automation-cloud

latest

false

Automation Cloud admin guide

Last updated Jul 17, 2025

Configuring the Microsoft Entra ID integration

This page provides guidelines on the following operations:

How to configure Microsoft Entra ID for the integration
How to manage users and permissions after the integration

Getting started

Benefits

Integrating Microsoft Entra ID integration with Automation Cloud^TM offers the following benefits:

Single sign-on (SSO): Allow users to access Automation Cloud^TM with their Microsoft Entra ID credentials.
Simplified user management: Manage access using existing Microsoft Entra ID users and groups.
Enhanced security: Apply Microsoft Entra ID features such as multifactor authentication, conditional access, and privileged identity management.
Seamless transition: Migrate from local accounts without disruption, as long as email addresses match.

Limitations and considerations

Keep the following limitations in mind when using Microsoft Entra ID integration:

Unattended robots and personal access tokens: Microsoft Entra ID requires the user to be present during directory access. As a result, the following limitations apply:
- Microsoft Entra ID directory user accounts cannot inherit group permissions when running unattended automations or using personal access tokens.
- If you apply access restrictions to Microsoft Entra ID groups, unattended robots cannot access the organization on behalf of users.
User account management: You can only manage directory users and groups in Microsoft Entra ID. These accounts appear in Automation Cloud^TM only when you search for them or assign permissions.
Application custom keys: Microsoft Entra ID integration uses the OIDC protocol but does not support application custom keys passed through the appid query parameter, as described in Microsoft's access tokens documentation.

Before you begin

Before you configure Microsoft Entra ID integration, ensure that you have the following:

An Automation Cloud^TM organization that meets one of the following licensing requirements:
- Unified Pricing: Requires an Enterprise or Standard plan.
- Flex: Requires an Enterprise plan, either the Standard or Enterprise tier.
Administrator permissions in Automation Cloud^TM
One of the following Microsoft Entra ID roles:
- Cloud Application Administrator
- Application Administrator
- Any role that can grant administrator consent to Microsoft Entra ID applications
A Microsoft Entra ID account that uses the same email address as your Automation Cloud^TM administrator account (for testing)
A supported version of UiPath Studio and Assistant, as specified in the product lifecycle documentation.

Step 1: Preparing your organization for account linking

When you enable the Microsoft Entra ID integration, Automation Cloud^TM automatically links accounts that have matching email addresses. The first time a user signs in with Microsoft Entra ID, Automation Cloud^TM creates a directory user account and assigns it the same permissions as the matching local account.

Important: Before you enable the Microsoft Entra ID integration, remove any inactive users from Automation Cloud^TM. This helps prevent permission escalation if those email addresses are reassigned to different users in your organization.

Step 2: Configuring the Microsoft Entra ID integration

This Microsoft Entra ID integration uses Microsoft’s identity platform with a delegated access model based on the hybrid OAuth 2.0 authorization code grant flow.

Configuring the Microsoft Entra integration allows Automation Cloud^TM to do the following:

Sign in users with Microsoft Entra ID credentials.
Read user profiles and group memberships from your Microsoft Entra ID directory.
Apply access controls based on Microsoft Entra ID group assignments.

To set up the Microsoft Entra ID integration, the following permissions are required:

Microsoft Entra ID permission	Purpose
`email`, `openid`, `profile`, `offline_access`, and `User.Read`	It enables users to sign in with Microsoft Entra ID and allows Automation Cloud^TM to retrieve email and profile claims in the authorization request.
`User.ReadBasic.All` or `User.Read.All`	It enables user search in the Microsoft Entra ID directory in Automation Cloud^TM for sharing resources and assigning permissions. It also allows Automation Cloud^TM to keep user attributes updated. To use properties such as `City`, `Job Title`, and `Department` in Automation Hub, the `User.Read.All` permission is required.
`GroupMember.Read.All`	It enables Automation Cloud^TM to evaluate group membership and enforce directory group-based access controls.

Configuration methods

To integrate with Microsoft Entra ID, you must configure the Microsoft Entra ID application that represents Automation Cloud^TM in your Microsoft Entra ID tenant.

You can choose one of the following configuration methods:

(Recommended) Automated setup: Use the UiPath-managed Microsoft Entra ID application (multi-tenant model) for the following benefits:
- No secrets or certificates to manage.
- Quick and reliable setup.
- UiPath maintains the Microsoft Entra ID application for you.
Manual setup with a custom Microsoft Entra ID application registration: Use your own Microsoft Entra ID application and manage its configuration manually, with the following considerations:
- You must create and manage application credentials.
- Credentials expire and require periodic updates.
- If credentials are not updated before they expire, users are blocked from signing in.

Automated setup with UiPath-managed Microsoft Entra ID application (Recommended)

Use this method if you want to simplify configuration and avoid managing secrets or certificates. UiPath recommends this approach for most organizations.

If you are a Microsoft Entra ID and Automation Cloud^TM administrator

If you are both a Microsoft Entra ID administrator and an Automation Cloud^TM administrator, take the following steps to configure the integration using the UiPath-managed multi-tenant application:

In Automation Cloud^TM, go to Admin > Security > Authentication Settings > Directory integration and single sign-on (SSO).
Select Microsoft Entra ID.
Choose UiPath managed multi-tenant application (Recommended).
Check I understand & accept that existing users and Microsoft Entra ID users with matching email addresses will have their accounts linked.
Select Grant consent, then sign in with your Microsoft Entra ID account.
On the Microsoft Entra ID consent prompt, select Consent on behalf of your organization, then select Accept.
Select Save to activate the integration.

If you are an Automation Cloud^TM administrator only

If you do not have administrative privileges in Microsoft Entra ID but are an Automation Cloud^TM administrator, take the following steps to request admin consent and complete the integration:

In Automation Cloud^TM, go to Admin > Security > Authentication Settings > Directory integration and single sign-on (SSO).
Select Microsoft Entra ID.
Choose UiPath managed multi-tenant application (Recommended).
Check I understand & accept that existing users and Microsoft Entra ID users with matching email addresses will have their accounts linked.
Select Grant consent, then sign in with your Microsoft Entra ID account.

Because you do not have Microsoft Entra ID admin rights, you should see one of the following prompts:
- Request approval, as depicted in the Microsoft documentation: Request admin approval. After your Microsoft Entra ID administrator approves the request, continue to the next step.
- Needs admin approval, as depicted in the Microsoft documentation: Ask your Microsoft Entra ID administrator to take the following steps:
  1. Navigate to this URL to open the Microsoft Entra ID consent prompt.
  2. Select Consent on behalf of your organization, then Accept.
After you receive confirmation that admin consent was granted, return to Automation Cloud^TM and repeat steps 1 through 5.
- A successful sign-in indicates that the integration is configured correctly.
- If the sign-in fails, ask your Microsoft Entra ID administrator to verify that consent was granted properly.
Select Save to activate the integration.

Note: If you use Automation Hub and want to populate the City, Job Title, and Department fields from Microsoft Entra ID, request additional permissions. Ask your Microsoft Entra ID administrator to grant admin consent using an elevated admin consent URL that includes the required scopes.

Manual setup with custom Microsoft Entra ID application registration

If you prefer to configure your own Microsoft Entra ID application instead of using the UiPath managed multi-tenant application, take the following steps. This option requires managing your own credentials and maintaining them over time.

Important: Credentials created through manual setup will expire periodically. You must renew them before expiration to avoid service disruptions. To reduce this operational overhead, consider using the automated setup with UiPath managed Entra ID application.

Configuring Microsoft Entra ID

As a Microsoft Entra ID administrator, you can configure the application using either a PowerShell script or the Microsoft Entra admin center.

Option A: Using the PowerShell scripts

If you want to automate the setup process with minimal manual configuration, take the following steps:

Download the Microsoft Entra ID configuration scripts.
Run configAzureADconnection.ps1 to automatically set up your Entra tenant.
Run testAzureADappRegistration.ps1 to verify the setup.

Option B: Using the Microsoft Entra admin center

If you prefer to manually configure the application registration through the user interface, take the following steps:

Create the app registration:
1. Go to Microsoft Entra admin center > App registrations > New registration.
2. Set the name to Automation Cloud or your preferred name.
3. Choose Accounts in this organizational directory only.
4. Set the Redirect URI to https://cloud.uipath.com/identity_/signin-oidc.
Configure authentication:
1. Navigate to Authentication.
2. Add the following redirect URI: https://cloud.uipath.com/portal_/testconnection.
3. Under Implicit grant and hybrid flows, select ID tokens. This integration leverages the Microsoft hybrid flow.
4. Save your changes.
Add token claims:
1. Go to Token configuration > Add optional claim.
2. Select ID as the token type.
3. Choose the following claims: family_name, given_name, and upn.
  
  These claims are used to update user information upon sign-in.
4. Save your changes.
Set API permissions:
1. Go to API permissions > Add permission.
2. Select Microsoft Graph, then add the following:
  - OpenID permissions: email, openid, offline_access, profile.
  - User permissions: User.Read, User.ReadBasic.All, or User.Read.All.
  - Group permissions: GroupMember.Read.All.
3. Select Grant admin consent for (your organization). This step allows the application to access data for all users without requiring individual consent prompts. For more information, refer to Microsoft documentation.
Create credentials:

You can use either a client secret or a certificate:
- To create a client secret:
  1. Go to Certificates & secrets.
  2. Select New client secret, then save the secret value.
- To create a certificate:
  1. Open a new tab and go to Azure Key Vault.
  2. Create a certificate:
    - Subject: CN=uipath.com
    - Content type: PEM
    - Maximum size: Less than 10 KB
  3. Download the certificate in .pem format.
  4. Open the .pem file in a text editor and locate the section between BEGIN CERTIFICATE and END CERTIFICATE.
  5. Create a new .pem file that contains only this certificate section.
  6. In the Microsoft Entra admin center, go to Certificates & secrets, and upload the new .pem file.
  7. Keep the .pem file. You will need it to complete the integration in Automation Cloud^TM.
  Note:
  Most credential types eventually expire. To prevent user sign-in issues, update the configuration before credentials expire.
  
  To avoid this overhead, use the automated setup with the UiPath-managed Microsoft Entra ID application.
Collect the following integration details and share them with your Automation Cloud^TM administrator:
- Application (client) ID
- Directory (tenant) ID
- Client secret or certificate

Activating the integration in Automation Cloud^TM

As an Automation Cloud^TM administrator, use the values provided by the Microsoft Entra ID administrator to complete the setup in Automation Cloud^TM by taking the following steps:

Go to Admin > Security > Authentication Settings > Directory integration and single sign-on (SSO).
Select Microsoft Entra ID.
Choose Custom application registration ID and secret.
Enter the following values provided by your Entra ID administrator:
- Directory (tenant) ID
- Application (client) ID
- Client secret or certificate
Check I understand & accept that existing users and Microsoft Entra ID users with matching email addresses will have their accounts linked.
Select Test Connection, then sign in with your Microsoft Entra ID account.
- A successful sign-in indicates that the integration has been configured correctly.
- If the sign-in fails, ask your Microsoft Entra ID administrator to verify the configuration and try again.
Select Save to activate the integration.

Step 3: Using and verifying the integration

After you activate the Microsoft Entra ID integration, verify that it works by signing in with a directory user account and confirming access to Microsoft Entra ID users and groups. To do that, take the following steps:

Sign out of your local account.
Sign in with your directory user account using one of the following methods:
- Navigate to your organization-specific URL: https://cloud.uipath.com/{organizationName}/.
- Or go to the main login page at https://cloud.uipath.com and select Continue with Enterprise SSO.
Note: To confirm that you signed in with a directory account, go to the Automation Cloud^TM home page at https://cloud.uipath.com{organizationName}/portal_/home. If you do not see a warning about being signed in with a local user account, you are successfully signed in with a directory user account.
Navigate to Accounts & local groups and attempt to add directory users or groups from Microsoft Entra ID to a local group. Microsoft Entra ID users and groups have distinct icons to differentiate them from local accounts.

Note: Microsoft Entra ID users and groups are not listed by default on the User accounts or Local groups pages. You can find them only by using the search function.

Step 4: Completing the transition

Step 4.1: Configuring group permissions

To allow directory users to inherit permissions based on their group membership, add the relevant Microsoft Entra ID groups to local groups in Automation Cloud^TM.

For example, add your UiPath Admins Entra ID group to the Administrators group in Automation Cloud^TM.

We recommend removing individual user permissions and relying on directory group membership to simplify permission management as your organization scales.

Step 4.2: Migrating existing users

To ensure users inherit permissions assigned through Microsoft Entra ID group membership in Automation Cloud^TM, Studio, and Assistant, take the following steps:

For Automation Cloud^TM:

Ask users to sign out and sign in using their directory accounts in one of the following ways:

Navigate to your organization-specific URL: https://cloud.uipath.com/{organizationName}/.
Or select Continue with Enterprise SSO on the main login page.

For Studio and Assistant:

Open UiPath Assistant.
Navigate to Preferences > Orchestrator Connection.
Sign out of the current session.
Set the connection type to Service URL.
Enter the organization URL: https://cloud.uipath.com/{organizationName}/.
Sign in using your Microsoft Entra ID account.

Step 4.3: Phasing out local accounts

We recommend removing local user accounts to ensure consistency and simplify the user experience.

Users who continue signing in with local accounts instead of their directory accounts face the following limitations:

They do not inherit directory group permissions.
They cannot search for or assign users or groups from the Microsoft Entra ID directory.

The following table summarizes the expected behavior for linked local and directory accounts:

Capability	Linked local user account	Linked directory user account
Inherit permissions assigned directly to the user	YES	YES
Inherit permissions assigned to directory groups	NO	YES
Search for and assign directory users and groups permissions or resources in Automation Cloud^TM	NO	YES

Important: If you use the manual setup for Microsoft Entra ID integration, you must maintain at least one local user account with admin privileges to manage the integration.

Advanced configuration

Restricting access to specific users

By default, all users in your Microsoft Entra ID tenant can access your Automation Cloud^TM organization. To restrict access to specific users or groups, take the following steps:

In the Microsoft Entra admin center, go to the application you created for the integration in Step 2: Configuring the Microsoft Entra ID integration.
Go to Enterprise applications > Properties.
Set User assignment required? to Yes.
In Users and groups, assign the users or groups who should have access.

All users and groups from your tenant remain searchable in Automation Cloud^TM, but only those assigned to the application can sign in. For more details, refer to the Microsoft documentation on user assignment.

Implementing network restrictions

Use Microsoft Entra ID Conditional Access policies to restrict access based on the following criteria:

Network location (for example, corporate network only)
Device compliance
Risk level

For details on how to configure these policies, see the Microsoft documentation on Conditional Access.

Managing privileged access

For Microsoft Entra ID groups used to manage UiPath admin access, implement the following access management practices:

Enable Privileged Identity Management (PIM) in Microsoft Entra ID.
Configure just-in-time access and approval workflows.
Set up regular access reviews to validate membership and permissions.

For configuration guidance, refer to the Microsoft documentation on Privileged Identity Management.

FAQs

What changes for my users after the integration?

After the integration, users can sign in with their Microsoft Entra ID accounts and retain their existing permissions. If local user accounts are still active, both sign-in methods remain available.

To sign in with a directory account, users can do one of the following:

Go to the organization-specific URL: https://cloud.uipath.com{organizationName}/
On the main login page, select Continue with Enterprise SSO.

Why can I not search for users or groups after configuring the integration?

If you signed in using a local user account instead of your directory account, you will not be able to search for users or groups in Automation Cloud^TM.

To understand the differences between local and directory accounts, refer to Phasing out local accounts.

To resolve the issue, ensure that you are signed in with your Microsoft Entra ID account.

Do I need to reassign permissions?

No, you do not need to reassing permissions. When accounts are linked, Automation Cloud^TM automatically applies existing permissions to the corresponding Microsoft Entra ID account. Directory user accounts receive permissions from both direct assignments and directory group memberships.

What Microsoft Entra ID attributes are mapped to Automation Cloud directory user accounts, and when are they updated?

Automation Cloud™ maps only a limited set of Microsoft Entra ID attributes to directory user accounts. The following table summarizes the available attributes.

All user attributes are updated during sign-in and when users are searched or assigned access to resources in Automation Cloud^TM.

Automation Cloud attributes	Microsoft Entra ID attributes	Purpose
Username	`user.userPrincipalName`	Unique identifier. This property is required when a user is created, and it cannot be cleared during updates.
Display name	`user.displayName`	The user’s full name, typically a combination of first and last name. This property is required when a user is created, and it cannot be cleared during updates.
First name	`user.givenName`	The user’s first name.
Last name	`user.surName`	The user’s last name.
Email	`user.Mail`	The user’s email address This property is required when a user is created, and it cannot be cleared during updates.
Job title¹	`user.JobTitle`	The user's job title.
Department¹	`user.Department`	The user’s department.
City¹	`user.City`	The user’s city.
Company name¹	`user.CompanyName`	The user’s company name.

¹Automation Hub is the only service that leverages the City, Job Title, Department, and Company name values from Microsoft Entra ID. If you require these attributes, you must request for a higher privileged permission, as documented in Configuring the Microsoft Entra ID integration.

Note: For descriptions of Microsoft Entra ID attributes, refer to the Microsoft documentation.

How quickly do Microsoft Entra ID group membership changes apply?

Changes to Microsoft Entra ID group membership take effect at the next sign-in or within one hour for users who are already signed in.

Can I revert to local accounts after integration?

Yes, you can revert to local accounts after integrating with Microsoft Entra ID. An Automation Cloud^TM organization administrator must complete the following steps:

Re-invite the local user accounts.
Migrate all directory group–based permissions to direct assignments on the corresponding local accounts.
Ask users to sign out and then sign in with their local user account.

Can I migrate from Microsoft Entra ID integration to SAML integration?

Yes, you can migrate from Microsoft Entra ID integration to SAML integration. An Automation Cloud^TM organization administrator must ensure that both identity systems use the same email address for each user. The administrator must also migrate all permissions assigned through Microsoft Entra ID groups to SAML provisioning rules.

Why does the integration use the Microsoft Entra ID's hybrid OAuth 2.0 authorization code grant flow?

Automation Cloud^TM uses the hybrid flow to obtain the ID token from the authorization endpoint and to reduce authentication latency, as described in Microsoft Entra ID documentation.

On this page