Automation Cloud admin guide
Configuring the Microsoft Entra ID integration
This page provides guidelines on the following operations:
- How to configure Microsoft Entra ID for the integration
- How to manage users and permissions after the integration
Benefits
Integrating Automation Cloud™ with Microsoft Entra ID provides the following benefits:
- Single sign-on (SSO): Allow users to access Automation Cloud™ with their Microsoft Entra ID credentials.
- Simplified user management: Manage access using existing Microsoft Entra ID users and groups.
- Enhanced security: Apply Microsoft Entra ID features such as multifactor authentication, conditional access, and privileged identity management.
- Seamless transition: Migrate from local accounts without disruption, as long as email addresses match.
Limitations and considerations
Keep the following limitations in mind when using the Microsoft Entra ID integration:
- Unattended robots and personal access tokens: Microsoft Entra ID requires the user to be present during directory access. As a result, the following limitations apply:
  - Microsoft Entra ID directory user accounts cannot inherit group permissions when running unattended automations or using personal access tokens.
  - If you apply access restrictions to Microsoft Entra ID groups, unattended robots cannot access the organization on behalf of users.
- User account management: You can only manage directory users and groups in Microsoft Entra ID. These accounts appear in Automation Cloud™ only when you search for them or assign permissions.
- Application custom keys: The Microsoft Entra ID integration uses the OIDC protocol but does not support application custom keys passed through the appid query parameter, as described in Microsoft's access tokens documentation.
Before you begin
Before you configure the Microsoft Entra ID integration, ensure that you have the following:
- An Automation Cloud™ organization that meets one of the following licensing requirements:
  - Unified Pricing: Requires an Enterprise or Standard plan.
  - Flex: Requires an Enterprise plan, either the Standard or Enterprise tier.
- Administrator permissions in Automation Cloud™
- One of the following Microsoft Entra ID roles:
  - Any role that can grant administrator consent to Microsoft Entra ID applications
- A Microsoft Entra ID account that uses the same email address as your Automation Cloud™ administrator account (for testing)
- A supported version of UiPath Studio and Assistant, as specified in the product lifecycle documentation.
Step 1: Preparing your organization for account linking
When you enable the Microsoft Entra ID integration, Automation Cloud™ automatically links accounts that have matching email addresses. The first time a user signs in with Microsoft Entra ID, Automation Cloud™ creates a directory user account and assigns it the same permissions as the matching local account.
Step 2: Configuring the Microsoft Entra ID integration
This Microsoft Entra ID integration uses Microsoft's identity platform with a delegated access model based on the hybrid OAuth 2.0 authorization code grant flow.
Configuring the Microsoft Entra ID integration allows Automation Cloud™ to do the following:
- Sign in users with Microsoft Entra ID credentials.
- Read user profiles and group memberships from your Microsoft Entra ID directory.
- Apply access controls based on Microsoft Entra ID group assignments.
To set up the Microsoft Entra ID integration, the following permissions are required:
Microsoft Entra ID permission | Purpose |
---|---|
email, openid, profile, offline_access, and User.Read | Enables users to sign in with Microsoft Entra ID and allows Automation Cloud™ to retrieve email and profile claims in the authorization request. |
User.ReadBasic.All or User.Read.All | Enables user search in the Microsoft Entra ID directory from Automation Cloud™ for sharing resources and assigning permissions, and allows Automation Cloud™ to keep user attributes updated. To use properties such as City, Job Title, and Department in Automation Hub, the User.Read.All permission is required. |
GroupMember.Read.All | Enables Automation Cloud™ to evaluate group membership and enforce directory group-based access controls. |
Configuration methods
To integrate with Microsoft Entra ID, you must configure the Microsoft Entra ID application that represents Automation Cloud™ in your Microsoft Entra ID tenant. You can choose one of the following configuration methods:
- (Recommended) Automated setup: Use the UiPath-managed Microsoft Entra ID application (multi-tenant model) for the following benefits:
  - No secrets or certificates to manage.
  - Quick and reliable setup.
  - UiPath maintains the Microsoft Entra ID application for you.
- Manual setup with a custom Microsoft Entra ID application registration: Use your own Microsoft Entra ID application and manage its configuration manually, with the following considerations:
  - You must create and manage application credentials.
  - Credentials expire and require periodic updates.
  - If credentials are not updated before they expire, users are blocked from signing in.
Automated setup with UiPath-managed Microsoft Entra ID application (Recommended)
Use this method if you want to simplify configuration and avoid managing secrets or certificates. UiPath recommends this approach for most organizations.
If you are a Microsoft Entra ID and Automation Cloud™ administrator
If you are both a Microsoft Entra ID administrator and an Automation Cloud™ administrator, take the following steps to configure the integration using the UiPath-managed multi-tenant application:
1. In Automation Cloud™, go to Admin > Security > Authentication Settings > Directory integration and single sign-on (SSO).
2. Select Microsoft Entra ID.
3. Choose UiPath managed multi-tenant application (Recommended).
4. Check I understand & accept that existing users and Microsoft Entra ID users with matching email addresses will have their accounts linked.
5. Select Grant consent, then sign in with your Microsoft Entra ID account.
6. On the Microsoft Entra ID consent prompt, select Consent on behalf of your organization, then select Accept.
7. Select Save to activate the integration.
If you are an Automation Cloud™ administrator only
If you do not have administrative privileges in Microsoft Entra ID but are an Automation Cloud™ administrator, take the following steps to request admin consent and complete the integration:
1. In Automation Cloud™, go to Admin > Security > Authentication Settings > Directory integration and single sign-on (SSO).
2. Select Microsoft Entra ID.
3. Choose UiPath managed multi-tenant application (Recommended).
4. Check I understand & accept that existing users and Microsoft Entra ID users with matching email addresses will have their accounts linked.
5. Select Grant consent, then sign in with your Microsoft Entra ID account. Because you do not have Microsoft Entra ID admin rights, you should see one of the following prompts:
   - Request approval, as depicted in the Microsoft documentation (Request admin approval): after your Microsoft Entra ID administrator approves the request, continue to the next step.
   - Needs admin approval, as depicted in the Microsoft documentation: ask your Microsoft Entra ID administrator to take the following steps:
     - Navigate to this URL to open the Microsoft Entra ID consent prompt.
     - Select Consent on behalf of your organization, then Accept.
6. After you receive confirmation that admin consent was granted, return to Automation Cloud™ and repeat steps 1 through 5.
   - A successful sign-in indicates that the integration is configured correctly.
   - If the sign-in fails, ask your Microsoft Entra ID administrator to verify that consent was granted properly.
7. Select Save to activate the integration.
Manual setup with custom Microsoft Entra ID application registration
If you prefer to configure your own Microsoft Entra ID application instead of using the UiPath managed multi-tenant application, take the following steps. This option requires managing your own credentials and maintaining them over time.
Configuring Microsoft Entra ID
As a Microsoft Entra ID administrator, you can configure the application using either a PowerShell script or the Microsoft Entra admin center.
Option A: Using the PowerShell scripts
If you want to automate the setup process with minimal manual configuration, take the following steps:
1. Download the Microsoft Entra ID configuration scripts.
2. Run configAzureADconnection.ps1 to automatically set up your Entra tenant.
3. Run testAzureADappRegistration.ps1 to verify the setup.
Option B: Using the Microsoft Entra admin center
If you prefer to manually configure the application registration through the user interface, take the following steps:
1. Create the app registration:
   - Go to Microsoft Entra admin center > App registrations > New registration.
   - Set the name to Automation Cloud or your preferred name.
   - Choose Accounts in this organizational directory only.
   - Set the Redirect URI to https://cloud.uipath.com/identity_/signin-oidc.
2. Configure authentication:
   - Navigate to Authentication.
   - Add the following redirect URI: https://cloud.uipath.com/portal_/testconnection.
   - Under Implicit grant and hybrid flows, select ID tokens. This integration leverages the Microsoft hybrid flow.
   - Save your changes.
3. Add token claims:
   - Go to Token configuration > Add optional claim.
   - Select ID as the token type.
   - Choose the following claims: family_name, given_name, and upn. These claims are used to update user information upon sign-in.
   - Save your changes.
4. Set API permissions:
   - Go to API permissions > Add permission.
   - Select Microsoft Graph, then add the following:
     - OpenID permissions: email, openid, offline_access, profile.
     - User permissions: User.Read, and either User.ReadBasic.All or User.Read.All.
     - Group permissions: GroupMember.Read.All.
   - Select Grant admin consent for (your organization). This step allows the application to access data for all users without requiring individual consent prompts. For more information, refer to the Microsoft documentation.
5. Create credentials. You can use either a client secret or a certificate:
   - To create a client secret:
     - Go to Certificates & secrets.
     - Select New client secret, then save the secret value.
   - To create a certificate:
     - Open a new tab and go to Azure Key Vault.
     - Create a certificate with the following settings:
       - Subject: CN=uipath.com
       - Content type: PEM
       - Maximum size: Less than 10 KB
     - Download the certificate in .pem format.
     - Open the .pem file in a text editor and locate the section between BEGIN CERTIFICATE and END CERTIFICATE.
     - Create a new .pem file that contains only this certificate section (the public certificate, without the private key).
     - In the Microsoft Entra admin center, go to Certificates & secrets, and upload the new .pem file.
     - Keep the original .pem file. You will need it to complete the integration in Automation Cloud™.
   Note: Most credential types eventually expire. To prevent user sign-in issues, update the configuration before credentials expire. To avoid this overhead, use the automated setup with the UiPath-managed Microsoft Entra ID application.
6. Collect the following integration details and share them with your Automation Cloud™ administrator:
   - Application (client) ID
   - Directory (tenant) ID
   - Client secret or certificate
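The following is an added example, not UiPath's configAzureADconnection.ps1 or testAzureADappRegistration.ps1, showing how the Option B registration (redirect URIs, ID token issuance for the hybrid flow, optional claims, and delegated Graph permissions) can be created and then read back and checked with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can create applications; Graph scope IDs are resolved by name rather than hard-coded.

```powershell
# Added example (not UiPath's script): register the Option B application with the
# Microsoft Graph PowerShell SDK and verify the settings that the hybrid flow needs.
# Assumes the Microsoft.Graph module and an account holding Application.ReadWrite.All.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$displayName  = 'Automation Cloud'   # name from the guide; change if preferred
$redirectUris = @(
    'https://cloud.uipath.com/identity_/signin-oidc',   # sign-in redirect URI
    'https://cloud.uipath.com/portal_/testconnection'   # Test Connection redirect URI
)
# Delegated Microsoft Graph scopes from the guide. User.ReadBasic.All is the
# least-privileged search option; use User.Read.All only if Automation Hub needs
# City, Job Title, Department, and Company name.
$scopeNames = @('openid', 'email', 'profile', 'offline_access',
                'User.Read', 'User.ReadBasic.All', 'GroupMember.Read.All')

# Resolve scope names to IDs from the Microsoft Graph service principal
# (appId 00000003-0000-0000-c000-000000000000) instead of hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$resourceAccess = foreach ($name in $scopeNames) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) { throw "Delegated permission '$name' not found on Microsoft Graph" }
    @{ Id = $scope.Id; Type = 'Scope' }
}

$params = @{
    DisplayName    = $displayName
    SignInAudience = 'AzureADMyOrg'   # "Accounts in this organizational directory only"
    Web = @{
        RedirectUris          = $redirectUris
        ImplicitGrantSettings = @{
            EnableIdTokenIssuance     = $true    # "ID tokens" under Implicit grant and hybrid flows
            EnableAccessTokenIssuance = $false   # access tokens are not issued from the front channel
        }
    }
    # Optional ID token claims the guide uses to update user information on sign-in
    OptionalClaims = @{
        IdToken = @(@{ Name = 'family_name' }, @{ Name = 'given_name' }, @{ Name = 'upn' })
    }
    RequiredResourceAccess = @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = @($resourceAccess) })
}
$app = New-MgApplication @params

# Read the registration back and fail loudly if a required setting did not stick.
$check = Get-MgApplication -ApplicationId $app.Id
$missingUris = $redirectUris | Where-Object { $_ -notin $check.Web.RedirectUris }
if ($missingUris) { throw "Missing redirect URIs: $($missingUris -join ', ')" }
if (-not $check.Web.ImplicitGrantSettings.EnableIdTokenIssuance) { throw 'ID token issuance is disabled' }
$grantedIds    = $check.RequiredResourceAccess.ResourceAccess.Id
$missingScopes = $resourceAccess | Where-Object { $_.Id -notin $grantedIds } | ForEach-Object { $_.Id }
if ($missingScopes) { throw "Missing delegated permissions: $($missingScopes -join ', ')" }

# Values the Automation Cloud administrator needs; admin consent and the client
# secret or certificate are still added in the admin center (steps 4 and 5).
"Application (client) ID: $($app.AppId)"
"Directory (tenant) ID:   $((Get-MgContext).TenantId)"
```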
Activating the integration in Automation Cloud™
As an Automation Cloud™ administrator, use the values provided by the Microsoft Entra ID administrator to complete the setup in Automation Cloud™ by taking the following steps:
1. Go to Admin > Security > Authentication Settings > Directory integration and single sign-on (SSO).
2. Select Microsoft Entra ID.
3. Choose Custom application registration ID and secret.
4. Enter the following values provided by your Microsoft Entra ID administrator:
   - Directory (tenant) ID
   - Application (client) ID
   - Client secret or certificate
5. Check I understand & accept that existing users and Microsoft Entra ID users with matching email addresses will have their accounts linked.
6. Select Test Connection, then sign in with your Microsoft Entra ID account.
   - A successful sign-in indicates that the integration has been configured correctly.
   - If the sign-in fails, ask your Microsoft Entra ID administrator to verify the configuration and try again.
7. Select Save to activate the integration.
Step 4: Completing the transition
Step 4.1: Configuring group permissions
To allow directory users to inherit permissions based on their group membership, add the relevant Microsoft Entra ID groups to local groups in Automation Cloud™. For example, add your UiPath Admins Entra ID group to the Administrators group in Automation Cloud™.
We recommend removing individual user permissions and relying on directory group membership to simplify permission management as your organization scales.
Step 4.2: Migrating existing users
To ensure users inherit permissions assigned through Microsoft Entra ID group membership in Automation Cloud™, Studio, and Assistant, take the following steps:
For Automation Cloud™:
Ask users to sign out and sign in using their directory accounts in one of the following ways:
- Navigate to your organization-specific URL: https://cloud.uipath.com/{organizationName}/
- Or select Continue with Enterprise SSO on the main login page.
For Studio and Assistant:
1. Open UiPath Assistant.
2. Navigate to Preferences > Orchestrator Connection.
3. Sign out of the current session.
4. Set the connection type to Service URL.
5. Enter the organization URL: https://cloud.uipath.com/{organizationName}/
6. Sign in using your Microsoft Entra ID account.
Step 4.3: Phasing out local accounts
We recommend removing local user accounts to ensure consistency and simplify the user experience.
Users who continue signing in with local accounts instead of their directory accounts face the following limitations:
- They do not inherit directory group permissions.
- They cannot search for or assign users or groups from the Microsoft Entra ID directory.
The following table summarizes the expected behavior for linked local and directory accounts:
Capability | Linked local user account | Linked directory user account |
---|---|---|
Inherit permissions assigned directly to the user | YES | YES |
Inherit permissions assigned to directory groups | NO | YES |
Search for and assign directory users and groups permissions or resources in Automation Cloud™ | NO | YES |
Advanced configuration
Restricting access to specific users
By default, all users in your Microsoft Entra ID tenant can access your Automation Cloud™ organization. To restrict access to specific users or groups, take the following steps:
1. In the Microsoft Entra admin center, go to the application you created for the integration in Step 2: Configuring the Microsoft Entra ID integration.
2. Go to Enterprise applications > Properties.
3. Set User assignment required? to Yes.
4. In Users and groups, assign the users or groups who should have access.
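As an added example that is not part of this guide, the same restriction applied and verified with the Microsoft Graph PowerShell SDK: it flips User assignment required on the enterprise application (the service principal of the integration app), assigns one group, and confirms both before reporting success. The application client ID and the group name are placeholders, and the Microsoft.Graph module is assumed.

```powershell
# Added example (not from the UiPath guide): restrict sign-in to assigned users and
# groups on the integration's enterprise application, then verify the result.
# <app-client-id> and the group name are placeholders to replace.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'

$appClientId = '<app-client-id>'   # Application (client) ID of the integration app
$groupName   = 'UiPath Users'      # placeholder: the Entra ID group that should have access

# The enterprise application is the service principal backing the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appClientId'"
if (-not $sp) { throw "No enterprise application found for appId $appClientId" }

# "User assignment required? = Yes": Entra ID refuses sign-in for unassigned principals.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Assign the group. The all-zero app role ID is the "default access" role, which is
# what the admin center assigns when the application defines no custom app roles.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }
if (@($group).Count -gt 1) { throw "Group name '$groupName' is ambiguous; use the object ID" }
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId ([guid]::Empty) | Out-Null

# Verify: the setting is enforced and the group appears among the assigned principals.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
if (-not $sp.AppRoleAssignmentRequired) { throw 'User assignment is still not required' }
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
if ($assigned.PrincipalId -notcontains $group.Id) { throw "Group '$groupName' is not assigned" }
"Access to '$($sp.DisplayName)' is now limited to assigned users and groups."
```

Remember the limitation stated earlier on this page: once group-based restrictions are in place, unattended robots cannot access the organization on behalf of users.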
Implementing network restrictions
Use Microsoft Entra ID Conditional Access policies to restrict access based on the following criteria:
- Network location (for example, corporate network only)
- Device compliance
- Risk level
For details on how to configure these policies, see the Microsoft documentation on Conditional Access.
Managing privileged access
For Microsoft Entra ID groups used to manage UiPath admin access, implement the following access management practices:
- Enable Privileged Identity Management (PIM) in Microsoft Entra ID.
- Configure just-in-time access and approval workflows.
- Set up regular access reviews to validate membership and permissions.
For configuration guidance, refer to the Microsoft documentation on Privileged Identity Management.
FAQs
What changes for my users after the integration?
After the integration, users can sign in with their Microsoft Entra ID accounts and retain their existing permissions. If local user accounts are still active, both sign-in methods remain available.
To sign in with a directory account, users can do one of the following:
- Go to the organization-specific URL: https://cloud.uipath.com/{organizationName}/
- On the main login page, select Continue with Enterprise SSO.
Why can I not search for users or groups after configuring the integration?
If you signed in using a local user account instead of your directory account, you cannot search for users or groups in Automation Cloud™. To understand the differences between local and directory accounts, refer to Phasing out local accounts.
To resolve the issue, ensure that you are signed in with your Microsoft Entra ID account.
What Microsoft Entra ID attributes are mapped to Automation Cloud directory user accounts, and when are they updated?
Automation Cloud™ maps only a limited set of Microsoft Entra ID attributes to directory user accounts. The following table summarizes the available attributes. All user attributes are updated during sign-in and when users are searched for or assigned access to resources in Automation Cloud™.
Automation Cloud attribute | Microsoft Entra ID attribute | Purpose |
---|---|---|
Username | user.userPrincipalName | Unique identifier. This property is required when a user is created, and it cannot be cleared during updates. |
Display name | user.displayName | The user's full name, typically a combination of first and last name. This property is required when a user is created, and it cannot be cleared during updates. |
First name | user.givenName | The user's first name. |
Last name | user.surName | The user's last name. |
Email | user.Mail | The user's email address. This property is required when a user is created, and it cannot be cleared during updates. |
Job title¹ | user.JobTitle | The user's job title. |
Department¹ | user.Department | The user's department. |
City¹ | user.City | The user's city. |
Company name¹ | user.CompanyName | The user's company name. |
¹ Automation Hub is the only service that uses the City, Job Title, Department, and Company name values from Microsoft Entra ID. If you require these attributes, you must request the higher-privileged User.Read.All permission, as documented in Configuring the Microsoft Entra ID integration.
Can I revert to local accounts after integration?
To revert to local accounts, take the following steps:
1. Re-invite the local user accounts.
2. Migrate all directory group-based permissions to direct assignments on the corresponding local accounts.
3. Ask users to sign out and then sign in with their local user account.
Why does the integration use the Microsoft Entra ID's hybrid OAuth 2.0 authorization code grant flow?