Xakia supports Federated Identity (also known as Single Sign-On) through Microsoft Entra (formerly Azure Active Directory) via the OpenId Connect (OIDC) protocol. This feature is available to all subscription levels.
With Microsoft Entra (Azure AD) federated identity, you can create and manage users through a sync job maintained by Xakia. This sync job runs daily but can also be triggered manually as needed.
If you are interested in utilizing Microsoft Entra's SCIM functionality to manage Xakia users in Microsoft Entra, you can still configure it
If your team is using Azure Directory Federation Services (AD FS), please use this guide to configure it
Note: To set up Microsoft Entra federated identity, a Microsoft Entra system administrator must configure OIDC within Microsoft Entra.
IMPORTANT: Creating a Xakia Support Account on your Xakia Location is highly recommended to ensure minimal downtime during the transition. Xakia Location Administrator access is required to set up Single-Sign On. Please ensure that the member of IT managing Microsoft Entra has a Xakia Location Admin user account set up. This account can be configured without Matter or Contract access and set as non-billable by contacting Xakia Support.
Setting up Microsoft Entra (Azure Active Directory) in Xakia
Federated identity is configured at the Location level in Xakia but requires assistance from a Microsoft Entra Global Administrator.
To configure Federated Identity in Microsoft Entra, please follow the steps below:
Navigate to 'Admin' > 'Users & Security' > 'Federated identity'
In the 'Identity provider' field, select "Azure Active Directory - Sync Job"
Click 'Save' to confirm Microsoft Entra as your provider
Click 'Get the app'
This will take you to Microsoft Entra
Please follow the prompts to accept the permissions for the terms of the application (see below)
After completing these steps, Xakia will automatically populate the following fields:
Tenant ID
Consent Granted by (person who provided consent)
Consent Granted on (date of acceptance in UTC)
Note: Xakia requires read access to your Microsoft Entra Directory to synchronize authorized users, allowing administrators to configure roles, groups, and access levels in Xakia.
Provisioning Users in Xakia
Once Xakia is authorized to access your Entra ID directory your Entra ID Global Administrator can manage users by following the process below:
Create a new Security group in Entra ID. This can be done via the Azure Portal or the Microsoft 365 Admin Center. Note that only Security groups are supported. Microsoft 365 groups are not.
Add any legal team member to this group (do not add internal clients)
Enter the group's name as the 'User Sync Group' in the Xakia admin page.
Click the 'Sync Users Now' button to trigger an immediate sync (this can take up to 5 minutes)
You can verify that users have been synced as expected from the Security page in Xakia Admin
Note: The sync process happens automatically every day to ensure that users' details are kept up to date in Xakia, but you can also manually sync users by clicking 'Sync Users Now,' e.g., when new users have been added or if users have been removed.
Whenever a user sync occurs, the following happens:
New users in the sync group are added to Xakia that do not have Xakia accounts are added to Xakia
Deactivated Xakia accounts are reactivated if users are in the sync group
Users removed from the sync group are deactivated in Xakia
Updated email addresses, first names, and last names are reflected in Xakia
Important note! When Entra ID is synced with Xakia, it serves as the source of truth for managing users.
Therefore, when removing users or changing users' details, it is best to do this in Entra ID. If such changes are made directly in Xakia, a user sync from Entra ID will likely undo your changes.
Inviting and Managing Users in Xakia
After users have been synced with Microsoft Entra (this may take a few minutes), they will be visible in Xakia:
Navigate to 'Admin' > 'Users & Security' > 'Users'
Use the filter on the top right to select 'All Users'
You'll see a list of users, where you can assign the following attributes:
Role (defaults to mid-level lawyer)
Group (defaults to no group membership)
Access (defaults to All Matters)
Analytics Access (defaults to none)
Note: The 'Role' assigned at this stage will have an effect on Xakia's Delegated Authority Limits functionality.
You can now send invitations to new users. Once they receive the email, they need to:
Click the link
Accept the Privacy Policy
Click Register
Users will receive an invitation and must complete their registration as follows:
User Access with Microsoft Entra
After registering, users in the Microsoft Entra environment (e.g., Office 365) only need to enter their username (e.g., email address) to access Xakia; no password is required.
Internal Clients
Once you've set up SSO in Xakia, Internal Clients can log into the Internal Client Portal via Microsoft Entra. They can access the portal directly through the Portal URL if they're set up through Microsoft Entra.
The first time they visit the Portal, they will be automatically provisioned by entering their email address.
Ensure that the Xakia app in Entra ID Enterprise Applications has the "Assignment required?" option set to "No" - this allows any user in your Entra ID tenant to authenticate with this application. Once authenticated, they will be auto-provisioned in Xakia as an Internal Client user.
Make sure the Xakia app in Entra ID Enterprise Applications has the 'Assignment required?' option set to 'No.' This allows any user in your Entra ID tenant to authenticate. Once authenticated, they'll be automatically provisioned as Internal Client users in Xakia.
Note: Do NOT add Internal Clients to the user group in Microsoft Entra, as Xakia will recognize them as platform users rather than Internal Client Portal users.
Frequently Asked Questions
Q: What happens if a user's name or email address changes?
A: Xakia’s Microsoft Entra synchronization tool automatically handles changes to a user's name or email address over time.