Configuring Microsoft Single Sign-On (SSO) with Canvas
This guide walks through enabling Microsoft SSO for your Canvas organization. It covers two roles across three steps: the user requests access, the Entra ID administrator approves it, and the user then signs in.
Prerequisite: The user must already have a Canvas account.
1. Request Access (User)
- Go to the Canvas login page.
- Click Sign in with Microsoft.
- A consent screen will appear indicating that your Entra ID administrator must grant permission. Notify your administrator and wait for their approval before proceeding.
2. Grant Access (Entra ID Administrator)
- You will receive a notification that a user has requested access to ConnectMyApps Canvas and that admin consent is required.
- In the Entra ID admin portal, review and grant admin consent for the application.
- Inform the requesting user that access has been granted.
Permissions Requested
ConnectMyApps Canvas requests the following Microsoft Graph permissions:
| Claim | Permission |
|---|---|
| openid | Sign users in |
| email | View users' email address |
| offline_access | Maintain access to data you have given it access to |
3. Sign In with SSO (User)
- Go to the Canvas login page.
- Click Sign in with Microsoft.
- If you are already signed in to your Microsoft account, you will be taken directly to the Canvas dashboard. Otherwise, enter your organizational credentials and complete any MFA prompts.
Troubleshooting
| Issue | Resolution |
|---|---|
| Access not granted | Confirm with your administrator that admin consent has been granted for ConnectMyApps Canvas. |
| Account not found | Ensure you are signing in with the correct Microsoft organizational account. |
| MFA issues | Contact your organization's IT administrator. |
Important Notes
- Admin consent is granted at the Entra tenant level — once approved, all users in the tenant who have a Canvas account can sign in via SSO.
- Users in the same tenant without a Canvas account will not be able to sign in.
- SSO users can still sign in with their Canvas username and password. An option to enforce SSO-only login is planned for a future release.
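To confirm that the consent granted in step 2 matches the Permissions Requested table, an administrator can export the tenant's delegated permission grants and compare them with the three documented scopes. The script below is an added example, not ConnectMyApps code; it assumes input shaped like Microsoft Graph `oauth2PermissionGrant` objects, and every id in the sample is a constructed placeholder.

```python
import json

# Scopes the page lists for ConnectMyApps Canvas.
DOCUMENTED_SCOPES = {"openid", "email", "offline_access"}

# Constructed sample shaped like the "value" array returned by Microsoft Graph
# GET /oauth2PermissionGrants. All ids are placeholders, not real tenant values.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "grant-1", "clientId": "sp-canvas", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": " openid email offline_access"},
  {"id": "grant-2", "clientId": "sp-overgranted", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "openid email offline_access Mail.Read"},
  {"id": "grant-3", "clientId": "sp-partial", "consentType": "Principal",
   "principalId": "user-1", "resourceId": "sp-graph", "scope": "openid email"}
]
""")


def audit_grants(grants, client_id, documented=frozenset(DOCUMENTED_SCOPES)):
    """Return findings for one service principal's delegated grants."""
    mine = [g for g in grants if g.get("clientId") == client_id]
    if not mine:
        return ["no delegated grant found: admin consent has not been given"]
    findings, tenant_wide = [], set()
    for g in mine:
        scopes = set((g.get("scope") or "").split())  # tolerates leading spaces
        extra = scopes - documented
        if extra:
            findings.append(f"{g['id']}: undocumented scopes {sorted(extra)}")
        if g.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # tenant-level admin consent
        else:
            findings.append(f"{g['id']}: per-user consent for {g.get('principalId')}")
    missing = documented - tenant_wide
    if missing:
        findings.append(f"tenant-wide consent lacks {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for sp in ("sp-canvas", "sp-overgranted", "sp-partial", "sp-absent"):
        print(sp, audit_grants(SAMPLE_GRANTS, sp) or "matches the documented scopes")
```

An empty result means the tenant-wide grant carries exactly the documented scopes; any finding is a reason to review the grant in the Entra ID admin portal.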