# Configure Azure Active Directory with Frontline

## Create an application

In the [Microsoft Azure Portal](https://portal.azure.com/), select or search for *Azure Active Directory*, then select **Enterprise Applications** from the left navigation bar.

![Navigation menu with Enterprise applications highlighted.](https://docs-resources.prod.twilio.com/b7af115b0af3c18b25053f5cfae72efab3c79c6402920be77dc840b8c862edde.png)

Select **+ New Application** and choose **Create your own application**. Give your application a name.

![Text box with 'FrontlineSSO Setup' entered for app name.](https://docs-resources.prod.twilio.com/062cbff595f8d067ac67c93447179bd55b24459cc41d06a06245ace95940a69e.png)

Click the **Create** button.

## Configure your application

Once your application has been created, select **Single sign-on** from the Application menu and pick **SAML** as the sign-on method.

![Select SAML for secure authentication in single sign-on setup.](https://docs-resources.prod.twilio.com/af20efb8aeba82f218443bba9221cb724ce4e0ac13104ae66146e0b04d5b5b2f.png)

Select **Basic SAML Configuration** and click **Edit**.

![Basic SAML configuration with required fields for Identifier and Reply URL.](https://docs-resources.prod.twilio.com/305269d4e3e2a1e1fd072af2bc8f900d0cd83886b3603696a441e55781210f96.png)

Edit settings as follows:

* Set your **Identifier** (Entity ID) to `https://iam.twilio.com/v2/saml2/metadata/JBxxx`. Remember to replace `JBxxx` with your Twilio Realm SID, which you can find on the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).
* Set your **Reply URL** (Assertion Consumer Service URL) to `https://iam.twilio.com/v2/saml2/authenticate/JBxxx`. Remember to replace `JBxxx` with your Twilio Realm SID, which you can find on the [Frontline Console SSO configuration page](https://www.twilio.com/console/frontline/sso).

![Basic SAML configuration with fields for Identifier and Reply URL, including default Twilio URLs.](https://docs-resources.prod.twilio.com/d438d5ac24dc1d12d8fbcf586e6a9a7fe6054fc45e24c3112caff1db9454e1f3.png)

Click **Save**.

In section 3, **SAML Signing Certificate**, click **Edit** and change the **Signing Option** to **Sign SAML response and assertion**. Leave **SHA-256** as the **Signing Algorithm**.

![SAML certificate details with download links and FrontlineSSO setup for Azure AD.](https://docs-resources.prod.twilio.com/59955d51f8f02687e762aa28b09bcadcc43782be28343b0789fbfe917bd7bd33.png)

Click **Save**.

## Configure Claims

From the **Enterprise Applications** section of the Azure website, click the FrontlineSSO Setup app and click the **Single Sign-On** heading in the left navigation bar, then click **Edit** on **Attributes & Claims**.

Add the following claims using **Attributes** as the source.

![Table showing required claim 'user.mail' and additional claim 'roles' with values.](https://docs-resources.prod.twilio.com/d7ad78edee5521424179546fbe52bdfa6c303bf87d2a6107d3a53edf747ac543.png)

Click **Save**.

## Save Application information and copy Application details

![SAML Signing Certificate and setup information.](https://docs-resources.prod.twilio.com/13cd386bfccdce65a0c7fb4dc498c99845ea0b70d1f9f1e4e230f9b808190f3b.png)

1. Download the Base64 Certificate - this will be added to the Twilio Frontline Console as **X.509 Certificate**.
2. Make a note of the **Login URL** - this is the **Single Sign-On URL** in the Frontline Console.
3. Make a note of the **Azure AD identifier** - this is the **Identity Provider Issuer** in the Frontline Console.

## Configure roles

In **Azure Active Directory**, navigate to **App Registrations > All applications**. Click on your app (e.g. FrontlineSSO Setup) and go to the **App roles** heading in the left navigation bar.

![FrontlineSSO Setup menu with App roles highlighted.](https://docs-resources.prod.twilio.com/2d4d59a202c7a570ef7a8c3cbc253f738e3f4fdd8c83f8640632ab79f3ea3516.png)

Click the **User** display name and add the Frontline-specific app role.

![Table showing app roles with display names, descriptions, member types, values, IDs, and states.](https://docs-resources.prod.twilio.com/5fa30a92b0ceaa5db806dc3bf9075c568c4e0621e282c060d380a29448ac2219.png)

Replace the display name with **Agent**, select **Users/Groups** as allowed member types, add **agent** as a value and **a Frontline user** as a description.

Click on the checkbox to enable this App role. Click **Apply** to save the changes.

![Form to edit app role with fields for display name, member types, value, and description.](https://docs-resources.prod.twilio.com/6f732680e06786d1dca4f8b4235396e7213127a7cb3033419bc19497b0352b53.png)

## Ensure Users in the Directory are assigned to the Application

Navigate back to your Application Overview page, and select **Users and Groups**. Click **+ Add user/group**.

In the Add Assignment page, click **Users and groups** and select the user you want to assign to the application. Click **Select**.

Then, click **Select a role** and click on **agent**. Next, click **Select**, then **Assign**.

![User list showing display name, object type, and assigned role as agent.](https://docs-resources.prod.twilio.com/a5743e69e77190e6c1d8e4a5a863c68e14255eb5797ef8013a96facf53f02f3b.png)

Please ensure that you have users assigned to your Application.

## Configure Frontline with your new SAML credentials

Use the details gathered in the [Save Application information and copy details](/docs/frontline/sso/azure-ad#save-application-information-and-copy-application-details) section and add them to your SSO configuration on the [Frontline Configure single sign-on page](https://console.twilio.com/us1/develop/frontline/manage/single-sign-on?frameUrl=%2Fconsole%2Ffrontline%2Fsso%3Fx-target-region%3Dus1) in the Twilio Console.

![Form to configure single sign-on for Twilio Frontline with fields for Workspace ID, Realm SID, SSO URL, and X.509 Certificate.](https://docs-resources.prod.twilio.com/f243076913493b0fe0d38afddbe11e3514c8f68716ed50c48d208584d7ca66e2.png)

Now, you should be able to log into Frontline using Azure Active Directory (Azure AD) as the Identity provider 🎉
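To confirm the settings above took effect, the following added example (not Twilio's or Microsoft's code) inspects a decoded SAML response from a test sign-in for the signing option, Reply URL, Identifier and `agent` role configured in this guide. It checks structure only and does not verify signatures cryptographically. Assumptions: the function names are hypothetical, the claim name `roles` is taken from the claims screenshot, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
BASE = "https://iam.twilio.com/v2/saml2"  # URL prefix used in this guide

def check_response(xml_text, realm_sid, role="agent"):
    """List mismatches between a decoded SAMLResponse and this guide's settings."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in Response"]
    problems = []
    # "Sign SAML response and assertion": each needs its own direct Signature child.
    for label, node in (("Response", resp), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        elif method.get("Algorithm") != RSA_SHA256:
            problems.append(f"{label} signature is not RSA-SHA256")
    # Reply URL (ACS) and Identifier (Entity ID) both end in the Realm SID.
    if resp.get("Destination") != f"{BASE}/authenticate/{realm_sid}":
        problems.append("Destination does not match Reply URL")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if f"{BASE}/metadata/{realm_sid}" not in audiences:
        problems.append("Audience does not match Identifier")
    # The app role assigned to the user must arrive in the 'roles' claim.
    values = assertion.iterfind(
        ".//saml:Attribute[@Name='roles']/saml:AttributeValue", NS)
    if role not in [v.text for v in values]:
        problems.append(f"'roles' claim lacks '{role}'")
    return problems

def sample(realm_sid, sign_response=True, role="agent"):
    """Constructed response skeleton for the demo; carries no real signature data."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:SignatureMethod '
           f'Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{BASE}/authenticate/{realm_sid}">'
            f'{sig if sign_response else ""}<saml:Assertion>{sig}<saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{BASE}/metadata/{realm_sid}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="roles">'
            f'<saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(check_response(sample("JBxxx", sign_response=False), "JBxxx"))
```

The `SAMLResponse` form field posted to the Reply URL is Base64-encoded, so decode it before passing the XML to `check_response`.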
