azure AD metadata to SecurePie.
1. Log in to your SecurePie dashboard
2. Go to Settings → Identity Providers
3. Click "Add Provider" → "Microsoft Azure AD"
4. Upload the Federation Metadata XML file
5. Alternatively, paste the App Federation Metadata URL for auto-sync
6. Click "Save" and test the connection
Advanced: Group-Based Access
You can use Azure AD groups to control access to specific features or pricing tiers in your Shopify store.
// To include group membership in SAML assertions:
1. In "Attributes & Claims", click "Add a group claim"
2. Select "Groups assigned to the application"
3. Under "Source attribute", select "Group ID" or "Display name"
4. Click "Save"
// In SecurePie, map groups to customer tags:
{
"groupMapping": {
"Sales Team": "wholesale",
"VIP Customers": "vip-pricing",
"Partners": "partner-discount"
}
}
Conditional Access Policies
Azure AD Conditional Access allows you to enforce additional security requirements when users access SecurePie.
Require MFA
Create a Conditional Access policy to require multi-factor authentication for the SecurePie enterprise app.
Location-Based Access
Restrict access to specific countries or trusted IP ranges using Named Locations in Azure AD.
Device Compliance
Require devices to be compliant with Intune policies before allowing access to your Shopify store.
Sign-in Risk
Block or require MFA for sign-ins that Azure Identity Protection flags as risky.
Common Issues
AADSTS50011: Reply URL mismatch
The Reply URL in Azure must exactly match the ACS URL in SecurePie. Check for trailing slashes and ensure you're using HTTPS.
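A small diagnostic for this error, added here as an example (not SecurePie or Microsoft code): it compares the two URLs and names the difference. The URLs in the demo are the placeholders from the Basic SAML Configuration block above.

```python
"""Explain an AADSTS50011 "Reply URL mismatch" by comparing Azure's Reply URL with the ACS
URL SecurePie expects.  Added diagnostic example, not SecurePie or Microsoft code; the demo
URLs are the placeholders from this page."""
from urllib.parse import urlsplit


def reply_url_findings(azure_reply_url: str, securepie_acs_url: str) -> list:
    """Return [] when the URLs match exactly, otherwise a list of the differences found.
    The match must be exact, so each finding is a change to make on one side."""
    if azure_reply_url == securepie_acs_url:
        return []
    # Copy-paste residue is the most common cause and would confuse the parser, so check first.
    if azure_reply_url.strip() == securepie_acs_url.strip():
        return ["leading or trailing whitespace in one of the URLs"]
    a = urlsplit(azure_reply_url.strip())
    b = urlsplit(securepie_acs_url.strip())
    findings = []
    if a.scheme != b.scheme:
        findings.append(f"scheme differs ({a.scheme} vs {b.scheme}); use https")
    if a.netloc != b.netloc:
        findings.append(f"host differs ({a.netloc} vs {b.netloc})")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            findings.append("path differs only by a trailing slash")
        elif a.path.lower() == b.path.lower():
            findings.append("path differs only by letter case")
        else:
            findings.append(f"path differs ({a.path} vs {b.path})")
    if (a.query, a.fragment) != (b.query, b.fragment):
        findings.append("query string or fragment differs")
    return findings or ["URLs differ but no single cause was identified"]


if __name__ == "__main__":
    acs = "https://securepie.com/saml/acs/your-org-id"
    for reply in (acs, "http://securepie.com/saml/acs/your-org-id/", acs + " "):
        print(repr(reply), "->", reply_url_findings(reply, acs) or "OK")
```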
AADSTS700016: Application not found
Verify that you're using the correct tenant and that the application hasn't been deleted. Check that the Application ID matches.
Users not seeing attributes
Ensure the user has the attributes populated in their Azure AD profile. Check the "Edit" view of the user to verify.
Need Help?
Our team has extensive experience with Azure AD integrations and can help you configure advanced scenarios.