Azure AD / Microsoft Entra ID SSO
Security permissions and authentication details for signing in to Last9 with Microsoft Azure AD / Entra ID.
Last9 supports signing in with Microsoft Entra ID (formerly Azure Active Directory) using standard OpenID Connect (OIDC) authentication with minimal, user-scoped permissions.
Permissions Requested
Last9 requests the following delegated permissions from Microsoft Graph API:
| Permission | Type | Description | Admin Consent Required |
|---|---|---|---|
| email | Delegated | View user’s email address | No |
| openid | Delegated | Sign users in (enables OIDC) | No |
| profile | Delegated | View user’s basic profile | No |
| User.Read | Delegated | Sign in and read user profile | No |
All four are delegated permissions, meaning Last9 acts on behalf of the signed-in user and can only access that user’s own data. None require admin consent.
For official Microsoft documentation, see the Microsoft Graph Permissions Reference.
What Last9 Cannot Access
Last9 does not request any application-level or directory-scoped permissions. This means it cannot:
- Read other users’ profiles (`User.Read.All` is not requested)
- Access your organization’s directory data (`Directory.Read.All` is not requested)
- Modify any user or directory data (`User.ReadWrite.All`, `Directory.ReadWrite.All` are not requested)
- Read group memberships (`Group.Read.All` is not requested)
How to Verify Permissions
In the Microsoft Entra Admin Center
- Sign in to Microsoft Entra admin center
- Go to Identity → Applications → Enterprise applications
- Search for and select “Last9”
- Click Permissions under Security
- Verify that only the delegated permissions (`email`, `openid`, `profile`, `User.Read`) are listed
The Permissions page shows separate Admin consent and User consent tabs. Last9 should only appear under user consent with the four permissions listed above.
Access Control
Your organization retains full control over who can access Last9 through Entra ID SSO.
- You control access: Only users you authorize in Entra ID can sign in to Last9
- Revocation: When you disable or delete a user’s Entra ID account, they cannot initiate new sign-ins to Last9. Existing sessions may remain active until the access token expires (typically ~1 hour) unless Continuous Access Evaluation is enabled
- No standalone accounts: Users authenticate through your identity provider — Last9 does not maintain separate credentials
Conditional Access
Entra ID Conditional Access policies apply to Last9 sign-ins. This includes MFA requirements, location-based restrictions, device compliance, and sign-in risk policies.
Restricting Access to Specific Users
To restrict Last9 to only assigned users, set “Assignment required?” to Yes on the Last9 Enterprise Application. When enabled, only users explicitly assigned to the application can sign in. See Restrict an app to a set of users.
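The same checks as the portal walkthrough above (delegated scopes only, user consent rather than tenant-wide admin consent, no application permissions) plus the “Assignment required?” setting, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of Last9’s documentation or tooling; it assumes the enterprise application is registered under the display name “Last9” in your tenant.

```powershell
# Added example (not Last9's own code): audit the Last9 service principal in Entra ID.
# Assumes the enterprise application's display name is exactly "Last9".
# Directory.Read.All is enough to read service principals, OAuth2 grants and app role assignments.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

$expected = @("email", "openid", "profile", "User.Read")

$sp = Get-MgServicePrincipal -Filter "displayName eq 'Last9'"
if (-not $sp) { throw "No enterprise application named 'Last9' found in this tenant." }

# Delegated permissions live on oauth2PermissionGrant objects keyed by the client's service principal.
# ConsentType 'Principal' = consent by one user; 'AllPrincipals' = tenant-wide admin consent.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    $scopes = ([string]$g.Scope).Trim() -split '\s+' | Where-Object { $_ }
    $who = if ($g.ConsentType -eq 'AllPrincipals') { 'all users' } else { "user $($g.PrincipalId)" }
    "Grant for ${who}: $($scopes -join ', ')"
    $unexpected = $scopes | Where-Object { $_ -notin $expected }
    if ($unexpected) { Write-Warning "Unexpected delegated scope(s): $($unexpected -join ', ')" }
}
if ($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }) {
    Write-Warning "Tenant-wide admin consent is present; only per-user consent is expected for Last9."
}

# Application (app-only) permissions show up as app role assignments held by the service principal.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
if ($appRoles) { Write-Warning "Application-level permissions found: $($appRoles.Count)" }
else { "No application-level permissions assigned." }

# 'Assignment required?' in the portal is the AppRoleAssignmentRequired property.
"Assignment required: $($sp.AppRoleAssignmentRequired)"
```

Any warning the script prints is a deviation from the permission set described on this page and is worth reviewing in the Enterprise applications blade before enabling SSO for more users.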
Troubleshooting
If you have questions about Last9’s Entra ID integration or need assistance verifying permissions, please contact us on Discord or Email.