# Modify an existing SSO configuration for Entra ID provisioning

If you enabled single sign-on (SSO) with Devolutions Cloud before January 9, 2023, that configuration is not set up for provisioning with Entra ID. To benefit from this feature, you must create a new configuration with Entra ID that synchronizes your desired ***User groups*** with Devolutions Cloud.

### Create an Enterprise Application in Entra ID and Change the OpenID Configuration

* Since single sign-on authentication is already configured, create a new enterprise application in Entra ID by following the steps in [Configure SSO Authentication with Microsoft Entra ID](https://docs.devolutions.net/cloud/getting-started/get-started-with-sso-in-devolutions-cloud/configure-sso-authentication-microsoft-azure/), then edit the current OpenID configuration in Devolutions Cloud.
* Provisioning with Entra ID must be configured within this new enterprise application.
* After the synchronization is done, verify that all your existing users are flagged as synced and that they are in their respective Azure ***User Groups***. A user who is not flagged as synced is not a member of any Azure group that is part of the enterprise application in Azure.

{% hint style="info" %}
To avoid any downtime during this new setup, you need to complete the configuration in Devolutions Cloud. Once the new values are saved, Microsoft authentication switches to the new enterprise application, and the change should be seamless.
{% endhint %}

### Replace Devolutions Cloud Custom User Groups with Azure User Groups

{% hint style="success" %}
This task can be done whenever you have the opportunity, one group at a time.
{% endhint %}

If you have Devolutions Cloud ***Custom User Groups***, ensure that you have an Azure ***User Group*** that contains the same users.

Once the Azure groups correspond to the custom groups, you can start to replace those custom groups with the Azure groups wherever you assign them in ***System Permissions***, ***Vault Permissions***, and ***Folder/Entry Permissions***.
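One way to check that an Azure group really corresponds to a custom group before swapping it into permissions, and to predict which users will not be flagged as synced, is to compare exported membership lists. This is an added example, not code from Devolutions; it assumes members are exported as sign-in names, and every group name and address in it is constructed sample data.

```python
# Added example: all group names and addresses below are constructed sample data.

def _norm(upn):
    # Assumption: users are matched by sign-in name, compared case-insensitively.
    return upn.strip().lower()

def compare_groups(custom_groups, azure_groups, mapping):
    """For each custom group -> Azure group pair, list who would lose or gain
    access if permissions were switched to the Azure group today."""
    report = {}
    for custom, azure in mapping.items():
        before = {_norm(u) for u in custom_groups.get(custom, [])}
        after = {_norm(u) for u in azure_groups.get(azure, [])}
        report[custom] = {
            "azure_group": azure,
            "azure_group_found": azure in azure_groups,
            "would_lose_access": sorted(before - after),
            "would_gain_access": sorted(after - before),
            "safe_to_replace": azure in azure_groups and before == after,
        }
    return report

def users_without_azure_group(all_users, azure_groups):
    """Users in no Azure group assigned to the enterprise application;
    per the article, these are the ones that will not be flagged as synced."""
    covered = {_norm(u) for members in azure_groups.values() for u in members}
    return sorted(_norm(u) for u in all_users if _norm(u) not in covered)

# Constructed sample exports (hypothetical tenant).
CUSTOM_GROUPS = {
    "Helpdesk": ["alice@example.com", "Bob@example.com"],
    "Vault Admins": ["carol@example.com"],
    "Auditors": ["frank@example.com"],
}
AZURE_GROUPS = {  # only groups assigned to the new enterprise application
    "AZ-Helpdesk": ["alice@example.com", "bob@example.com"],
    "AZ-Vault-Admins": ["carol@example.com", "dave@example.com"],
}
MAPPING = {"Helpdesk": "AZ-Helpdesk", "Vault Admins": "AZ-Vault-Admins",
           "Auditors": "AZ-Auditors"}
ALL_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
             "erin@example.com", "frank@example.com"]

if __name__ == "__main__":
    for name, row in compare_groups(CUSTOM_GROUPS, AZURE_GROUPS, MAPPING).items():
        print(name, row)
    print("not covered:", users_without_azure_group(ALL_USERS, AZURE_GROUPS))
```

A pair is reported as safe to replace only when both membership sets are identical; any name under `would_gain_access` would receive permissions the custom group never granted.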

{% hint style="info" %}
Contact our customer support team at <service@devolutions.net> if you need help.
{% endhint %}


