Identity Provider

Microsoft Azure AD Integration

Enable your Microsoft 365 and Azure AD users to sign in to your Shopify store using their corporate Microsoft credentials.

15 min setup
SAML 2.0 & OIDC

Prerequisites

  • Azure AD Premium P1/P2 or Microsoft 365 Business Premium
  • Application Administrator or Global Administrator role
  • SecurePie Professional or Enterprise plan

Setup Instructions

Step 1: Access Azure Portal

Log in to the Azure Portal and navigate to Azure Active Directory (now Microsoft Entra ID).

  1. Go to portal.azure.com
  2. Sign in with your Azure admin account
  3. Search for "Azure Active Directory" or "Microsoft Entra ID"
  4. Click on "Enterprise applications"

Step 2: Create Enterprise Application

Create a new enterprise application for SecurePie.

  1. Click "New application"
  2. Click "Create your own application"
  3. Enter "SecurePie SSO" as the name
  4. Select "Integrate any other application you don't find in the gallery (Non-gallery)"
  5. Click "Create"

Step 3: Configure SAML SSO

Set up SAML-based single sign-on for the application.

  1. In the application overview, click "Set up single sign on"
  2. Select "SAML" as the sign-on method
  3. In "Basic SAML Configuration", click "Edit" and enter the following values:

// Basic SAML Configuration Values
{
  "Identifier (Entity ID)": "https://securepie.com/saml/your-org-id",
  "Reply URL (ACS URL)": "https://securepie.com/saml/acs/your-org-id",
  "Sign on URL": "https://your-store.myshopify.com",
  "Relay State": "", // Leave empty
  "Logout URL": "https://securepie.com/saml/slo/your-org-id"
}

Step 4: Configure User Attributes & Claims

Map Azure AD user attributes to SAML claims.

  1. In "Attributes & Claims", click "Edit"
  2. Verify the Unique User Identifier is set to user.userprincipalname or user.mail
  3. Add the following claims:

// Required Attribute Mappings
Claim Name          →    Source Attribute
─────────────────────────────────────────────
email               →    user.mail
firstName           →    user.givenname
lastName            →    user.surname
displayName         →    user.displayname

// Optional Claims
department          →    user.department
jobTitle            →    user.jobtitle
groups              →    user.groups

Step 5: Download Federation Metadata

Download the SAML metadata to configure in SecurePie.

  1. In the "SAML Certificates" section, find "Federation Metadata XML"
  2. Click "Download" to save the metadata file
  3. Also note the "App Federation Metadata Url" for automatic updates
  4. Download the "Certificate (Base64)" as a backup

Step 6: Assign Users and Groups

Assign which users or groups can use the SecurePie application.

  1. Go to "Users and groups" in the application
  2. Click "Add user/group"
  3. Select the users or groups who should have access
  4. Click "Assign"

Step 7: Configure SecurePie

Upload the Azure AD metadata to SecurePie.

  1. Log in to your SecurePie dashboard
  2. Go to Settings → Identity Providers
  3. Click "Add Provider" → "Microsoft Azure AD"
  4. Upload the Federation Metadata XML file
  5. Alternatively, paste the App Federation Metadata URL for auto-sync
  6. Click "Save" and test the connection

Advanced: Group-Based Access

You can use Azure AD groups to control access to specific features or pricing tiers in your Shopify store.

To include group membership in SAML assertions:

1. In "Attributes & Claims", click "Add a group claim"
2. Select "Groups assigned to the application"
3. Under "Source attribute", select "Group ID" or "Display name"
4. Click "Save"

In SecurePie, map groups to customer tags:
{
  "groupMapping": {
    "Sales Team": "wholesale",
    "VIP Customers": "vip-pricing",
    "Partners": "partner-discount"
  }
}
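As an added example (not SecurePie's or Microsoft's code), the following Python parses the AttributeStatement of a SAML assertion shaped like the one Azure AD emits after the claim mapping in Step 4, reports required claims that are missing or empty (the "Users not seeing attributes" case under Common Issues), and applies the groupMapping above to produce customer tags. The assertion is a constructed sample, and the code assumes the SAML response signature has already been verified before any attribute is trusted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claims added in Step 4; each must be present and non-empty for login to succeed.
REQUIRED_CLAIMS = ("email", "firstName", "lastName", "displayName")

# Group-to-customer-tag mapping from the groupMapping configuration above.
GROUP_MAPPING = {
    "Sales Team": "wholesale",
    "VIP Customers": "vip-pricing",
    "Partners": "partner-discount",
}

# Constructed sample assertion (not a real capture). Attribute names are the
# claim names configured in Step 4; "Contractors" is a group with no mapping.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Sales Team</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement.
    Call this only after the SAML response signature has been verified."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def missing_required_claims(attrs):
    """Required claims that are absent or empty in the user's Azure AD profile."""
    return [c for c in REQUIRED_CLAIMS if not attrs.get(c)]

def customer_tags(attrs, mapping=GROUP_MAPPING):
    """Translate group claim values into customer tags; unmapped groups are ignored."""
    return sorted({mapping[g] for g in attrs.get("groups", []) if g in mapping})
```

A non-empty result from missing_required_claims points at the user's Azure AD profile rather than at the SecurePie mapping, which is the first thing to check for the "Users not seeing attributes" issue.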

Conditional Access Policies

Azure AD Conditional Access allows you to enforce additional security requirements when users access SecurePie.

Require MFA

Create a Conditional Access policy to require multi-factor authentication for the SecurePie enterprise app.

Location-Based Access

Restrict access to specific countries or trusted IP ranges using Named Locations in Azure AD.

Device Compliance

Require devices to be compliant with Intune policies before allowing access to your Shopify store.

Sign-in Risk

Block or require MFA for sign-ins that Azure Identity Protection flags as risky.

Common Issues

AADSTS50011: Reply URL mismatch

The Reply URL in Azure must exactly match the ACS URL in SecurePie. Check for trailing slashes and ensure you're using HTTPS.

AADSTS700016: Application not found

Verify you're using the correct tenant and that the application hasn't been deleted. Check the Application ID matches.

Users not seeing attributes

Ensure the user has the attributes populated in their Azure AD profile. Check the "Edit" view of the user to verify.

Need Help?

Our team has extensive experience with Azure AD integrations and can help you configure advanced scenarios.