Single Sign On Frequently Asked Questions

Fiona Cormack Updated by Fiona Cormack

Table of Contents:

  1. Will our read-only users be impacted when enabling SSO?
  2. Does this mean we need to add all staff to a group in Azure in order to provide access to Prompt?
  3. Can we test SSO in a testing environment?
  4. When enabling SSO will Azure retrospectively disable Prompt users that are no longer active in Azure?
  5. How can I find out how many users are impacted by this change?
  6. Does this mean Admins and Prompt Admins no longer have to manage user profiles in Prompt?
  7. If we enable Automatic User Provisioning, therefore allowing any active Azure account to create a Prompt user profile, does this mean they can now search other organisations documents?
  8. Does the email address in Prompt need to be the same in Azure AD?
  9. Before enabling SSO I was logging in to Prompt with credentials that included email address, password and 2FA. If I now log in with SSO then does this mean I have two user profiles?





1. Will our read-only users be impacted when enabling SSO?

No, your read-only URL link is linked to an Anonymous User profile. An Anonymous User is not an authenticated user. It is simply a link to search and download documents in Prompt. The link is typically 'pinned' on the organisation's intranet for staff to access Prompt within your network. Therefore, this user profile and link is not impacted by enabling SSO.



2. Does this mean we need to add all staff to a group in Azure in order to provide access to Prompt?

  • If you are only using SSO: You don't need to add users to an Azure user group. They only need to exist in your azure tenancy, under the general Users menu, and their accounts need to be active. They will still be able to login with password if they are not in azure.
  • If you have enabled user provisioning: You do need to add users to a user list within your enterprise app. Users outside of the user group will not sync to Prompt. This is covered in our setup guide How to Setup Automatic User Provisioning in AzureAD



3. Can we test SSO in a testing environment?

No, testing can easily be completed in Production (app.prompt.org.au). Complete the steps outlined in these articles Configuration and Provisioning and add only test users to the group to validate the feature is working.



4. When enabling SSO will Azure retrospectively disable Prompt users that are no longer active in Azure?

No, users must be cleaned up in Prompt first before enabling the feature to ensure those who are no longer active in Azure are not active in Prompt.



5. How can I find out how many users are impacted by this change?

Permissions Required: Admin, Prompt Admin, General User with Reporting Access enabled

Navigate to Reports > Under Statistics > Select User Role.

To generate the report:

1. Ensure all Departments are selected on the left hand pane.

2. Select Active and Pending Status.

Active means the user has logged into Prompt, Pending means the user was sent an access token but never logged in.

3. Select all user roles EXCEPT for Anonymous User (your read-only user URL).

Your organisations list of User Roles may vary to what is shown in the image.

4. Select "Email Results To Current User" as this will email a csv file to the person requesting the report.

5. Select Generate Report.

6. Use the csv file to assist with user clean up before enabling SSO.

If Active users are no longer active in Azure, you may be required to remove permissions prior to disabling the user in Prompt.

If the Last Active Date has a date of 1/1/0001 this indicates the user logged in once via their original access token, and never logged in again.



6. Does this mean Admins and Prompt Admins no longer have to manage user profiles in Prompt?

No, Admins and Prompt Admins must continue to provide access rights (what the user gets to see in Prompt), and permissions (what the user gets to do in Prompt). Read more here.



7. If we enable Automatic User Provisioning, therefore allowing any active Azure account to create a Prompt user profile, does this mean they can now search other organisations documents?

No, Automatic User Provisioning strictly provides the user access to the system. Therefore creating a secure authentication process which will be managed by your Azure Administrator. If the user was to do this, then the below is all they can see in Prompt.

If the user would like to do more than what is seen in the below picture, then they will be required to contact their Prompt Administrator, found on the Help Tab in order to request additional access or permissions.



8. Does the email address in Prompt need to be the same in Azure AD?

  • With SSO:  Prompt user email must match azure user UPN
  • With Azure Provisioning: Prompt user email must match Azure email field (Unless you have mapped your provisioning differently to our helpdocs)



9. Before enabling SSO I was logging in to Prompt with credentials that included email address, password and 2FA. If I now log in with SSO then does this mean I have two user profiles?

No, firstly you can continue to log in with email address, password and 2FA authentication. No matter which option you choose in the below image, both flow through to the same user profile that is linked to your unique Azure Entra ID.

Therefore one unique user can be authenticated via two channels, but ultimately controlled and managed by your organisations Azure Administrator.

SSO must be enabled for this question to be true.

How did we do?

Do users need to log into PROMPT with a username and password?

How to change a document Review Date?

Contact