Microsoft Entra ID
Configure SSO and user provisioning with Microsoft Entra ID (Azure AD)
Integrate Verkada Command with Microsoft Entra ID (formerly Azure AD) for Single Sign-On (SSO) and automated user provisioning.
OIDC SSO: Yes
SAML SSO: Yes
SCIM Provisioning: Yes
ECE Support: Yes
OIDC Single Sign-On
Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Azure Entra. This integration allows users to seamlessly and securely authenticate using their existing Azure Entra credentials.
OIDC is not supported on the Pass app or Desk Station apps.
Azure Entra configuration
Log in to your Azure Entra portal.
Search for and select App registrations.
Click New Registration.
a. Name the application Verkada SSO OIDC.
b. Under Supported account types, select Accounts in this organizational directory only ( only - Single tenant).
c. Under Redirect URI, select Single-page application (SPA) as the platform and add the following callback URLs:
https://command.verkada.com/oidc/aad/callback
https://org-short-name.command.verkada.com/oidc/aad/callback (replace org-short-name with your Command organization's short-name)
Note: Verify there is no trailing slash in the callback URI.
Click Register.
Copy and store your Application (Client) ID and Directory (Tenant) ID in a safe place. You will need them to complete the setup in Verkada Command.
On the left, click Manage > Expose an API.
a. Click Add a scope.
b. Click Save and continue.
c. Enter verkada_ece for the following fields:
Scope name
Admin consent display name
Admin consent description
User consent display name
User consent description
d. Set Who can consent? to Admins and users.
e. Click Add scope.

Verkada Command configuration
In Verkada Command, go to All Products > Admin.
In the left navigation, select Login & Access.
Select Single Sign-On Configuration.
Under OIDC Configuration, click Add New.
a. Toggle on Enable.
b. (Optional) Toggle on Require OIDC SSO.
c. Under Select Provider, select Azure Entra.
d. Under Add Client and Tenant, click the plus (+) icon.
In the Client ID field, paste the Client ID you copied from Azure Entra.
In the Tenant ID field, paste the Tenant ID you copied from Azure Entra.
Click Done.
e. Under Email Domains, click the plus (+) icon.
Enter your domain name (e.g., @verkada.com).
Click Done.

Click Run Login Test.
A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.
Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.
Once your domain is verified, you should see it successfully validated.
SAML Single Sign-On
Verkada Command is registered as a gallery application and can be found within the Microsoft Entra ID marketplace. You can use it with Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 licenses.
To get started, you need your client-ID. Learn how to generate it and configure your email domains, then return to this article to complete the process.
Set up SAML in Microsoft Entra ID
Add Verkada Command as an enterprise application in your Microsoft Entra ID directory: Go to your Microsoft Entra ID overview page and select Enterprise applications.

At the top of the page, select New Application and search for Verkada Command.
Select Verkada Command and click Create.
Be patient as it can take a few minutes to add the application to your Microsoft Entra ID tenant.

On Set up single sign-on, click Get started.

Choose SAML as the single sign-on method.

If necessary, click Edit to further configure your SAML connection.
Configure the following fields. Add your client ID to the end of each URL.
a. For Identifier:
US orgs:
https://vauth.command.verkada.com/saml/sso/<client-ID>
EU orgs:
https://saml.prod2.verkada.com/saml/sso/<client-ID>
AUS orgs:
https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>
b. For Reply URL:
US orgs:
https://vauth.command.verkada.com/saml/sso/<client-ID>
EU orgs:
https://saml.prod2.verkada.com/saml/sso/<client-ID>
AUS orgs:
https://saml.prod-ap-syd.verkada.com/saml/sso/<client-ID>
c. For Sign on URL:
US orgs:
https://vauth.command.verkada.com/saml/login/<client-ID>
EU orgs:
https://saml.prod2.verkada.com/saml/login/<client-ID>
AUS orgs:
https://saml.prod-ap-syd.verkada.com/saml/login/<client-ID>

Click Save.
On Attributes & Claims, click Edit and configure the claims to be consistent with these attributes:

On SAML Signing Certificate, click Download to save the Federation Metadata XML for later.
If you use a different source attribute for email, configure the attributes according to the source attribute you want to use.
Upload your Federation Metadata XML in Command
After you have completed the steps in Microsoft Entra ID and downloaded the metadata, upload the XML metadata file in Command.
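Before uploading, the downloaded metadata file can be checked to confirm that it belongs to your tenant and to record the signing certificate fingerprint for later comparison. The following is an added example, not Verkada or Microsoft code; the sample metadata, tenant ID and certificate bytes are constructed placeholders, and the check assumes the IdP's entityID embeds the tenant ID.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the tenant ID and certificate bytes are placeholders.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CERT = base64.b64encode(b"constructed-placeholder-certificate").decode()
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def inspect_metadata(xml_text, expected_tenant_id):
    """Return (summary, problems) for a SAML IdP metadata document."""
    root = ET.fromstring(xml_text.strip())
    entity_id, urls, prints, problems = root.get("entityID", ""), [], [], []
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor element")
    else:
        urls = [e.get("Location", "") for e in idp.findall(f"{MD}SingleSignOnService")]
        for key in idp.findall(f"{MD}KeyDescriptor"):
            if key.get("use") in (None, "signing"):  # 'use' is optional
                for cert in key.iter(f"{DS}X509Certificate"):
                    der = base64.b64decode("".join((cert.text or "").split()))
                    prints.append(hashlib.sha256(der).hexdigest())
    # Assumption: the IdP's entityID embeds the tenant ID, as in the sample above.
    if expected_tenant_id.lower() not in entity_id.lower():
        problems.append("entityID does not contain the expected tenant ID")
    if not urls or any(not u.startswith("https://") for u in urls):
        problems.append("missing or non-HTTPS SingleSignOnService location")
    if not prints:
        problems.append("no signing certificate found")
    return {"entity_id": entity_id, "sso_urls": urls, "cert_sha256": prints}, problems
```

To check a real download, pass the file's text and your Directory (Tenant) ID to inspect_metadata and review the returned problems list before uploading.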
Test the SAML Connection
Once the file is uploaded, in your Microsoft Entra ID, click Test to test the integration.

Log in with Sign in as current user. If everything is set up correctly, you should be redirected to the Command platform.
Log in with single sign-on to verify access to Command.
Microsoft Entra ID does not support nested groups for app access at this time. All users must be direct members of groups for assignment.
Log in via the mobile application
In the email address field, enter your email and click Next. You should be redirected to your IdP (Microsoft Entra ID) to complete the login process.
SCIM User Provisioning
Verkada Command integrates with Microsoft Entra ID using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.
SCIM synchronizes users and groups from Microsoft Entra ID directly into Command. This lets you:
Retain Microsoft Entra ID as your central IdP
Automatically update users and groups in Command as changes occur in Entra ID
Assign and manage permissions in Command using your existing identity structure
Generate SCIM token in Command
In Verkada Command, go to All Products > Admin.
Under Org Settings, select Login & Access & Logs > SCIM Users Provisioning.
Click Add Domain, and enter all relevant email domains you plan to use with SCIM.
This generates a SCIM token, which is viewable only once.
a. Click Copy and store the token in a secure place.
b. Click Refresh to generate a new token if needed.
Configure SCIM in Microsoft Entra ID
From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.
In the Create your own application side panel, type the application's name, select the non-gallery application, and click Create.

Under Provision User Accounts, click Get started.

Select Manage > Provisioning.
On the provisioning page:
a. Set the Provisioning Mode to Automatic.
b. Set the Tenant URL:
US orgs:
https://api.command.verkada.com/scim
EU orgs:
https://scim.prod2.verkada.com/scim
AUS orgs:
https://scim.prod-ap-syd.verkada.com/scim
c. Fill in the SCIM token from Command as the secret token.

Click Test Connection. You should see a confirmation that the SCIM connection is successful.

Click Save.
Configure group attributes
In the Entra ID portal, click to expand the Mappings dropdown, and select Provision Microsoft Entra ID Groups.

Configure your mappings to match this screenshot:

Note: The externalId attribute is added by default. Remove this attribute to avoid issues.
(Optional) If you need to add a mapping:
a. Click Add New Mapping > select the Source attribute.
b. Set the Target attribute to match.
c. Click OK.
Click Save and confirm changes.
At the top, select Provisioning to return to the Provisioning page.
Configure user attributes
In the Entra ID portal, click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Users.
Update your mappings to match the attribute table below.
Note: The Switch attribute under Microsoft Entra ID Attribute is added as an Expression mapping type:
Click Save to confirm the changes.
At the top, select Provisioning and toggle on Provisioning Status.

Adjust the scope as needed:
Sync all users and groups
Sync only assigned users and groups
Verify that users are assigned to the application. After the initial provisioning cycle:
a. You should see the total users and groups provisioned under Overview.
b. In Command, users and groups appear with the SCIM Managed tag.

Delete SCIM-managed users
When a SCIM-managed user is deactivated in your identity provider, you can remove them from Command in two ways:
Delete the user – Moves to Deleted Users page, keeps historical records
Permanently remove the user – Erases all roles, credentials, access logs, and data
You must deactivate the user in your IdP before either deletion option is available in Command.
Add access credentials (optional)
Log in to your Azure portal.
Search for and select Enterprise Applications.
Select your Verkada SCIM application.
On the left panel, click Manage > Provisioning.
Expand the Mappings submenu and select Provision Microsoft Entra ID Users.
At the bottom, click Show advanced options > Edit attribute list for customappsso.
Add the attributes from the table below, then click Save.
Go back to Provision Microsoft Entra ID Users and select Add New Mapping.
Use extensionAttributes 1-5 as Source Attributes and map them to Card Format, Card Number, Card Number Hex, Credential Status, and Facility Code.
Credential attributes (name, type):
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat, String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber, String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex, String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus, String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode, String
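The credential attribute names use SCIM's notation of a schema URN followed by an attribute name, so in a provisioned user resource they become keys of one extension object. The following is an added example, not Verkada or Microsoft code: it builds that user body and checks that a mapping covers all five names. It assumes extensionAttribute1-5 map to the fields in the order listed and that the provisioning client serializes extension attributes this way; the user name and values are constructed.

```python
VERKADA_EXT = "urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Target attribute names exactly as listed on this page.
TARGETS = [f"{VERKADA_EXT}:{name}" for name in (
    "cardFormat", "cardNumber", "cardNumberHex", "credentialStatus", "facilityCode")]

# Assumption: extensionAttribute1..5 map to the targets in the listed order.
MAPPING = {f"extensionAttribute{i}": t for i, t in enumerate(TARGETS, start=1)}

# Constructed directory values for one user (not real credential data).
SAMPLE_SOURCE = {
    "extensionAttribute1": "constructed-format",
    "extensionAttribute2": "12345",
    "extensionAttribute3": "",  # unset in the directory
    "extensionAttribute4": "constructed-status",
    "extensionAttribute5": "7",
}

def split_target(path):
    """Split '<schema URN>:<attribute>' at the last colon."""
    schema, _, attr = path.rpartition(":")
    return schema, attr

def build_scim_user(user_name, source_values, mapping=MAPPING):
    """Build the user resource a SCIM client would send on create."""
    body = {"schemas": [CORE_USER], "userName": user_name, "active": True}
    for source, target in mapping.items():
        value = source_values.get(source)
        if value in (None, ""):
            continue  # unset source attribute: emit nothing for this target
        schema, attr = split_target(target)
        body.setdefault(schema, {})[attr] = str(value)  # all five are String
        if schema not in body["schemas"]:
            body["schemas"].append(schema)
    return body

def unmapped_targets(mapping=MAPPING):
    """Return listed credential attributes that no source attribute feeds."""
    return sorted(set(TARGETS) - set(mapping.values()))
```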

