# Microsoft Azure

## Azure Configuration

The first step regardless of installation method is to configure your SAML 2.0 identity provider using Microsoft Azure.

**(1)** In Azure, go to Enterprise Applications and create a new application.

![](/files/Snq7FyGgibzQ9LD6Pdak)

**(2)** Give the Enterprise Application a name, and then select "non-gallery" application.

![](/files/ROxRtVjtDryAEZpJDEF3)

**(3)** Set up Single Sign On with SAML.

![](/files/dPBPAsUzizQfZixoCRoz)

**(4)** Configure for SAML.

![](/files/WYQzx0J76Pld0KZsWkbb)

**(5)** Set up the SAML properties to point Azure to your Keeper Connection Manager installation URL:

![](/files/A1i8MvOCbFufIVH7QPRY)

**(6)** To support Azure Group to Keeper Connection Manager User Group mappings, add a group claim by editing Attributes & Claims and then adding a Group Claim.

![](/files/OD9cgwLIt2H3umUEX89O)

![Add a Group Claim](/files/p2Gv8a2MQQAir1VeifRt)

When prompted, you can decide whether the group claim is always sent, or only for specific groups or assigned users. If unsure, choose all groups.

{% hint style="info" %}
For hybrid environments, if the group originates from on-prem AD, you may need to change the display name of the security group.
{% endhint %}

If you would like to automatically map group assignments in the identity provider to Keeper Connection Manager Groups, ensure that the `saml-group-attribute` parameter is defined to match the Identity Provider Group Attribute. The name of the Group in Keeper Connection Manager needs to match this identifier exactly in order for the mapping to work.

<figure><img src="/files/SfKjVSXkjTD15d9fTitZ" alt=""><figcaption></figcaption></figure>

![](/files/4uvVfxUeRjKuGe9Q3MuV)

{% hint style="info" %}
Azure Group to Keeper Connection Manager Group mapping is unique. KCM will not show a list of the members of a group; however, users who are members of the group will have access to any connections that are assigned to the group.
{% endhint %}
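When a group mapping does not take effect, comparing the group values in a captured SAML assertion against the KCM group names shows which ones fail the exact-match requirement. The following is an added example, not Keeper's code: the function names and sample assertion are constructed, "exactly" is assumed to mean string equality, and `GROUP_ATTR` is assumed to be Azure's default group claim name (substitute whatever `saml-group-attribute` is set to).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed value of saml-group-attribute: Azure's default group claim name.
# Replace with the attribute name configured on your KCM server.
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion fragment (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>KCM-Admins</saml:AttributeValue>
   <saml:AttributeValue>kcm-operators</saml:AttributeValue>
   <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def group_values(assertion_xml, attr_name):
    """Return the values of every Attribute whose Name equals attr_name."""
    # Diagnostic only: no signature check, so run it on assertions you captured.
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == attr_name:
            values += [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
    return values

def check_mapping(assertion_xml, attr_name, kcm_groups):
    """Sort asserted groups into exact matches, near misses, and the rest."""
    report = {"mapped": [], "near_miss": [], "unmapped": []}
    lowered = {g.lower(): g for g in kcm_groups}
    for value in group_values(assertion_xml, attr_name):
        if value in kcm_groups:
            report["mapped"].append(value)
        elif value.strip().lower() in lowered:
            # Differs only in case or surrounding whitespace: will not map.
            report["near_miss"].append((value, lowered[value.strip().lower()]))
        else:
            report["unmapped"].append(value)
    return report

if __name__ == "__main__":
    print(check_mapping(SAMPLE, GROUP_ATTR, {"KCM-Admins", "KCM-Operators"}))
```

An empty result for every category means no attribute with the configured name was present in the assertion, which points at the attribute name rather than the group names.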

**(7)** Assign users and/or groups to the Keeper Connection Manager application, as you would normally do with any SAML connected app.

![Assign Users and Groups](/files/8tfB3M05dZQTqdkm06yI)

**(8)** Copy the URL of the App Federation Metadata and paste it into the prompt on your KCM server.

<figure><img src="/files/Vc1Y08A9dSZtUNTV5lCO" alt=""><figcaption></figcaption></figure>

**(9) Add the KCM Logo**

From the "Properties" screen of the Enterprise Application, upload the KCM logo. The file can be downloaded below.

{% file src="/files/q9PGNVGgaxVQDsizVpSY" %}
KCM Logo 100x100
{% endfile %}

Here's how the logo will look:

![](/files/33sZEkB0pINplKXIy7Dv)


