Microsoft SSO configuration guide

Control how users from your Microsoft tenant join your organisation.

Written By EmuChat

Last updated About 16 hours ago

Microsoft SSO lets people sign in to emu.chat using their Microsoft work or school account, with no separate password required. As an Organisation Administrator, you control how new users from your Microsoft tenant join your emu.chat workspace, what access they receive, and whether admin approval is required.

How Microsoft SSO works

When someone signs in with Microsoft for the first time, emu.chat checks your SSO settings to decide what happens next. Depending on your join mode, that person might be added automatically, placed in a pending queue for approval, or blocked entirely.

Microsoft SSO is included on all plans. Your team can use SSO whether they access emu.chat through Microsoft Teams or the standalone web app.

Configure SSO settings

SSO settings are organisation-level, so changes affect everyone in your workspace.

In the emu.chat sidebar, click Settings.
Select SSO from the workspace section.

You'll see the SSO Settings page with a subtitle: Control how users from your Microsoft tenant join your organisation.

Join modes

The Join mode setting determines what happens when someone from your Microsoft tenant signs in for the first time.

Always allow

Anyone who signs in with a Microsoft account from your tenant is added to your emu.chat organisation automatically. They receive the default role and workspace access you configure.

Choose this when you want open sign-up for everyone in your Microsoft tenant. It is useful for organisations where all Microsoft account holders already have legitimate access.

Require approval

New users can sign in, but they submit a join request instead of being added immediately. An organisation admin must approve the request before the user can access your workspace.

Pending join requests appear on the Users settings page. You can approve or reject each request individually.

Choose this when you want to vet new sign-ups, limit access to specific people, or maintain tighter control over who joins your workspace.

Invite-only

Only people who already have an emu.chat account or a pending invitation can sign in with SSO. New Microsoft accounts from your tenant that aren't already known are blocked.

Choose this when you want to add every user manually, perhaps because you manage a closed team or need precise control over membership.

Disabled

Microsoft SSO sign-in is turned off entirely. Existing users cannot sign in via SSO, and new users cannot start the SSO flow.

Choose this if your organisation wants to stop using Microsoft SSO entirely, or if you need to temporarily suspend all Microsoft sign-ins.

Default role and workspace access

When someone joins through SSO, you can add them to specific workspaces and inboxes automatically. These settings apply to new SSO users when they're approved or when the join mode allows automatic access.

Default workspaces

Select one or more workspaces new SSO users should join automatically. This is useful when you have shared workspaces where most or all staff need access.

If you select workspaces, you can also choose specific inboxes within each workspace. When you pick an inbox, make sure it belongs to the workspace you selected above it.

Sync email from SSO

Enable Sync email from SSO if you want emu.chat to update a user's email address whenever they sign in with Microsoft. This keeps email addresses current if someone changes their primary address in Microsoft Entra ID (formerly Azure AD).

Disable this if you manage email addresses separately in emu.chat and don't want Microsoft sign-ins to overwrite them.

Approve or reject join requests

When your join mode is set to Require approval, new users who sign in with Microsoft submit a join request. You can review and approve or reject these requests.

Go to Settings → Users.
Look for the Pending join requests section or dialog.
For each request, you can:
- Approve: the user is added to your organisation with the default role and workspace access you configured in SSO settings.
- Reject: the user cannot join. They see a rejection message if they try to sign in again.

Approved users receive a notification that their join request was approved and can then access the workspace according to their assigned role and workspaces.

What users experience

First-time sign-in

When someone opens emu.chat for the first time and clicks Sign in with Microsoft, they authenticate using their Microsoft work or school account. What happens next depends on your join mode:

Always allow: They're added to your organisation and land in the app, with the default role and workspace access you configured.
Require approval: They see a message explaining that their request is pending approval and will be notified once an admin reviews it.
Invite-only: If they don't have an existing account or invitation, they see a message that SSO sign-in is not available for their account.
Disabled: They see a message that SSO sign-in is disabled for this organisation.

Subsequent sign-ins

Once someone is a member of your emu.chat organisation, they sign in with Microsoft SSO normally. Your join mode only applies to brand-new users who don't yet have an account in your workspace.

Next steps

Installing emu.chat in Microsoft Teams. Add the app to Teams, sign in, and link a channel to an inbox.