
Packed with new features and enhancements, Command Centre v9.40 is a powerful release for organizations looking to modernize their access control infrastructure. For organizations embracing cloud-first strategies, Command Centre v9.40 introduces a new Single Sign-On (SSO) integration with Microsoft Entra ID (formerly Azure AD).
This strategic integration is key to the industry's shift towards cloud-first identity management and Zero Trust architecture. By centralizing physical access system authentication, this feature offers significant benefits for both enterprise security and IT management, ensuring that access to your physical security system is as secure as your network.
This guide provides IT administrators with the clear steps needed to implement a seamless, secure SSO experience for Command Centre operators.
Key Takeaways:
- Microsoft Entra ID SSO allows you to instantly enforce MFA and Conditional Access for Command Centre operators, dramatically enhancing security posture.
- You can run both legacy AD SSO and the new Entra ID SSO in parallel, enabling a smooth, phased transition without operational downtime.
- The integration uses OpenID Connect and OAuth 2.0 via MSAL, aligning your physical security system with enterprise cloud-first identity standards.
What Is Microsoft Entra ID SSO?
The Command Centre SSO integration is built on two modern identity protocols, OpenID Connect and OAuth 2.0, which provide a secure and flexible foundation. Token exchange is handled by the Microsoft Authentication Library (MSAL), which keeps the exchange secure and the user experience seamless. This approach provides greater security and flexibility compared to older, certificate-based SSO methods.
To fully appreciate the value of this integration, it’s helpful to define the core components:
- Microsoft Entra ID: This is Microsoft’s cloud-based identity and access management service. It serves as the primary system of record for organizations, managing how users sign in and access cloud resources. It is the modern replacement for traditional, on-premises Active Directory services.
- Single Sign-On (SSO): SSO is an authentication scheme that allows a user to log in with a single ID and password to gain access to multiple related, yet independent, software systems. In the context of Command Centre, it means your operators will use their standard, verified Microsoft credentials to access the physical security client.
Benefits of Entra ID SSO in Command Centre
Integrating Entra ID with your physical access system is a strategic decision that drives efficiency and dramatically enhances security.
- Aligns with Cloud-First Identity Strategies: Moves physical security authentication to the centralized, modern Microsoft Entra cloud environment.
- Reduces Reliance on Legacy AD Infrastructure: Eliminates the need to maintain outdated on-premises Active Directory Federation Services (AD FS).
- Centralized Access Control: Access for Command Centre operators is managed alongside all other enterprise applications, simplifying administration and policy consistency.
- Enables Multi-Factor Authentication: Easily enforces MFA for all operators, drastically reducing credential attack risk.
- Supports Conditional Access Policies: Leverages Entra ID’s powerful policies to define specific security requirements before access to Command Centre is granted.
- Simplifies User Management: Ensures access to the entire enterprise, including Command Centre, is instantly revoked from one cloud platform when an employee leaves.
- Supports Smoother Migration: Allows parallel operation with legacy systems, facilitating a non-disruptive, phased migration to modern identity solutions.
How to Configure Entra ID SSO in Command Centre
Implementing Microsoft Entra ID SSO in Command Centre is a straightforward, four-step process for IT teams.
Step 1: Configure Entra ID tenancy settings in the Microsoft Entra Admin Portal
The first phase involves preparing your Microsoft cloud environment.
- Sign in to the Microsoft Entra admin centre and add the Gallagher Command Centre application under Enterprise applications.
- Register the app using App Registrations for OpenID Connect support, noting the Client ID, Tenant ID, and redirect URIs for the Command Centre Client.
- Enable necessary authentication settings, such as the Single-Page Application (SPA) platform with appropriate redirect URIs, and assign users or groups via Users and Groups to ensure email fields match for SSO.
- Record key values, including Issuer URL, Login URL, and Microsoft Entra Identifier, for use in the Command Centre configuration.
Step 2: Set up Entra ID SSO in Command Centre with global or individual cardholder-level controls
Next, establish the connection within the physical security system.
- In the Command Centre Client, access SSO settings and input the Entra ID tenancy details, including the Client ID and Issuer URL obtained from the admin portal.
- Apply global controls for organization-wide enablement or use individual cardholder-level settings to manage access precisely, supporting modern protocols like OAuth 2.0, OpenID Connect, and MSAL for secure token exchange.
- Ensure prerequisites, such as Command Centre version compatibility and REST Client items, are met if integrating with Entra ID Sync features.
Step 3: Use flexible rollout options (test groups and phased deployment)
A successful rollout depends on flexibility and testing.
- Configure test groups using individual cardholder controls to pilot SSO with select operators before a global rollout, allowing parallel operation with existing Active Directory SSO for zero disruption.
- Leverage Entra ID's conditional access policies and multi-factor authentication during phased deployment to enhance security while migrating from legacy systems.
- Verify setup by checking Seamless SSO status in Entra ID > Entra Connect > Connect sync, ensuring domain admin credentials enable the feature across synced forests.
Step 4: End-user login process – users select Entra ID and authenticate via SSO
Once configuration is complete, the end-user experience is seamless.
- At the Command Centre login screen, users select the Microsoft Entra ID option to initiate authentication, completing MFA or conditional access as prompted.
- Upon success, Command Centre automatically logs them in using stored SSO tokens for seamless future sessions, reducing reliance on local credentials.
- Test login with pilot users to confirm automatic re-authentication, and troubleshoot by reviewing Entra ID enterprise app properties, such as "Visible to users" being set to Yes.
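A pre-flight check for the values recorded in Step 1 before they are entered in Step 2, as an added example (not Gallagher's or Microsoft's code). The function name, the sample values and the accepted issuer hosts (global Azure cloud only) are assumptions; confirm the exact Issuer URL form Command Centre expects against its documentation.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Assumption: global Azure cloud; national clouds use other login hosts.
ISSUER_HOSTS = {"login.microsoftonline.com", "sts.windows.net"}

def check_sso_values(tenant_id, client_id, issuer_url, redirect_uris):
    """Return a list of problems in the values recorded during Step 1."""
    problems = []
    if not GUID.match(tenant_id):
        problems.append("Tenant ID is not a GUID")
    if not GUID.match(client_id):
        problems.append("Client ID is not a GUID")
    elif client_id.lower() == tenant_id.lower():
        problems.append("Client ID and Tenant ID are identical")
    iss = urlsplit(issuer_url.strip())
    if iss.scheme != "https" or iss.hostname not in ISSUER_HOSTS:
        problems.append("Issuer URL is not an HTTPS Microsoft login endpoint")
    elif tenant_id.lower() not in iss.path.lower().split("/"):
        problems.append("Issuer URL belongs to a different tenant")
    if not redirect_uris:
        problems.append("No redirect URI recorded")
    for uri in redirect_uris:
        u = urlsplit(uri)
        loopback = u.hostname in ("localhost", "127.0.0.1")
        # Plain HTTP is only acceptable for a loopback address.
        if u.scheme != "https" and not (u.scheme == "http" and loopback):
            problems.append(f"Redirect URI must be HTTPS or loopback: {uri}")
        if "*" in uri or u.fragment:
            problems.append(f"Redirect URI has a wildcard or fragment: {uri}")
    return problems

# Constructed sample values (not from a real tenant or from Gallagher documentation).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
GOOD = check_sso_values(TENANT, CLIENT,
    f"https://login.microsoftonline.com/{TENANT}/v2.0",
    ["https://cc.example.com/auth", "http://localhost:8080/"])
BAD = check_sso_values(TENANT, TENANT,
    "https://login.microsoftonline.com/99999999-2222-3333-4444-555555555555/v2.0",
    ["http://cc.example.com/auth", "https://*.example.com/"])

if __name__ == "__main__":
    print("good:", GOOD)
    for p in BAD:
        print("bad:", p)
```

An empty result means the recorded values are internally consistent; it does not confirm that the app registration itself is configured correctly.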
Migrating from Active Directory SSO
For customers currently relying on legacy Active Directory SSO, the migration path is designed for zero disruption.
Command Centre supports running both AD SSO and Entra ID SSO in parallel. This critical feature ensures a smooth and disruption-free transition, allowing IT teams to conduct comprehensive testing and implement phased migration strategies without impacting existing operations.
You can continue to use your existing Active Directory authentication while you bring users onto the new cloud-based Entra ID authentication one group at a time.
Licensing Information
This functionality is available under two options:
- Included in Entra ID Sync Licence: Entra ID SSO is included in the Entra ID Sync licence (meaning no additional cost) if you have purchased the Entra ID Sync Feature (C12948).
- Individual Licence: Alternatively, it can be licensed individually (reference: C12942 - LIC ENTRA ID SSO).
Regardless of the licensing method, the feature must be enabled via the system Feature flag: EntraIDSingleSignOn=1.
Final Thoughts: Your Strategic Shift to Entra ID
The introduction of Microsoft Entra ID SSO into Command Centre is more than just a convenience feature; it is a critical security and operational upgrade.
By moving authentication to the Microsoft cloud, you immediately align your physical security system with the security policies and identity management standards of the leading enterprise IT platform. This ensures simplicity for your operators, tested security for your organization, and a move toward modern identity alignment that positions your access control system as truly future-ready.
Contact your certified Gallagher Channel Partner today for a personal consultation on implementing Microsoft Entra ID SSO.