Hosted OAuth vs. Custom Azure Application Setup
Goodsted supports secure Single Sign-On (SSO) integration with Microsoft Azure Active Directory (Azure AD) in two ways:
1. Hosted OAuth SSO via Goodsted’s Azure Tenant
2. Custom Azure Application Setup within the Client’s Azure Tenant
This guide explains both options and includes step-by-step setup instructions for the custom Azure app integration.
🔒 1. Hosted OAuth SSO (Goodsted Tenant)
Overview:
This default setup allows users to log in with Microsoft accounts through a multi-tenant application hosted and managed by Goodsted.
Key Features:
No setup required by the client.
Client admin must still authenticate and approve the Goodsted application for use by their users the first time it's accessed.
Goodsted can restrict login access to specific email domain(s) (e.g. @yourcompany.com) to ensure only authorised users can sign in.
Users click "Sign in with Microsoft" on Goodsted, and the OAuth flow handles the rest.
Pros:
Instant access with no IT setup
Easy for pilots or small teams
Optional domain-based access control
Limitations:
Less visibility into logins (no Azure AD sign-in reporting)
Cannot enforce organisation-wide SSO policies like MFA or conditional access
No branding on login or consent screens
🔐 2. Custom Azure Application Setup (Client Tenant)
Overview:
In this setup, the client registers a dedicated Azure AD application in their own tenant to manage Goodsted SSO. This gives full control over security policies, access rules, branding, and monitoring.
Set-Up Instructions
Azure Application Setup Guide for Goodsted SSO
This process outlines how to configure your own Azure AD application for SSO with Goodsted:
✅ Step 1: Create an Azure AD Application
Log into the Azure Portal.
Navigate to Azure Active Directory.
In the sidebar, select App registrations.
Click New registration.
✅ Step 2: Register Your Application
Enter a descriptive Name (e.g., “Goodsted SSO”).
Choose Supported account types (typically: Accounts in this organizational directory only).
Under Redirect URI, select Single-page application (SPA).
Enter the URI: https://<customer-slug>.goodsted.com/custom-page.html
(Replace <customer-slug> with your specific Goodsted subdomain or identifier.)
Click Register.
⚠️ Important: Do not select “Web” as the Redirect URI type.
You must use Single-page application (SPA).
✅ Step 3: Locate Your Client ID and Tenant ID
Once registered, your app’s Overview page will display:
Client ID (Application ID):
Copy the value listed as Application (client) ID.
Tenant ID (Directory ID):
Copy the value listed as Directory (tenant) ID.
✅ Step 4: Share IDs with Goodsted
Please send the following details to your Goodsted contact:
Client ID: (paste Application ID)
Tenant ID: (paste Directory ID)
Once received, Goodsted will finalise and test the SSO integration on your behalf.
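The Client ID and Tenant ID from Steps 3 and 4, and the domain restriction of the hosted option, correspond to checks on the claims of the ID token that Azure AD issues at sign-in. The following is an added example, not Goodsted's code: the function name, the config shape, the v2.0 issuer format and the use of the preferred_username claim are assumptions, and the token's signature is assumed to have been verified already.

```javascript
// Added illustration, not Goodsted's code. `claims` is the payload of an ID
// token whose signature was ALREADY verified against Microsoft's signing keys.
const AUTHORITY = "https://login.microsoftonline.com"; // v2.0 endpoint assumed

// cfg.clientId       Application (client) ID from Step 3 (always required)
// cfg.tenantId       Directory (tenant) ID from Step 3 (custom app option)
// cfg.allowedDomains email domains to accept (hosted option), lowercase
function checkIdTokenClaims(claims, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  const errors = [];
  // The token must have been issued for this application.
  if (claims.aud !== cfg.clientId) errors.push("aud");
  // Single-tenant restriction: only the customer's directory is accepted.
  if (cfg.tenantId && claims.tid !== cfg.tenantId) errors.push("tid");
  // The issuer must name the same tenant as tid, so the two cannot disagree.
  if (claims.iss !== `${AUTHORITY}/${claims.tid}/v2.0`) errors.push("iss");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) errors.push("exp");
  if (cfg.allowedDomains) {
    // Exact match on the part after the last "@"; a suffix or substring test
    // would also accept look-alike domains. preferred_username can change,
    // so the tid check is the stronger control when a tenant ID is known.
    const name = String(claims.preferred_username || "").toLowerCase();
    const at = name.lastIndexOf("@");
    const domain = at > 0 ? name.slice(at + 1) : "";
    if (!cfg.allowedDomains.includes(domain)) errors.push("domain");
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample values (not real IDs).
const SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111";
const SAMPLE_CLIENT = "22222222-2222-2222-2222-222222222222";
const SAMPLE_NOW = 1700000000;
const sampleClaims = {
  aud: SAMPLE_CLIENT,
  tid: SAMPLE_TENANT,
  iss: `${AUTHORITY}/${SAMPLE_TENANT}/v2.0`,
  exp: SAMPLE_NOW + 3600,
  preferred_username: "alex@yourcompany.com",
};
const customCfg = { clientId: SAMPLE_CLIENT, tenantId: SAMPLE_TENANT };
const hostedCfg = { clientId: SAMPLE_CLIENT, allowedDomains: ["yourcompany.com"] };

console.log(checkIdTokenClaims(sampleClaims, customCfg, SAMPLE_NOW));
console.log(checkIdTokenClaims(sampleClaims, hostedCfg, SAMPLE_NOW));
```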
🔄 Summary: Comparing the Two Options
| Feature | Hosted OAuth (Goodsted Tenant) | Custom Azure App (Client Tenant) |
| --- | --- | --- |
| Client Setup Required | None | ✅ Azure app registration |
| Client Admin Consent Required | ✅ Yes | ✅ Yes |
| Domain Restriction Possible | ✅ Yes (configured by Goodsted) | ✅ Yes (via Tenant ID) |
| Advanced Access Policies (MFA, Conditional Access) | ❌ No | ✅ Full control |
| Azure Sign-In Monitoring | ❌ No | ✅ Yes |
| Consent Screen Branding | ❌ No | ✅ Customisable |
| Best For | Pilots, fast access, small teams | Enterprises, scale, compliance-driven orgs |
🧭 Which Should You Choose?
| Your Priority | Recommended Option |
| --- | --- |
| No setup, quick onboarding | Hosted OAuth |
| Full IT control & security integration | Custom Azure App |
| Want login restricted to your staff only | Both methods support this |
| Auditability, compliance, and visibility | Custom Azure App |
🧑‍💻 Need Help?
If you’d like guidance during setup or have questions about the best approach, don’t hesitate to reach out to your Goodsted representative. We’re happy to support you throughout the process.