Set up JIT group synchronization: OpenID Connect and Microsoft Entra ID

Prerequisites

• Single sign on (SSO) is setup for DeepL. If you haven't set up SSO, follow the instructions in this article.
• Protocol: OIDC (Open ID Connect)
• Identity provider: Microsoft Entra ID (formerly AzureAD)

To use Just-In-Time (JIT) provisioning with group synchronization, you need to update your SSO configuration in both DeepL and your Microsoft Entra ID instance. 

Set JIT group synchronization in Microsoft Entra ID

Add groups claim

1. Select Token configuration under Manage.
   In the list you see that no group claim is configured in the token.
2. To add a group claim, click on Add groups claim.
3. Select Groups assigned to application under Select group types to include in Access, ID, and SAML tokens.
4. Select Group ID under Customize token properties by type and click Add.
   The groups' claim is included in the OIDC token.

Set permissions

1. Select API permissions in the left-hand panel.
2. By default the permission User.Read should be listed below Microsoft Graph. If not, insert it manually.
3. Click Add a permission in the center panel.
4. Select Microsoft Graph, then select Delegated permissions.
5. Check the box for email and GroupMember.Read.All and click Add permissions.
6. Click Grant admin consent and confirm with Yes.

Enable JIT group synchronization in DeepL account

1. Login as an admin.
2. Click on your user and select Account and go to the Settings tab.
3. Go to Team and Single sign-on and click Edit.
4. Enter the following information from the configured application in OneLogin.
   • OpenID Connect metadata
     Open your registered application in Microsoft Entra ID and click on Endpoints on the Overview page.
   • Client Secret
     Enter your saved Client Secret of the registered application from Microsoft Entra ID.
   • Enter groups as the Group Claim Name.
5. Enable JIT Group Sync.
6. Confirm and Save changes.

Set up groups

1. Go to Microsoft Entra ID.
2. Create groups for the DeepL access and add users to the groups.
3. Go to Enterprise applications and select the registered application to add the groups to the application.
4. Go to your DeepL account.
5. Create the same groups that you created in your Microsoft Entra ID instance to manage your users

6. Go to tab Groups and click on Create Group.
    

   JIT Provisioning Group Sync does not create groups based on the OIDC token. If the token includes groups that do not exist in DeepL, that group information will be ignored, and the user is added only to the Default group. For more information about this default behavior, please consult the Default Behavior section in this article.

   

7. Enter a Group name.
   We recommend using the same name that you used for your groups in Microsoft Entra ID. However, you may choose a different name, e.g., if your organization uses concealed group names in the identity provider.
8. Enter the group’s Object ID from Microsoft Entra ID under Group ID.
   You find the ID on the Group properties page.
   
9. Select one or several subscriptions the user group should have access to
   
10. Click on Create group to save the changes.
11. Repeat this process for each group from your Micrsoft Entra ID instance.
    As a result, the groups you have granted access to the DeepL application will be reflected in your DeepL account.
12. Test the SSO login with a user. Once the user logs in, they will be automatically assigned to the DeepL group or groups that match the Microsoft Entra ID group based on the configured Group ID.