Azure AD SSO Setup

This guide is for IT administrators setting up Azure AD single sign-on for CWLite.

Prerequisites

  • An Azure AD tenant (included with Microsoft 365)
  • Global Administrator or Application Administrator role in Azure AD
  • Access to your CWLite web dashboard as an admin

Step 1: Register the Backend Application

  1. Go to Azure Portal > Azure Active Directory > App registrations
  2. Click New registration
  3. Configure:
    • Name: CWLite Backend
    • Supported account types: Accounts in this organizational directory only (Single tenant)
    • Redirect URI: Select Web and enter https://yourcompany.cwlite.net/azure/callback
  4. Click Register
  5. Note the Application (client) ID and Directory (tenant) ID

Create a client secret

  1. In the app registration, go to Certificates & secrets
  2. Click New client secret
  3. Add a description (e.g., "CWLite Backend") and select an expiry. Record the expiry date: when the secret expires, Azure AD sign-in to CWLite stops working until you create a new secret and enter it in CWLite (Step 3), so rotate it before then
  4. Click Add and copy the secret value immediately; it is shown only once. Put it straight into CWLite and a secret store, not into a ticket or email

Configure API permissions

  1. Go to API permissions
  2. Click Add a permission > Microsoft Graph > Delegated permissions
  3. Add: User.Read
  4. Click Grant admin consent for your organisation

Step 2: Register the Mobile Application

  1. Go to App registrations > New registration
  2. Configure:
    • Name: CWLite iOS
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Select Public client/native and enter msauth.com.cwlite.app://auth
  3. Click Register
  4. Note the Application (client) ID

Configure API permissions

  1. Go to API permissions > Add a permission > Microsoft Graph > Delegated permissions
  2. Add: User.Read
  3. Click Grant admin consent
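Steps 1 and 2 done with the Azure CLI instead of the portal. This is an added example, not CWLite's own tooling: it assumes az 2.37 or newer, already logged in (az login) as a Global or Application Administrator of the tenant, and uses the placeholder redirect URIs from this guide. The AZURE_* names it prints are only labels for the values Step 3 asks for; the two check functions at the top are pre-flight checks for the redirect-URI mistakes described under Troubleshooting.

```shell
#!/usr/bin/env bash
# Added example (not CWLite's own tooling): performs Steps 1 and 2 with the
# Azure CLI. Assumes az >= 2.37, logged in as a Global or Application
# Administrator. Replace the placeholder hostname with your own.
set -eu

BACKEND_REDIRECT="https://yourcompany.cwlite.net/azure/callback"
MOBILE_REDIRECT="msauth.com.cwlite.app://auth"
GRAPH_API="00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource app ID
USER_READ="e1fe6dd8-ba31-4d61-89e7-88639da4683d"   # delegated permission User.Read

# Azure compares the redirect URI a client sends with the registered one
# byte-for-byte (scheme, host, path, trailing slash); any difference is the
# AADSTS50011 error from the troubleshooting section.
redirect_uri_matches() {          # $1 = registered URI, $2 = URI the client sends
    [ "$1" = "$2" ]
}

# A confidential (web) client must use an https redirect URI; Azure accepts
# plain http only for localhost, and CWLite's callback is not localhost.
web_redirect_is_https() {         # $1 = URI
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Step 1: confidential backend app, single tenant, delegated User.Read with
# tenant-wide admin consent, one client secret.
register_backend() {
    web_redirect_is_https "$BACKEND_REDIRECT" || {
        echo "backend redirect URI must be https: $BACKEND_REDIRECT" >&2; return 1; }
    local app_id secret
    app_id=$(az ad app create --display-name "CWLite Backend" \
        --sign-in-audience AzureADMyOrg \
        --web-redirect-uris "$BACKEND_REDIRECT" --query appId -o tsv)
    az ad sp create --id "$app_id" >/dev/null      # consent is recorded on the SP
    az ad app permission add --id "$app_id" --api "$GRAPH_API" \
        --api-permissions "${USER_READ}=Scope"
    az ad app permission admin-consent --id "$app_id"
    # The secret is returned once. Feed it straight into CWLite and a secret
    # store; sign-in stops working when it expires, so track the expiry.
    secret=$(az ad app credential reset --id "$app_id" --append \
        --display-name "CWLite Backend" --years 1 --query password -o tsv)
    printf 'AZURE_TENANT_ID=%s\n' "$(az account show --query tenantId -o tsv)"
    printf 'AZURE_CLIENT_ID=%s\nAZURE_CLIENT_SECRET=%s\n' "$app_id" "$secret"
}

# Step 2: public (native) client for the iOS app; no secret, same permission.
register_mobile() {
    local app_id
    app_id=$(az ad app create --display-name "CWLite iOS" \
        --sign-in-audience AzureADMyOrg \
        --public-client-redirect-uris "$MOBILE_REDIRECT" --query appId -o tsv)
    az ad sp create --id "$app_id" >/dev/null
    az ad app permission add --id "$app_id" --api "$GRAPH_API" \
        --api-permissions "${USER_READ}=Scope"
    az ad app permission admin-consent --id "$app_id"
    printf 'AZURE_MOBILE_CLIENT_ID=%s\n' "$app_id"
}

# Run deliberately (nothing is registered just by sourcing this file):
#   register_backend; register_mobile
```

Keep the printed secret out of shell history and shared channels; the only places it should end up are the Azure client secret field in Step 3 and your secret store.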

Step 3: Configure CWLite

  1. Log in to your CWLite web dashboard as an admin
  2. Go to Django Admin (/admin/)
  3. Navigate to Accounts > Auth configs
  4. Create or edit the configuration:
  Setting                  Value
  Auth mode                azure (or both if you also want local login)
  Azure tenant ID          Directory (tenant) ID from Step 1
  Azure client ID          Application (client) ID from Step 1 (Backend)
  Azure client secret      The secret value from Step 1
  Azure mobile client ID   Application (client) ID from Step 2 (iOS)
  5. Click Save

Note

Changes take effect immediately — no restart required.

Step 4: Test

  1. Web: Open an incognito browser window (so an existing session cannot mask a misconfiguration), go to your CWLite URL, and click "Sign in with Azure AD"
  2. iOS: Open the CWLite app, tap "Sign in with Azure AD", and authenticate with your Microsoft 365 credentials

User Provisioning

When a user signs in with Azure AD for the first time, CWLite automatically:

  • Creates a user account using their Azure AD email
  • Sets their name from Azure AD claims
  • Grants standard user permissions

Administrators can then adjust permissions in the Django admin panel.

Troubleshooting

"AADSTS50011: The redirect URI does not match"

The redirect URI registered in Azure doesn't exactly match the one CWLite is sending. The comparison is exact (scheme, host, path and any trailing slash), so verify the registered values character for character:

  • Backend app: https://yourcompany.cwlite.net/azure/callback (Web platform)
  • iOS app: msauth.com.cwlite.app://auth (Public client/native platform)

"AADSTS700016: Application not found"

The client ID in CWLite's configuration doesn't match an app registration in the tenant CWLite is configured for. Double-check the Application (client) ID values, and also the Azure tenant ID: this error also appears when the client ID is correct but the tenant ID points at a different directory.

Users can sign in but have no permissions

New users get standard permissions by default. An administrator needs to grant additional roles via the Django admin panel at /admin/.

Microsoft Intune (Optional)

If your organisation uses Microsoft Intune for mobile device management, CWLite supports automatic enrolment:

  1. In the Intune admin center, configure an App protection policy for CWLite
  2. Users signing in with Azure AD will be automatically enrolled
  3. Intune policies (encryption, PIN requirements, etc.) will be enforced on the CWLite app

No additional CWLite configuration is needed — Intune enrolment happens automatically through the Azure AD sign-in flow.