Overview
Securely connect Microsoft Entra ID (Azure AD) to Enterprise Hub (EH) to enable Single Sign-On (SSO). This one-time setup enhances security, reduces IT support costs, and streamlines user access with seamless Entra-based authentication.
Who uses this feature
Administrators
Applies to all business types
Applies to all trades
Feature configuration
This feature is currently in Early Access and available for specific accounts. It is subject to change. If you want to enable this feature for your account, please contact your Customer Success Manager (CSM) for details.
Before you get started
The setup consists of two parts:
Administrator configuration (one-time setup): Connect Microsoft Entra ID to Enterprise Hub.
User account linking (one-time per user): Securely link a user's Entra identity to their Enterprise Hub account.
When completed:
Users sign in using Sign in with Microsoft Entra ID.
No separate Enterprise Hub password is required for future logins.
Authentication is securely managed through your company's Entra tenant.
Administrator setup: connect Microsoft Entra ID to Enterprise Hub
The user performing this setup must have:
The Manage SSO permission enabled under the Settings section in Enterprise Hub.
Microsoft Entra administrator permissions.
Note: If you're not a Microsoft Entra administrator, forward the link to a user who has Microsoft Entra administrator permissions.
Be sure to have your Microsoft Entra Tenant ID available. The Tenant ID does not need to match your organization's registered ServiceTitan environment.
The connection remains in a Pending state until activated.
To access different environments (for example, Go or Next), each environment must be configured separately for Microsoft Entra SSO.
Connect your Entra Tenant ID to Enterprise Hub
Step 1: Get your Entra Tenant ID
Sign in to the Microsoft Entra Admin Center with administrator rights.
Locate and copy your Tenant ID.

This value is required during Enterprise Hub setup.
Step 2: Enable the Manage SSO permission
Before beginning setup, confirm that your Enterprise Hub administrator has the correct permission.
In Enterprise Hub, go to Settings > Single Sign-On (SSO).
Ensure your user profile includes the Manage SSO permission under the Settings section.
If no SSO connections exist, the page will appear empty.
Click Add Connection.

If the SSO page is not visible, verify that the Manage SSO permission is enabled.
Step 3: Create a new SSO integration
A setup drawer opens prompting you to:
Enter a Name for your integration.
Paste the Entra Tenant ID from Microsoft Entra Admin Center.

Click Proceed with Entra ID set up.
A pop-up notification confirms that a new activation URL has been copied to your clipboard.
Step 4: Activate the connection
Paste the copied URL into a new browser window or forward the URL to your Microsoft Entra Administrator.
Review and accept the Microsoft Permissions screen.
Sign in with your Entra administrator credentials.

After successful authentication:
Enterprise Hub automatically verifies the connection.
The SSO integration status changes from Pending to Active.
The connection is now complete.

User experience: credential-based account linking
When SSO is activated and the auto-linking button is enabled, users can begin signing in with Microsoft Entra ID. The first time a user signs in with Microsoft Entra ID, they must complete a one-time account verification process.
Note: Administrators should remember that:
This account linking flow applies only to users logging in with Microsoft Entra ID for the first time.
Users must belong to the same Microsoft Entra organization that was configured for SSO to complete auto-linking.
Link your user account to Enterprise Hub
Step 1: User signs in with Microsoft Entra ID
Go to the Enterprise Hub login screen.
Click Sign in with Microsoft Entra ID.

The user is redirected to Microsoft to authenticate with their organization's credentials.
Note: If you have more than one account, you will be prompted to select an account.

Step 2: Redirect back to Enterprise Hub
After successful Entra authentication:
The user is redirected back to Enterprise Hub.
The system detects that their Entra ID has not yet been linked to an Enterprise Hub account.
Step 3: One-time Enterprise Hub credential prompt
The user sees the message: "To securely link your accounts, please sign in one time with your Enterprise Hub password." This ensures the Entra identity belongs to the correct Enterprise Hub account holder.

Step 4: Account linking verification
The user enters their Enterprise Hub username and password.
If authentication is successful:
Enterprise Hub creates a permanent, verified link between:
The user's Entra identity (object ID + tenant ID)
Their internal Enterprise Hub account
This step occurs only once.

Step 5: Seamless future logins
After the account is linked:
Users click Sign in with Microsoft Entra ID.
They are automatically signed in.
The Enterprise Hub password prompt does not appear again.
All future logins are SSO-only experiences.
Security safeguards
The Enterprise Hub SSO implementation includes multiple layers of protection.
Inter-tenant account takeover (ATO) prevention
Each login token from Microsoft Entra includes a tenant ID (tid).
Enterprise Hub verifies that this matches the pre-configured Entra Tenant ID.
Cross-organization login attempts are blocked.
This prevents users of unauthorized Entra tenants from accessing your Enterprise Hub environment.
Explicit user verification
The one-time Enterprise Hub credential prompt confirms the user is a validated Enterprise Hub account holder.
This prevents unauthorized Entra users from linking to the wrong Enterprise Hub identity.
Secure token validation
After linking, the Entra ID connection is securely stored.
On every login, Enterprise Hub validates:
Entra authentication tokens
Tenant configuration
Administrators can revoke or re-establish links if needed.
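The tenant check and the (object ID + tenant ID) link described above, shown as an added example that is not Enterprise Hub's own code. It assumes the token's signature, audience and expiry were already verified by an OIDC library; LinkStore, tenant_allowed, handle_login and complete_linking are hypothetical names, and the tenant GUID is a constructed sample.

```python
# Constructed sample values; not real tenants, users or Enterprise Hub code.
CONFIGURED_TENANT = "11111111-1111-1111-1111-111111111111"
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


class LinkStore:
    """In-memory stand-in for stored Entra-to-Enterprise Hub links."""

    def __init__(self):
        self._links = {}  # (tid, oid) -> Enterprise Hub username

    def lookup(self, tid, oid):
        return self._links.get((tid, oid))

    def link(self, tid, oid, username):
        self._links[(tid, oid)] = username

    def revoke(self, tid, oid):
        self._links.pop((tid, oid), None)


def tenant_allowed(claims, configured=CONFIGURED_TENANT):
    """Check tid, and that iss names the same tenant, on verified claims."""
    tid = claims.get("tid")
    if not isinstance(tid, str) or tid.lower() != configured.lower():
        return False
    return claims.get("iss") == ISSUER_TEMPLATE.format(tid=tid.lower())


def handle_login(claims, store):
    """Return (state, username): blocked, needs_linking or signed_in."""
    oid = claims.get("oid")
    if not tenant_allowed(claims) or not isinstance(oid, str) or not oid:
        return ("blocked", None)
    user = store.lookup(claims["tid"].lower(), oid)
    return ("signed_in", user) if user else ("needs_linking", None)


def complete_linking(claims, store, username, password_ok):
    """Create the one-time link; password_ok is the normal password check result."""
    state, _ = handle_login(claims, store)
    if state != "needs_linking" or not password_ok:
        return False
    store.link(claims["tid"].lower(), claims["oid"], username)
    return True
```

Keying the link on the pair (tid, oid) rather than on an e-mail address or display name means an identity from another tenant can never resolve to an existing link, even if it reuses the same user name.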
