How to Set Up Microsoft Entra SSO in Wizer
Setup Overview
Configuring Single Sign-On (SSO) and Directory Sync between Wizer and Microsoft requires two distinct phases. This guide covers the first phase.
- Phase 1: Connect your Microsoft Entra ID directory with Wizer.
(Note: While Microsoft has renamed Azure Active Directory to Microsoft Entra ID, some areas within the Wizer interface may still refer to it as "Azure".)
Phase 1: Connect Your Microsoft Entra ID Directory
Follow these steps to authorize Wizer within your Microsoft environment and enable SSO:
1. Log in to the Azure Portal: Navigate to the Azure Portal and log in using an account with Directory Administrator privileges.
2. Access Microsoft Entra ID: From the Azure Portal dashboard or search bar, locate and select the Microsoft Entra ID service.
3. Copy Your Tenant ID: In the left-hand navigation menu of the Entra ID dashboard, click on Properties. Locate your Tenant ID and copy it to your clipboard.
4. Add Your Tenant ID to Wizer: Open a new browser tab and log in to your Wizer Admin Panel. Navigate to the SSO settings, paste your copied Tenant ID into the designated field, and click Save.
5. Sign Out of the Wizer Employee App: To ensure a clean test of the new login flow, verify that you are completely logged out of the Wizer Learner Console before proceeding.
6. Initiate the SSO Connection: Return to the Wizer Admin Panel's SSO configuration tab and click the provided SSO Link. This will automatically redirect you to the Wizer Employee App login page.
7. Sign In: On the Wizer login screen, click Sign In.
8. Grant Tenant-Wide Consent: You will be redirected to the standard Microsoft login portal. Authenticate with your administrator credentials. When prompted by Microsoft, check the box to "Consent on behalf of your organization" and grant Wizer the necessary tenant-wide permissions.
9. Verify the Connection: Once consent is granted, Microsoft will route you back to the Wizer Employee App, where you should now be successfully signed in. Your SSO integration is now active, and users can begin authenticating via Microsoft Entra ID.
10. Review Your Enterprise Application (Optional): During this process, Microsoft automatically generates an Enterprise Application for Wizer in your directory. If you ever need to manage user assignments or app properties, you can find it by navigating to Microsoft Entra ID > Enterprise applications.
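As an added example (not part of Wizer's documentation), the following Python script reviews the delegated permission grants that the tenant-wide consent in step 8 records for the Enterprise Application from step 10. It reads the JSON returned by the Microsoft Graph oauth2PermissionGrants list call; the sample data, the placeholder ids and the EXPECTED_SCOPES baseline are assumptions, because this guide does not list the permissions Wizer requests.

```python
import json

# Assumption: scopes a sign-in-only integration needs. This guide does not list
# what Wizer requests, so replace this set with what your consent prompt showed.
EXPECTED_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample, shaped like the Microsoft Graph response to
# GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service principal object id>'.
# All ids are placeholders.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "grant-1", "clientId": "sp-placeholder", "principalId": None,
     "consentType": "AllPrincipals", "scope": "openid profile email User.Read"},
    {"id": "grant-2", "clientId": "sp-placeholder", "principalId": None,
     "consentType": "AllPrincipals", "scope": " User.Read Directory.Read.All "},
    {"id": "grant-3", "clientId": "sp-placeholder", "principalId": "user-placeholder",
     "consentType": "Principal", "scope": "User.Read Mail.Read"},
]})


def review_grants(response_text, expected=frozenset(EXPECTED_SCOPES)):
    """Return one finding per delegated permission grant in a Graph response."""
    findings = []
    for grant in json.loads(response_text).get("value", []):
        # Graph stores the granted scopes as one space-separated string.
        scopes = set((grant.get("scope") or "").split())
        unexpected = sorted(scopes - expected)
        # "AllPrincipals" is what tenant-wide admin consent produces;
        # "Principal" is consent recorded for a single user.
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        if not unexpected:
            severity = "ok"
        elif tenant_wide:
            severity = "high"    # extra scope applies to every user
        else:
            severity = "medium"  # extra scope applies to one user
        findings.append({"grant_id": grant.get("id"), "tenant_wide": tenant_wide,
                         "unexpected_scopes": unexpected, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in review_grants(SAMPLE_RESPONSE):
        print(finding)
```

To use it on real data, pass the saved JSON text of the Graph response to review_grants in place of SAMPLE_RESPONSE.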

Phase 2: Automatic User Provisioning
To automatically sync and manage your users, you will need to configure SCIM. We have a dedicated, step-by-step guide to walk you through this process.
Security Best Practice: Enforcing SSO
By default, even when SSO is active, users can technically bypass it by using the "forgot password" flow to create a local password. Because bypassing SSO undermines the security benefits of centralized authentication, we highly recommend restricting this access.
How to Enforce SSO: As an Admin, you can toggle Enforce SSO within the Wizer UI.
- When Enabled: Password usage is strictly forbidden for all SSO-assigned users, forcing them to authenticate exclusively through Microsoft Entra ID.
- Note: Any users not included in your SSO provisioning will remain unaffected and can continue logging in with their standard Wizer passwords.
Managing Multiple Entra ID Tenants
Currently, Wizer connects to one directory tenant per company instance. It is not technically possible to link multiple Entra ID tenants to a single Wizer account.
If your organization operates across multiple tenants, our SSO architecture team recommends the following workarounds:
- Option 1: Utilize External/Guest Users (Recommended). Manage all core personnel under your primary Entra ID instance. For users in secondary directories, invite them to your primary tenant as external Guest Users (via Entra B2B collaboration) and assign them to the Wizer Enterprise App from there.
- Option 2: Create a Second Wizer Company. You can register a completely separate Wizer company instance and bind your secondary Entra ID tenant to it.
  - Important Caveat: Moving existing users to a new company will reset their training progress. If you need user progress migrated to the new instance, our Support team can perform this manually upon request (
- Option 3: Hybrid Authentication. Disable SSO provisioning for users residing in secondary tenants. Your primary tenant users will enjoy seamless SSO, while secondary tenant users will log in using standard Wizer credentials (email and password).
Need Additional Help?
If you run into any issues during your rollout or have questions regarding tenant architecture, please do not hesitate to contact our technical specialists at support@wizer-training.com.