Who should do this: Your IT administrator or the person who manages your Azure / Entra ID tenant
What you need before starting: A TOTAL representative will send you a short list of values to enter into Azure. Have that information ready.
What You Are Setting Up
TOTAL uses two Microsoft standards to manage your administrators:
- OIDC (Single Sign-On) — Your admins click Sign in with Microsoft on the TOTAL login page. Microsoft verifies their identity and sends TOTAL a confirmation. No password is stored in TOTAL.
- SCIM (Automatic Provisioning) — Azure automatically tells TOTAL when someone joins or leaves your admin group. You never manually create or delete accounts in TOTAL — it stays in sync with your directory.
What Permissions You Need
- Applications — To create or manage the TOTAL enterprise app / app registration, set redirect URIs, create a client secret, add Microsoft Graph permissions, and grant tenant-wide admin consent (including application permissions such as GroupMember.Read.All).
- Groups — To create security groups, look up users, and add or remove group members (your TOTAL admin group).
- Provisioning (SCIM) — To configure enterprise app provisioning to TOTAL (sync job, secrets, schema mapping). This requires Microsoft Entra ID P1 or P2; the Free tier does not support the group-based SCIM provisioning TOTAL uses.
- Global Administrator — covers everything above in one role, or
- Application Administrator + Groups Administrator + Privileged Role Administrator (or another role that can grant tenant-wide admin consent for application permissions — **Application Administrator alone is not enough** for that consent step).

