1. Help Center
  2. Integrations
  3. Security and sign-on integrations

Microsoft Entra (Azure) SAML integration

Integrating Marq with Azure enables your users to authenticate using SAML single-sign on through Azure. Azure also offers a SCIM connection that allows you to provision users in your IDP


Note: all references to "lucidpress" in the video above should be replaced with "marq".

Configure the SAML Integration for Marq via Microsoft Entra (Azure) Portal

  1. Add the Marq Enterprise application to your Microsoft Entra (Azure) instance.
  2. In Marq, navigate to the Identity Management section of your Admin panel by clicking Admin > Identity Management. Check the box next to Allow SAML authentication, then click Save Changes

    If you would like to set SAML as the default authentication method for users on your account (i.e. what they encounter when they click “next” after typing their email address into the log in page), you can do so in the Default authentication dropdown below.

  3. On the same page, click Configure to navigate to your SAML activation page in Marq.
  4. Under Marq Sign in URL, enter your Domain name, then click Save Changes.
  5. In the Microsoft Entra (Azure) Marq Enterprise Application, navigate to Single Sign-on > Configure Single sign-on
  6. Under Single Sign-on Mode, select SAML-based Sign on.
  7. Your Basic SAML Configuration settings in Microsoft Entra (Azure) should look like the below. 
    SP identifier/entityID/audience restriction: marq.com
    Sign on URL: https://app.marq.com/saml/sso/[YOUR_DOMAIN]
    ACS/Reply URL primary Index = 0: https://app.marq.com/saml/sso/[YOUR_DOMAIN]
    ACS/Reply URL secondary Index =1: (this is only needed for accounts that use federated SAML metadata) https://app.marq.com/saml/sso/[YOUR_DOMAIN]     
    SSO Service Binding: We default to POST, but can work with REDIRECT (please contact us if you are using REDIRECT)
    Digest Algorithm: SHA-256
    nameID: We prefer working with email, but can work with other values 
  8. Confirm that user.userprincipalname is the User Identifier.  All basic attributes and claims should be set up already by default.
  9. Click Save at the top of the page.
  10. Select Metadata XML under the SAML Signing Certificate to download the IDP metadata. You will upload this file to Marq in the next step..
  11. Back in Marq, scroll down in the SAML Activation page of Marq and click Add Identity Provider. Upload the .xml file that you downloaded from Microsoft Entra (Azure) in the previous step.
  12. Click Test SAML connection to verify that Marq is properly communicating with Microsoft Entra (Azure). Note: The connection will only work if the Marq app has been assigned to your test user in Microsoft Entra (Azure). You can assign the app to users in the Assignments section of the app page.

Adding a Marq Linked Enterprise Application via Microsoft Entra (Azure) Portal

While we will rely on the Marq Enterprise Application in Microsoft Entra (Azure) to authenticate your users into Marq, should you want your users to see a Gallery Enterprise Application, please follow the following steps. Please note all steps take place within Microsoft Entra (Azure) AD.

  1. Open the Enterprise Application section of the Microsoft Entra (Azure)AD portal.  Click the + Application button at the top of your application list.
  2. Choose the “Non-gallery application” option, naming it Marq and adding it.
  3. Select “Set Up Single Sign on”
  4. Add the sign-on URL from your Marq application and paste it into the “sign-on URL” text box. 
  5. Navigate to the Properties tab after downloading the Marq logo here.  There you can upload the image as an Application icon.  
  6. Make sure you assign any users you want to see the app in their Gallery.  Note, SAML access is determined by the Marq app, so users must have both apps assigned to them even if that user just uses Marq.

Create Users Upon Log-In with SAML

Once you have configured SAML with Microsoft Entra (Azure) for your Marq account, you can set up Just-In-Time provisioning so that users assigned Marq access in Microsoft Entra (Azure) who do not have a Marq account will have an account created for them upon their first log-in.

To enable new user creation for users assigned to the application, you will need to navigate to the “Properties” tab in your Marq application page within Microsoft Entra (Azure). From there, scroll to the bottom of the page and toggle the “User Assignment request to Access Application” to “Off.” Then, select “Users and groups” from the “Manage” menu. Select and assign users and/or groups to access the Marq application.

You can then set up Just-In-Time provisioning in the Licensing Settings section of your Marq admin panel.

  • If you would like all users to come onto your Marq team with full-edit licenses, set the setting for “When a new user joins a team” to “Automatically grant license.”
  • If you want all users to come in as view-only users, set the setting for “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, you can have licenses automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.

Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.

Configure SCIM for Marq with Microsoft Entra (Azure)

You can enable SCIM with Microsoft Entra (Azure) by following the steps below. Please note that the Marq app for Microsoft Entra (Azure) supports auto-provisioning with SCIM but not auto-licensing. This means that you can use SCIM to create Marq users before their first log-in but you cannot assign them a specific license type (eg. full-edit vs. view-only). Please see the Auto-Provisioning and Auto-Licensing article for more information about this distinction.

Before configuring SCIM, you will need to do the following:

  • Confirm that you are on an Enterprise account with an up-to-date pricing plan. 
  • Contact your Marq Customer Success Manager so that they can enable SCIM for your account.

Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don’t hesitate to reach out!


Once you have followed the pre-configuration steps listed above, you can configure SCIM for Marq in Microsoft Entra (Azure) by following these steps:

  1. In Marq, go to Admin > App Integration > SCIM.
  2. Click “generate token.” Marq will populate the “Bearer Token” text field with a unique code for you to share with Microsoft Entra (Azure).
  3. In Microsoft Entra (Azure), go to the Provisioning tab and use the Marq Base URL and Bearer token to configure SCIM for the Marq Microsoft Entra (Azure) app.

FAQs/Common Issues


What is the difference between Microsoft SSO and Microsoft Entra (Azure) SAML Sign-On?
Microsoft SSO and Microsoft Entra (Azure) SAML Sign-On are both managed from the Microsoft Entra (Azure) portal. SAML uses SAML2.0 protocol while MS SSO uses OAuth2.0 OpenID. Generally, SAML set-ups are considered more secure because the encryption is on the transport layer (SSL).