Microsoft Entra ID can be used as the central identity provider for almost any application, even if that application is not pre-integrated in the Microsoft Entra ID App Gallery. While many popular applications are already preconfigured and available in the gallery, organizations often rely on custom or lesser-known SaaS applications that must be integrated manually.
When an application is not available in the gallery, Microsoft Entra ID still supports manual single sign-on (SSO) integration, allowing organizations to enforce centralized authentication, authorization, and security controls.
Why integrate custom SaaS apps with Microsoft Entra ID
By integrating applications with Microsoft Entra ID, applications no longer manage usernames and passwords themselves. Instead, they delegate authentication and authorization to a centralized identity provider. This makes it possible to:
- Enforce Conditional Access policies, such as location-based access or MFA.
- Ensure consistent authentication behavior across all applications.
- Reduce password sprawl and credential reuse.
- Allow users to sign in once and gain access to multiple applications through SSO.
Single sign-on allows a user to authenticate a single time and then be automatically signed in to all applications that trust the same Microsoft Entra directory.
Supported SSO methods for custom SaaS apps
Microsoft Entra ID provides multiple SSO options for applications that are not preconfigured in the gallery. The two primary SSO methods used for custom SaaS apps are:
- SAML-based SSO.
- OpenID Connect (OIDC)-based SSO.
The choice between these methods depends on how the application was built and which standards it supports.
Microsoft identity platform overview
The Microsoft identity platform provides identity as a service for application developers. It simplifies authentication and authorization by supporting industry-standard protocols and providing SDKs and libraries for common platforms. Its main capabilities are:
- Signing in users with Microsoft identities.
- Issuing tokens for Microsoft Graph, Microsoft APIs, and custom APIs.
- Supporting modern authentication standards such as OAuth 2.0 and OpenID Connect.
- Providing open-source libraries to accelerate application development.
From an exam perspective, the Microsoft identity platform is the foundation that enables Entra-based authentication for modern applications.
Authentication and authorization protocol comparison
Understanding protocol differences is critical for choosing the correct SSO method.
OAuth vs OpenID Connect
OAuth is an authorization framework. It determines whether an application is allowed to access a protected resource.
OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. It verifies user identity.
Because OIDC is built on OAuth, the two can be used together. An application can authenticate a user with OIDC and simultaneously receive authorization to access a protected resource using OAuth 2.0 in a single flow.
OAuth vs SAML
- OAuth is used for authorization.
- Security Assertion Markup Language (SAML) is used for authentication.
OAuth focuses on token-based access to APIs, while SAML focuses on browser-based authentication and federation.
OpenID Connect vs SAML
Both OpenID Connect and SAML are used to authenticate users and enable SSO. The difference lies in where each protocol is typically found.
SAML:
- Common in enterprise environments.
- Frequently used with Active Directory Federation Services (AD FS).
- Often used in legacy or established enterprise applications.
OpenID Connect:
- Common in cloud-native applications.
- Used by mobile apps, modern web apps, and web APIs.
- Preferred for newer application development.
This distinction is commonly tested in scenario-based questions.
Claims inspection and troubleshooting
When integrating a custom application, it is often necessary to inspect the claims issued in tokens.
Microsoft provides ClaimsXRay, a diagnostic tool that allows administrators and developers to inspect claims issued by Microsoft Entra ID, including directory extension claims.
Reference article: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/claimsxray-in-azuread-with-directory-extension/ba-p/1505737
ClaimsXRay is useful when troubleshooting SSO failures or validating token contents during custom app integration.
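The comparison of OpenID Connect and SAML above, and the claims-inspection step, both come down to the same question during a custom app integration: does the token the identity provider issued carry the issuer, audience, subject and validity window the application expects? The following script is an added example (not part of the original article, nor a Microsoft tool) that decodes the claims from both token shapes Microsoft Entra ID issues, an OIDC ID token (a JWT) and a SAML 2.0 response, and runs the same sanity checks over each. The tenant ID, client ID, entity ID, the user and both sample tokens are constructed placeholders; the `check_claims` function only looks at claim values and does not verify signatures, which a real relying party must still do against the tenant's published signing keys.

```python
import base64
import json
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed placeholders (hypothetical tenant, app registration and SAML entity ID).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SAML_ENTITY_ID = "https://app.example.com/saml"
# Issuer formats Entra ID uses for v2.0 OIDC tokens and for SAML assertions.
OIDC_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
SAML_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Inspection only: the signature is NOT verified."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def saml_claims(response_xml: str) -> dict:
    """Flatten the security-relevant parts of a SAML 2.0 Response's Assertion into a dict
    using the same keys as the JWT claims, so one check routine serves both protocols."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", SAML_NS)
    conditions = assertion.find("saml:Conditions", SAML_NS)
    claims = {
        "iss": assertion.findtext("saml:Issuer", namespaces=SAML_NS),
        "aud": conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS),
        "sub": assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "nbf": conditions.get("NotBefore"),
        "exp": conditions.get("NotOnOrAfter"),
    }
    # Attribute statements carry the extra claims (directory extensions, tenant id, roles).
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        claims[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    return claims


def _to_epoch(value) -> float:
    # JWT times are epoch seconds; SAML times are ISO 8601 UTC strings such as 2023-11-14T22:13:20Z.
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def check_claims(claims: dict, expected_iss: str, expected_aud: str, now: float) -> list:
    """Return a list of problems found in the core SSO claims; an empty list means they look right."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer mismatch: got {claims.get('iss')!r}, expected {expected_iss!r}")
    if claims.get("aud") != expected_aud:
        problems.append(f"audience mismatch: got {claims.get('aud')!r}, expected {expected_aud!r}")
    if not claims.get("sub"):
        problems.append("no subject/NameID claim: the app cannot identify the user")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if nbf is not None and now < _to_epoch(nbf):
        problems.append("token not yet valid (nbf in the future; check clock skew)")
    if exp is None or now >= _to_epoch(exp):
        problems.append("token expired or missing expiry")
    return problems


# Constructed sample OIDC ID token: valid 2023-11-14T22:13:20Z to 23:13:20Z, dummy signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode()),
    _b64url(json.dumps({"iss": OIDC_ISSUER, "aud": CLIENT_ID, "sub": "constructed-user-id",
                        "preferred_username": "alice@contoso.example",
                        "nbf": 1700000000, "exp": 1700003600}).encode()),
    _b64url(b"not-a-real-signature"),
])

# Constructed sample SAML response covering the same validity window (unsigned for brevity).
SAMPLE_SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Issuer>{SAML_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-11-14T22:13:20Z" NotOnOrAfter="2023-11-14T23:13:20Z">
      <saml:AudienceRestriction><saml:Audience>{SAML_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>{TENANT_ID}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, claims, iss, aud in [("OIDC", jwt_claims(SAMPLE_ID_TOKEN), OIDC_ISSUER, CLIENT_ID),
                                    ("SAML", saml_claims(SAMPLE_SAML_RESPONSE), SAML_ISSUER, SAML_ENTITY_ID)]:
        print(label, json.dumps(claims, indent=2))
        print(label, "problems:", check_claims(claims, iss, aud, now=time.time()) or "none")
```

Run as-is, the samples decode cleanly but report "token expired" against the real clock, which is the same symptom a stale token produces in a failing integration; pass a `now` inside the validity window to see the checks succeed. The usual reasons an Entra-integrated app rejects a token show up here as specific messages: a wrong Identifier (Entity ID) or client ID configured on either side gives an audience mismatch, a token from the wrong tenant or the v1.0 rather than v2.0 endpoint gives an issuer mismatch, and a skewed server clock shows as not-yet-valid.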