Simplify and secure how your teams sign in to the tool. Connect SatisFactory to your Microsoft Azure environment to centralize access management and offer fluid authentication to your employees.
In a professional environment where data security is paramount, Single Sign-On (SSO) is an essential standard. This article details the procedure to configure the connection to the SatisFactory platform via your corporate Microsoft account, through Entra ID federation.
Thanks to this integration, your users do not need to remember new credentials to access their dashboards and analyses.
⚠️ This article is dedicated to the configuration of SatisFactory authentication via Microsoft Azure SSO through Entra ID federation. A standard integration is also available for Google SSO.
If you use another identity provider or federation system, specific development will be necessary. We invite you to contact your usual SatisFactory representative to evaluate its feasibility and cost.
Description
The SatisFactory platform relies on its own multi-tenant Microsoft Entra ID application.
The advantage of this architecture lies in the fact that you have absolutely nothing to develop, configure, or host on your side. Your sole responsibility as an administrator is to grant the global consent (Admin consent) in your Microsoft directory. This action, to be performed only once, is sufficient to authorize secure communication with SatisFactory and unlock access for all of your users.
| Element | Value |
| --- | --- |
| Application (client) ID | 3786a7c4-e19d-4ad8-b145-da0df05e9f24 |
| Application name | Feedback (SatisFactory) |
| Authority | https://login.microsoftonline.com/common (multi-tenant) |
| Redirect URI | |
| Connection protocol | OpenID Connect (OIDC) - Authorization code with PKCE via MSAL.js popup |
| Required delegated permissions | openid, profile, email, User.Read (Microsoft Graph) |
| Used tokens | ID token only |
Requirements
A user wishing to connect to SatisFactory via Microsoft Azure Entra ID SSO must:
- possess a professional account in your Entra ID tenant
- have the "Feedback" enterprise application authorized
- have been created on the SatisFactory platform with the same email as the preferred_username / UPN in Entra ID
Grant administrator consent
Depending on the security rules configured on your directory (tenant), it is possible that your users will be blocked during their first connection attempt and encounter the error code "AADSTS65001".
This simply means that the SatisFactory application requires the prior approval of an administrator to authorize SSO.
To unblock the situation, two methods are available to you:
Option 1: Consent via direct approval URL
The consent URL method is the method recommended by SatisFactory; it is the simplest and fastest option to implement.
First, ensure that you are connected to your Microsoft session with an account that has Global Administrator rights.
Then click on the following secure consent link to trigger the request:
https://login.microsoftonline.com/common/adminconsent?client_id=3786a7c4-e19d-4ad8-b145-da0df05e9f24
A standard Microsoft window will open, listing the basic permissions SatisFactory requires to operate.
Click on the "Accept" button to validate the integration for your entire organization.
Option 2: Consent from the Entra portal
If you prefer to perform this action directly from your usual Entra administration interface, or if the direct link from Option 1 is not accessible, here is the procedure to follow:
Connect to the Microsoft administration center at the following address with your administrator credentials: https://entra.microsoft.com
In the sidebar menu, expand "Identity", then "Applications", and click on "Enterprise applications".
In the applications search bar, copy and paste the unique ID of the SatisFactory application: "3786a7c4-e19d-4ad8-b145-da0df05e9f24".
Click on the "Feedback" application that was found to open its settings.
In the left sidebar menu, go to the "Permissions" section, then click on the "Grant admin consent" button.
Confirm the operation in the Microsoft window that opens. Access is now unlocked for your users.
Advanced security settings (optional)
By default, as soon as consent is granted to the SatisFactory application, any employee present in your Microsoft directory (therefore possessing an email address linked to your organization) can attempt to connect to the platform via Microsoft Azure SSO.
If you wish to restrict this access right to a targeted population, you must configure a mandatory assignment directly from your Microsoft Entra portal.
1. Limit access to the platform for certain employees
If you wish to restrict access to the platform via SSO to a specific group (for example, only the Customer Relations team), go to the properties of the "Feedback" application on Microsoft Entra and change the "Assignment required?" option to "Yes". You then only need to manually assign the authorized users or groups.
⚠️ Activating the "Assignment required?" option acts solely as a first security filter on the Microsoft side. SatisFactory retains final control over access: a real user account must already have been created on the SatisFactory platform.
If you assign an employee in Entra but forget to create their account on our platform, they will remain blocked and will encounter an "SSO Error" right after the Microsoft connection window.
2. Apply your conditional access rules (MFA, compliant devices, etc.)
SatisFactory automatically inherits the global security rules of your company. Thus, if your Microsoft directory already requires multi-factor authentication (MFA), a connection via a VPN, or the use of a computer provided by the company to access business applications, these same rules will apply naturally when connecting to SatisFactory.
Known error messages preventing SSO connection
| Error code | Source of the error | Solution to the error |
| --- | --- | --- |
| AADSTS65001 | Need for Entra administrator approval | |
| AADSTS50105 | Unassigned user | |
| SSO Error (Platform) | Email address does not match the UPN; user does not exist on the SatisFactory platform | |
| interaction_in_progress | Popup blocker enabled; superfluous browser extension detected | |
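The account conditions behind the AADSTS50105 and "SSO Error" entries can be checked before rollout. The following is an added example, not SatisFactory's code: it compares two constructed CSV exports (the column names `userPrincipalName`, `assigned` and `email` are assumptions) and predicts what each user would encounter. How SatisFactory treats letter case when matching the email to the UPN is not stated in this article, so case-only differences are flagged for review.

```python
import csv
import io

# Constructed sample data, not real exports; the column names are assumptions.
ENTRA_CSV = """userPrincipalName,assigned
alice@contoso.example,yes
Bob@contoso.example,yes
carol@contoso.example,no
dave@contoso.example,yes
"""
PLATFORM_CSV = """email
alice@contoso.example
bob@contoso.example
carol@contoso.example
erin@contoso.example
"""


def predict_sso_outcomes(entra_csv, platform_csv, assignment_required=True):
    """Return {identity: expected result} for every account in either list."""
    entra = {r["userPrincipalName"].strip(): r["assigned"].strip().lower() == "yes"
             for r in csv.DictReader(io.StringIO(entra_csv))}
    platform = {r["email"].strip() for r in csv.DictReader(io.StringIO(platform_csv))}
    platform_folded = {e.casefold() for e in platform}
    entra_folded = {u.casefold() for u in entra}

    results = {}
    for upn, assigned in entra.items():
        # Entra filters first: an unassigned user never reaches the platform check.
        if assignment_required and not assigned:
            results[upn] = "AADSTS50105: not assigned to the Feedback application"
        elif upn in platform:
            results[upn] = "OK"
        elif upn.casefold() in platform_folded:
            # The article asks for the "same email"; case handling is not documented.
            results[upn] = "CHECK: platform email differs from UPN only by case"
        else:
            results[upn] = "SSO Error: no SatisFactory account with this email"
    for email in platform:
        if email.casefold() not in entra_folded:
            results[email] = "NO MATCHING UPN: no Entra account uses this email as UPN"
    return results


if __name__ == "__main__":
    for identity, outcome in sorted(predict_sso_outcomes(ENTRA_CSV, PLATFORM_CSV).items()):
        print(f"{identity:28} {outcome}")
```

Pass `assignment_required=False` if the "Assignment required?" option is left at its default, in which case only the platform-account checks apply.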
If your attempts are unsuccessful, or for any other problem encountered, contact SatisFactory Support and provide the details of the error and as much context as possible so that we can assist you quickly.