Read FAQ
Bitrix24 Support
Registration and Authentication
How to start
My Profile
CoPilot - AI in Bitrix24
Tasks and Projects
Contact Center
Sales Center
CRM Analytics (beta)
BI Builder
Sales Intelligence
Inventory Management
Online Store (beta)
CRM + Online Store
CRM Store (beta)
e-Signature for HR
Knowledge base (beta)
Desktop App
General questions
Bitrix24 On-Premise
Log In
Your Bitrix24
Authorize to enter
your company's Bitrix24.


Configure single sign-on for Bitrix24 users

We have added the ability to create a single sign-on system for Bitrix24 enterprise plans.

Now you can quickly add all colleagues to Bitrix24 account and manage their access from Microsoft Azure Active Directory. Employees will log in to Bitrix24 without entering a password.

To connect single sign-on, you need to perform several steps.

First, the administrator needs to run the setup in Bitrix24, register the application with Azure AD, and configure SSO and SCIM.

After that, employees will be able to use their Azure AD accounts to log in to Bitrix24.

What is Microsoft Azure Active Directory, SSO and SCIM:

  • Microsoft Azure Active Directory (Azure AD) is a system for managing access to applications and services in the cloud. You can set up a single sign-on entry point for users so that they can access multiple applications and services from a single account.

    Read more information here.

  • Single sign-on (SSO) is a technology that allows users to log in to several different applications or sites. Employees do not need to remember passwords for each application. They can quickly access services using just one name and one password.

    Read more information here.

  • System for Cross-domain Identity Management (SCIM) is a standard protocol that allows you to manage user accounts and their access to resources in applications and systems. With SCIM, administrators can quickly and easily create, modify, and delete user accounts and manage access to resources in applications and systems.

    Read more information here.

We will consider all the steps to set up single sign-on:

During the setup, follow the instructions, so that employees do not lose access to Bitrix24 after enabling SSO. We recommend that you test the single sign-on system beforehand. To do this, create a free Bitrix24 and configure SSO there.

Configure single sign-on for employees

Open Bitrix24 profile and click the Security tab - SSO and SCIM - Configure now.

Only the Bitrix24 administrator can configure a single sign-on. Ensure your account administrators either are Bitrix24 partners or have a corporate email on Azure Active Directory.

When a user is deactivated, it signifies their dismissal from your account. Activating a user corresponds to hiring them in Bitrix24. If you dismiss an administrator, they will lose their admin rights. You will need to re-grant them if you decide to rehire this user.

Create a SAML application in the Microsoft Azure and configure ACS URL / SP Entity ID

Go to your Microsoft Azure account or create a new one. Open the Azure Active Directory section.

Go to the Enterprise applications and click New Application.

Create your own application, specify a name, select the Integrate any other application you don't find in the gallery (Non-gallery) option and click Create.

When the application is created, go to the Assign users and groups section.

Click Add user/group and specify yourself as a user.

Open your profile and make sure that you have your email address listed in the Contact info section. Otherwise, you may have problems logging in to the account.

Read more information in the article: Add or delete users using Azure Active Directory.

Then go to the single sign-on section.

Select the SAML single sign-on method.

Click Edit in the SAML Basic Configuration block.

Then open the Bitrix24 account and copy the ACS URL and SP Entity ID fields.

Go back to Microsoft Azure and add the ACS URL value into the Reply URL (Assertion Consumer Service URL) field and SP Entity ID into the Identifier (Entity ID) field. Then click Save.

Then go back to the Bitrix24 account and click Continue.

Enter the service URL and run validation

Copy the App Federation Metadata URL field on the Microsoft Azure side.

Enter the App Federation Metadata URL for Bitrix24 to synchronize all data for proper SSO operation and click the Check now button.

The Connection established message will appear. If you configure SSO and SCIM in the incognito mode or in a different browser, you will need to re-enter Microsoft Azure.

Possible errors

You cannot log in

If you get this error during the check, make sure that you have added yourself as an application user.

Checking employee email domains

You should configure synchronization of users from Microsoft Azure. Copy the Microsoft Azure service link and the Unique Token.

Open the Provision User Accounts tab in the app.

Select Automatic Provisioning Mode and enter the administrator credentials.

Use data from Bitrix24 for the Tenant URL and Secret Token fields.

After that, click the Test Connection button and Save the settings.

Select Edit attribute mappings in the Manage provisioning section.

Disable Provision Azure Active Directory Groups and enable Provision Azure Active Directory Users in the Mappings section.

Remove unnecessary fields in the user settings.

Click the Add New Mapping button to add a new objectId field.

Save the changes.

Return to the Provision User Accounts section and click the Start Provisioning button to enable synchronization and automatically add new users to the account.

Microsoft Azure synchronizes new users every 40 minutes. If you need to add a new user to the account urgently, click Provision on Demand and select the user.

Go back to the Bitrix24 account, enter domains to check and start checking.

Domains should be corporate, and employees should be linked to them. You can view the primary domain in Microsoft Azure on the main service page. If some emails do not have the corporate domain, such users will not be able to log in to the account when single sign-on is enabled.

You may see a notification that some employees have emails not in the corporate domain. In this case, you need to tell employees in advance about the new single sign-on system and correct emails. To do this, click the View button.

You will see a list of all employees who need to correct their emails. Click Edit to open the profile and edit the email. Click the Allow button, if you are sure that this employee no longer works with you and does not need access to the account.

When you change the email domain, click Next.

Select a department to add new employees to when you create new profiles in Microsoft Azure.

Configure mobile platforms: iOS and Android

At this step, you need to configure the ability to log in to Bitrix24 via the mobile application. First, copy the Bundle ID field.

Then go back to Microsoft Azure, open the App registrations section - All Applications, and open your app.

Go to the Authentication section, click Add a platform, and select iOS or macOS.

Fill in the Bundle ID field and click Configure.

Then copy the Redirect URI.

Go back to the Bitrix24 account, fill in the Redirect URI field and click Continue.

Copy the Package name and Signature hash fields. Open Microsoft Azure and repeat the steps to configure the Android app.

Fill in the Packet name and Signature hash fields with data from Bitrix24 and click Configure.

Copy the MSAL Configuration field.

Go back to the Bitrix24 account and paste the data from AzureAD into the MSAL Configuration field.

Test single sign-on and enable it for all employees

To make sure that the single sign-on works correctly, perform a self-check in your browser according to the instructions.

First, open the link in the incognito mode.

If you open the link in the next window, you will see an error.

Note that Bitrix24 has been migrated to SSO and log in with the new data. You will see a message that the test was successful.

You can enable single sign-on for all employees or cancel the setting.

Before enabling single sign-on for all employees, be sure to tell them about the new single sign-on system. Send detailed instructions by email so that once SSO is enabled, every employee knows how to sign in.

Once you enable SSO, you cannot disable it on your own. So if you need to disable SSO, we recommend that you contact technical support for help.

Was this information helpful?
Integration specialist assistance
That's not what I'm looking for
Complicated and incomprehensible text
The information is outdated
It's too short. I need more information
I don't like the way this tool works
Go to Bitrix24
Don't have an account? Create for free
Related articles
How to disable single sign-on