Inforcer supports SSO integration for multiple tenants with Microsoft 365 using SAML. This allows client administrators to authenticate using their existing Microsoft credentials and self-provision access without needing manual onboarding from an account manager.
By setting up SSO in Inforcer, you ensure that user access to Inforcer inherits the same identity security controls applied within Microsoft Entra ID.
Why SSO Matters
Centralized Identity Management
Users authenticate with their Microsoft 365 credentials, eliminating password sprawl and reducing credential risk.
Stronger Security
SSO enforces Microsoft security controls including:
Multi-Factor Authentication (MFA)
Conditional Access policies
Risk-based sign-in
Identity Protection policies
Access to Inforcer is therefore governed by the same Zero Trust principles protecting the Microsoft tenant.
Seamless User Experience
One login session grants access to:
Microsoft 365 workloads
Inforcer platform
No additional passwords. No duplicate identity stores.
Rapid Deprovisioning
Disable a user in Microsoft 365, and their Inforcer access is immediately revoked.
This ensures proper identity lifecycle management and supports joiner/mover/leaver processes.
Compliance & Auditing
Because authentication is centralized:
Sign-in logs remain in Entra ID
Access is governed by Conditional Access
RBAC aligns to least-privilege principles
Audit trails support regulatory requirements
SSO Setup Overview (SAML)
Full walkthrough:
https://docs.inforcer.com/en/articles/11660249-setup-single-sign-on-sso-between-inforcer-and-microsoft-365-via-saml
Important Design Notes
In the demonstration video:
A security group named inforcer-sso is used to scope access.
This is ideal for tenants with Entra P1/P2 licensing.
For Microsoft 365 Business Standard tenants, assignment must be done per-user (group-based app assignment is a licensing limitation).
Breakglass Access: In my professional opinion, it's best practice to keep one user as an admin and not integrate into SSO. This ensures ease of access if the SAML Certificate expires and users lose access.
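The certificate-expiry lockout mentioned above can be caught before it happens. The following is an added example, not Inforcer or Microsoft code: it assumes you have exported the SSO enterprise application's service principal as JSON from Microsoft Graph (the `keyCredentials` shape is the Graph keyCredential resource), and the sample object, display names and dates are constructed.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph servicePrincipal object.
# Field names follow the Graph keyCredential resource; all values are made up.
SAMPLE_SP = {
    "displayName": "inforcer-sso-app (placeholder)",
    "keyCredentials": [
        {"type": "AsymmetricX509Cert", "usage": "Verify", "displayName": "CN=old",
         "endDateTime": "2025-01-10T00:00:00Z"},
        {"type": "AsymmetricX509Cert", "usage": "Sign", "displayName": "CN=old",
         "endDateTime": "2025-01-10T00:00:00Z"},
        {"type": "AsymmetricX509Cert", "usage": "Verify", "displayName": "CN=current",
         "endDateTime": "2025-06-20T00:00:00Z"},
        {"type": "Symmetric", "usage": "Verify", "displayName": "not a cert",
         "endDateTime": "2030-01-01T00:00:00Z"},
    ],
}

def _parse(ts):
    # Graph timestamps are ISO 8601 UTC with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def cert_report(sp, now, warn_days=30):
    """Return one row per distinct certificate, soonest expiry first."""
    seen, rows = set(), []
    for cred in sp.get("keyCredentials", []):
        if cred.get("type") != "AsymmetricX509Cert":
            continue
        key = (cred.get("displayName"), cred["endDateTime"])
        if key in seen:  # assumption: Sign and Verify entries describe one cert
            continue
        seen.add(key)
        days = (_parse(cred["endDateTime"]) - now).days
        state = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
        rows.append({"cert": cred.get("displayName"), "days_left": days, "state": state})
    return sorted(rows, key=lambda r: r["days_left"])

def sso_at_risk(sp, now, warn_days=30):
    """True when no certificate remains valid beyond the warning window."""
    return not any(r["state"] == "OK" for r in cert_report(sp, now, warn_days))

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for row in cert_report(SAMPLE_SP, now):
        print(row)
    print("SSO at risk:", sso_at_risk(SAMPLE_SP, now))
```

The check does not tell you which certificate is currently active for signing, so confirm that in the application's SAML settings before rotating.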
How to Set Up SSO: Walkthrough
Thinking through RBAC and the Roles:
Microsoft recommends RBAC as a foundational security best practice for all cloud environments, including Microsoft 365.
Think in terms of operational separation:
1️⃣ Architect Role (Administrative)
Intended For:
Security Architects
Senior Engineers
Platform Owners
Capabilities:
Create and modify baselines
Define best practices
Manage tenant configurations
Assign roles to other users
High-level access decisions
This role carries strategic control over policy design and governance.
2️⃣ Engineering Role (Operational)
Intended For:
Day-to-day operations teams
Deployment engineers
Technical support teams
Capabilities:
Align tenants to baselines
Push policies
Review configuration drift
Execute operational changes
Limitations:
Cannot create or modify baselines
Cannot change global architecture decisions
This enforces separation of duties between design and execution.
3️⃣ Read-Only Role (Reporting & Business Visibility)
Intended For:
Technical Account Managers (TAMs)
Sales Engineers
Business Operations
Capabilities:
View configurations
Generate reports
Review compliance posture
Limitations:
No modification rights
No baseline changes
No tenant configuration changes
This enables business insight without operational risk.
Testing out the SSO and discussing RBAC
Creating New RBAC Roles and Modifying Users


