Microsoft Entra ID
Configure SSO and user provisioning with Microsoft Entra ID (Azure AD)
Depending on your use case, Verkada Command has the ability to integrate with Microsoft Entra ID, amongst other Identity Providers [IdPs], in the following capacities:
Security Assertion Markup Language (SAML)
System for Cross-Domain Identity Management (SCIM)
SAML handles the authentication side of things, allowing Microsoft Entra ID to be used to manage access to Command, the same way it is used to manage access to other Software as a Service (SaaS) applications already integrated into your Microsoft Entra ID tenant. This means you can incorporate Command into your existing identity framework and authorize users according to your current policies.
SCIM allows you to leverage your existing users and groups in Microsoft Entra ID and synchronize them with Command. This allows you to retain the current central IdP and configure permissions in Command using your existing users and groups.
Verkada recommends OIDC over SAML for enhanced security and easier configuration. OIDC also enables Enterprise Controlled Encryption.
OIDC Based SSO for Microsoft Entra ID
Verkada Command supports Single Sign-On (SSO) through OpenID Connect (OIDC) with Microsoft Entra ID. This integration allows our users to seamlessly and securely authenticate using their existing Microsoft Entra ID credentials, streamlining access to Command and enhancing overall security.
OIDC is not supported on Desk Station apps.
Enable Enterprise Controlled Encryption (ECE) for enhanced security.
Microsoft Entra ID configuration
Log in to your Microsoft Entra ID portal.
Search for and select App registrations.
Click New Registration.
a. Name the application Verkada SSO OIDC. b. Under Supported account types, select Accounts in this organizational directory only ( only - Single tenant). c. Under Redirect URI, select Single-page application (SPA) as the platform and add the following callback URLs:
https://org-short-name.command.verkada.com/oidc/aad/callback (replace org-short-name in the URI with your Command organization's short-name.)
Verify there is no trailing slash in the callback URI.
Click Register.
Copy and store your Application (Client) ID and Directory (Tenant) ID in a safe place. You will need them to complete the setup in Verkada Command.
On the left, click Manage > Expose an API.
a. Click Add a scope. b. Click Save and continue. c. Enter verkada_ece for the following fields:
Scope name
Admin consent display name
Admin consent description
User consent display name
User consent description
d. Set Who can consent? to Admins and users. e. Click Add scope.
Verkada Command configuration
In Verkada Command, go to All Products > Admin.
In the left navigation, select Login & Access.
Select Single Sign-On Configuration.
Under OIDC Configuration, click Add New.
a. Toggle on Enable. b. (Optional) Toggle on Require OIDC SSO. c. Under Select Provider, select Microsoft Entra ID. d. Under Add Client and Tenant, click :plus:.
In the Client ID field, paste the Client ID you copied from Microsoft Entra ID.
In the Tenant ID field, paste the Tenant ID you copied from Microsoft Entra ID.
Click Done.
e. Under Email Domains, click :plus:.
Enter your domain name present (e.g., @verkada.com).
Click Done.
Click Run Login Test.
A successful login test should redirect to the OIDC configuration page. Once you're logged in, add the domain that you need to whitelist.
Once your domain is added, run the login test again. SSO will not be enabled until this second login test successfully completes.
Once your domain is verified, you should see it successfully validated.
Microsoft Entra ID SAML Integration
Set up SAML in Microsoft Entra ID
Verkada Command is registered as a gallery application and can be found within the Microsoft Entra ID marketplace; in other words, you can leverage it with Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 licenses.
To get started, you need your client-ID. Learn how to generate it and configure your email domains, then return to this article to complete the remainder of this process.
Add Verkada Command as an enterprise application in your Microsoft Entra ID directory: Go to your Microsoft Entra ID overview page and select Enterprise applications.
At the top of the page, select New Application and search for Verkada Command.
Select Verkada Command and click Create. Be patient as it can take a few minutes to add the application to your Microsoft Entra ID tenant.
Once the page refreshes, you should see a similar menu (as shown below).
On Set up single sign-on, click Get started.
Choose SAML as the single sign-on method.
If necessary, click Edit to further configure your SAML connection.
Configure the following fields. You need to add your client ID to the end of each URL before adding them to Microsoft Entra ID. See example below the note.
a. For Identifier: For US orgs: https://vauth.command.verkada.com/saml/sso For EU orgs: https://saml.prod2.verkada.com/saml/ssoFor AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso
b. For Reply URL: For US orgs: https://vauth.command.verkada.com/saml/sso For EU orgs: https://saml.prod2.verkada.com/saml/sso For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso
c. For Sign on URL: For US orgs: https://vauth.command.verkada.com/saml/login For EU orgs: https://saml.prod2.verkada.com/saml/login For AUS orgs: https://saml.prod-ap-syd.verkada.com/saml/sso
To confirm which region you're located, please refer to where your organization was created for Verkada.
Click Save.
On Attributes & Claims, click Edit to be consistent with these attributes:
If you use a different source attribute for email, configure the attributes according to the source attribute you want to use.
On SAML Signing Certificate, import this Federation Metadata XML into Command.
Click Download to save for later.
The next dialogs that appear will contain tools you can use after the integration is finalized.
Continue to Verkada Command to complete the configuration.
Test the SAML connection in Microsoft Entra ID
Once the file is uploaded, in your Microsoft Entra ID, click Test to test the integration. A notification will be sent to all users who have a Command account (invitation to org).
Log in with Sign in as current user. If everything is set up correctly, you should be redirected to the Command platform.
Log in with single sign-on to verify access to Command.
Microsoft Entra ID does not support nested groups for app access at this time. All users must be direct members of groups to be assigned.
Log in via the mobile application
The Android and iOS Command apps support SAML-based login.
Open your Command app.
In the email address field, enter your email and click Next.
You should be redirected to your IdP (Microsoft Entra ID) to complete the login process.
Microsoft Entra ID SCIM Integration
Verkada Command integrates with Microsoft Entra ID using System for Cross-Domain Identity Management (SCIM) for automated user and group provisioning.
SCIM synchronizes users and groups from Microsoft Entra ID directly into Command. This lets you:
Retain Microsoft Entra ID as your central IdP.
Automatically update users and groups in Command as changes occur in Entra ID.
Assign and manage permissions in Command using your existing identity structure.
If your organization uses SCIM, phone numbers can only be provisioned through SCIM. You will not be able to edit your phone number directly in Command.
SCIM in Microsoft Entra ID configuration
Before you configure SCIM in Microsoft Entra ID, you need to generate your secret token in Command.
In Verkada Command, go to All Products > Admin.
Under Org Settings, select Login & Access & Logs > SCIM Users Provisioning.
Click Add Domain, and enter all relevant email domains you plan to use with SCIM.
This generates a SCIM token, which is viewable only once.
a. Click Copy and store the token in a secure place to use later in the configuration. b. Click Refresh to generate a new token if you did not copy your token or it is not visible.
From the Microsoft Entra ID homepage, select Enterprise applications > New application > Create your own application.
In the Create your own application side panel, type the application's name, select the non-gallery application, and click Create.
Under Provision User Accounts, click Get started.
Select Manage > Provisioning.
On the provisioning page:
a. Set the Provisioning Mode to Automatic. b. Set the Tenant URL as:
For US orgs: https://api.command.verkada.com/scim
For EU orgs: https://scim.prod2.verkada.com/scim
For AUS orgs: https://scim.prod-ap-syd.verkada.com/scim
To confirm which region you're located in, refer to where your organization was created for Verkada.
f. Fill in the SCIM token generated in Verkada Command (step 2) as the secret token.
Click Test Connection. You should see a confirmation that the SCIM connection is successful.
Click Save.
Configure attributes for Microsoft Entra ID groups
In the Entra ID portal, click to expand the Mappings dropdown, and select Provision Microsoft Entra ID Groups.
Configure your mappings to match this screenshot of the data table:
The externalId attribute is added by default. Remove this attribute to avoid issues with the configuration.
(Optional) If you need to add a mapping:
a. Click Add New Mapping > select the Source attribute to match the Microsoft Entra ID attribute above. b. Set the Target attribute to match the customappsso attribute above. c. Click OK.
Click Save and confirm changes, if necessary.
At the top of the page, select Provisioning to return to the Provisioning page.
Configure attributes for Microsoft Entra ID users
In the Entra ID portal, click to expand the Mappings dropdown, then select Provision Microsoft Entra ID Users to change the user mappings.
Update your mappings to match the attribute table below.
The Switch attribute under Microsoft Entra ID Attribute is added as an Expression mapping type.
Switch([IsSoftDeleted], "False", "True", "True", "False")
userName
userPrincipalName
active
Switch([IsSoftDeleted], , "False", "True", "True", "False")
title
jobTitle
name.givenName
givenName
name.familyName
surname
phoneNumbers[type eq "work"].value
telephoneNumber
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
employeeId
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization
companyName
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
department
urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter
costCenter
Source Attribute is the Microsoft Entra ID Attribute, and Target Attribute is the customappsso Attribute. If any of the customappsso attributes are not available as Target Attributes, you may need to add them to your Microsoft Entra ID platform as options. To do so, check the Show advanced options box and click Edit attribute list for customappsso.
SCIM-managed users no longer have the option to edit their phone number in Command; instead, they can only be provisioned via SCIM. On the IDP side, you can set up your attribute mapping such that any field in your IDP instance maps to the phone number field in Command. You can also set it up such that the no field in the IDP maps to the phone number field in Command. However, even in this case, phone numbers remain locked in Command and can only be edited via SCIM.
Click Save to confirm the changes.
At the top, select Provisioning and toggle on Provisioning Status.
Depending on the requirements, adjust the scope to one of the required options:
Sync all users and groups.
Sync only assigned users and groups.
Ensure users and groups are assigned to the enterprise application under Users and Groups. Those assigned are the ones provisioned and present in Command.
Verify that users are assigned to the application. Once the initial provisioning cycle has elapsed:
a. You should see the total number of users and groups that have been provisioned successfully under Overview. b. In Command, you should see these users and groups populated with the associated SCIM Managed tag. These synchronized users and groups can now be used in Command and assigned permissions to control access to the Command platform.
Delete SCIM-managed users from Command
When a SCIM-managed user is deactivated in your identity provider, you can remove the user from Command in two ways:
Delete the user – The account moves to the Deleted Users page but keeps historical records, roles, and permissions.
Permanently remove the user – All roles, credentials, access logs, and associated data are erased. If the user is re-provisioned via SCIM, Command creates a new user record.
You must deactivate the user in your identity provider (IdP) before either deletion option is available in Command.
(Optional) Add access credentials to SCIM users
Log in to your Azure portal.
In the search bar, type and select Enterprise Applications.
Select your Verkada SCIM application.
On the left panel, click Manage > Provisioning.
Expand the Mappings submenu and select Provision Microsoft Entra ID Users.
At the bottom, click Show advanced options > Edit attribute list for customappsso.
a. Add the attributes from the table below. b. Click Save.
Go back to Provision Microsoft Entra ID Users and select Add New Mapping.
a. Use extensionAttributes 1-5 as Source Attributes and map them to the new attributes created for Card Format, Card Number, Card Number Hex, Credential Status, and Facility Code as the target attributes.
Reference Acceptable Card Formats for accepted card formats and their associated facility code, card number, and/or card number hex lengths.
Credential Status can be "active", "deactivated", or "deleted"
Click Save.
b. To sync a department identifier, add a new mapping with your desired source attribute (e.g., department or a custom extension attribute) and set the target attribute to costCenter (urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter). This syncs a department ID value to Command.
Attribute table
Name
Type
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardFormat
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumber
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:cardNumberHex
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:credentialStatus
String
urn:ietf:params:scim:schemas:extension:verkada:access:2.0:User:facilityCode
String
urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:costCenter
String
Edit the App Registration
Every SCIM enabled Enterprise Application created on Entra AD typically requires its own App Registration.
In the search bar, type and select App registrations.
Switch to the All Applications tab and search for the name of your Verkada SCIM application.
On Overview, note your App Registration's Application (client) ID and Directory (tenant) ID. You will need these later to configure credentials for your Command application from your app registration.
On the left navigation, click Manage.
a. Under Certificates & secrets:
Click New client secret.
Set the Description to "Verkada SCIM Credentials" and set your preferred certificate expiration date.
Copy and store the value displayed in the Value of the new Client Secret created. This will only be displayed once.
e. Under API Permissions:
Click Add Permissions > Microsoft Graph.
Select Application Permissions and search for "User.ReadWrite.All".
Check the box to assign the permissions.
Click Add Permissions.
To avoid having to manually review and approve all stage changes communicated between Microsoft Entra ID and your Command application, select Grant admin consent for Default Directory.
Refer to this list of credentials for acceptable card formats.
Access and update your credentials
To set the extension attributes and the credential information for a particular user, use the Graph API instructions at: https://learn.microsoft.com/en-us/graph/extensibility-overview.
Setting the credentialStatus attribute to active when setting up a credential for a user is necessary to successfully sync credentials with Command. Where credential status (credentialStatus) is extensionAttribute4.
Example:
Sync External ID to Verkada
The externalId field allows you to assign a persistent, globally unique identifier to your users through Microsoft Entra that Verkada can reference across integrations. This is especially useful for large enterprise environments where users may need to be disambiguated across systems, or where syncing credentials (e.g., access cards) must be tied to a unique identity key. Verkada supports receiving and storing this value as part of its SCIM user schema. The field is case-sensitive and is typically configured to accept a string value from a designated attribute in your Microsoft Entra instance. This feature supports advanced workflows such as custom credential management, employee lifecycle automation, and consistent user mapping across orgs.
Map externalId from Azure to Verkada
To sync a custom externalId value from Microsoft Entra ID (Azure) to Verkada, follow these steps:
Log in to your Azure portal.
In the search bar, type and select Enterprise Applications.
Select your Verkada SCIM application.
On the left panel, click Manage > Provisioning.
Expand the Mappings submenu and select Provision Microsoft Entra ID Users.
Scroll to the bottom and click Show advanced options > Edit attribute list for customappsso.
Add the following new attribute:
urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId
Type: String
Case-sensitive: Yes
Click Save.
Go back to Provision Microsoft Entra ID Users and click Add New Mapping.
For Source Attribute, select the field from Azure AD where your external ID is stored (e.g., extensionAttribute1, employeeId, etc.).
For Target Attribute, use: urn:ietf:params:scim:schemas:extension:verkada:core:2.0:User:externalId
Click OK and then Save.
Once provisioned, the external_id value will be stored in the user's SCIM record within Verkada. This provides users with a flexible, API-queryable ID that remains unique to their org and fully under their control, without being tied to Verkada's internal identifiers or exposed in the user interface.
Prefer to see it in action? Check out the video tutorial.
Last updated
Was this helpful?