Skip to content

Organizations & SSO

Organizations

Organizations group related tenants together and provide shared SSO configuration. For example, a company with separate Milestone instances for different departments can share a single Microsoft Entra ID setup.

Admin portal — Organizations tab

Creating an Organization

  1. Go to the Organizations tab in the admin portal
  2. Click Create Organization
  3. Enter the organization name and admin email
  4. Click Create

Assigning Tenants

After creating an organization, assign tenants to it:

  1. Edit the organization
  2. Select tenants from the dropdown
  3. Save changes

Tenants inherit the organization's SSO configuration automatically.

Microsoft Entra ID (SSO)

Milestone supports enterprise SSO through Microsoft Entra ID (formerly Azure AD).

Prerequisites

  • An Azure AD tenant
  • An App Registration in Azure AD
  • A client secret for the App Registration
  • The redirect URI configured in Azure AD

Azure AD App Registration

  1. Go to Azure Portal > Azure Active Directory > App Registrations
  2. Click New Registration
  3. Set the redirect URI to: https://your-domain.com/t/{slug}/api/auth/callback
  4. Under Certificates & secrets, create a new client secret
  5. Note the Application (client) ID, Directory (tenant) ID, and the client secret value

Configuring SSO in Milestone

Per-Organization (Multi-Tenant):

  1. In the admin portal, go to the Organizations tab
  2. Click the SSO configure button on the organization
  3. Enter:
  4. Client ID — Application (client) ID from Azure
  5. Tenant ID — Directory (tenant) ID from Azure
  6. Client Secret — The secret value
  7. Save configuration

All tenants in the organization will share this SSO setup.

Per-Instance (Single-Tenant):

Configure SSO in the Settings modal within the application, or set environment variables:

SSO_ENABLED=true
SSO_CLIENT_ID=your-azure-app-client-id
SSO_CLIENT_SECRET=your-azure-app-client-secret
SSO_TENANT_ID=your-azure-tenant-id
SSO_REDIRECT_URI=https://your-domain.com/api/auth/callback

SSO Login Flow

  1. User clicks Sign in with Microsoft on the login screen
  2. Redirected to Microsoft's login page
  3. After authentication, redirected back to Milestone with an authorization code
  4. Milestone exchanges the code for tokens and creates/updates the user session
  5. If the user doesn't exist in Milestone, their account is automatically created

Testing SSO

Use the Test Connection button in the SSO configuration modal to verify the setup works before rolling it out to users.

Group-Based Access Control

Restrict tenant access to users who belong to specific Microsoft Entra ID (Azure AD) security groups.

How It Works

  1. In the admin portal, edit a tenant
  2. Under Group Restrictions, add one or more Azure AD Group IDs (GUIDs from your Entra directory)
  3. Choose the membership mode:
  4. Any (default) — User must belong to at least one of the listed groups
  5. All — User must belong to every listed group
  6. Save the tenant configuration

When a user logs in via SSO, Milestone fetches their group memberships from the Microsoft Graph API and validates them against the tenant's requirements. If the user doesn't meet the group criteria, access is denied.

Finding Azure AD Group IDs

  1. Go to Azure Portal > Azure Active Directory > Groups
  2. Click on the group you want to use
  3. Copy the Object ID (a GUID like a1b2c3d4-e5f6-7890-abcd-ef1234567890)

Use Cases

  • Department isolation — Only R&D department members can access the R&D tenant
  • Project-based access — Create an Azure AD group per project team and restrict the tenant accordingly
  • Compliance — Ensure only authorized personnel can access sensitive project data

Note

Group-based access control requires SSO to be configured. It has no effect on local (email/password) authentication.