Single sign-on lets your staff access TeachGen AI with the school account they already use every day — their Microsoft 365 or Google Workspace login — rather than a separate TeachGen username and password. Your existing security policies (MFA, conditional access, password rules, leaver workflows) extend to TeachGen automatically.
This page covers what SSO is for, what we'll ask for, and which provider runbook to follow next. Most schools complete setup in 5–20 minutes. SSO is included on every school subscription at no extra cost.
Pick your stack
Choose your provider
Microsoft Entra ID
For schools on Microsoft 365 / Office 365. Your IT admin sets up an Enterprise Application in the Microsoft Entra admin centre and shares three values with us.
Read the setup guide
Google Workspace
For schools on Google Workspace. For most schools, no IT setup is required — staff just press Sign in with Google. Restricted-mode schools need a 5-minute allowlist step.
Read the setup guide
Most schools have one identity stack, not both. Pick whichever you already use day-to-day.
Why
What you get with SSO
No new password to remember
Staff sign in with their existing school account. No separate TeachGen credentials to manage, store, or reset.
Your security policies apply
MFA, conditional access, session length, and password rules from your identity provider extend to TeachGen sign-ins automatically.
Leavers are revoked instantly
Disable a user in your Microsoft or Google admin and they immediately lose the ability to sign in to TeachGen. No second offboarding step.
No separate user list to maintain
We don't ask you to create or invite individual TeachGen accounts. Your existing security group or organisational unit decides who has access.
What we ask for — and what we don't
TeachGen requests the minimum identity scopes needed to confirm who's signing in. We don't request access to email, calendar, files, or classroom data on either provider.
What we ask for
openid— sign you inprofile— basic profile (name)email— your school email address
What we don't ask for
- Mailbox / inbox content
- Calendar or meeting data
- Drive or OneDrive files
- Classroom or Teams data
- Any administrative permissions
Setup
Before you start
- Confirm whether your school is on Microsoft 365 / Entra ID or Google Workspace.
- Make sure the person doing the setup has the right admin role on that platform — Entra admin for Microsoft, or Super Admin for Google.
- If your school or trust has a DPO, give them a heads-up. We provide a Data Processing Agreement on every school subscription.
- Open the runbook for your provider above and follow it through.
Common questions about SSO
Does TeachGen support both Microsoft and Google?
Yes. Microsoft Entra ID (Microsoft 365 / Office 365) and Google Workspace are both supported. Pick whichever your school uses for staff email today - you don't need to switch identity stacks for TeachGen.
Do we need a paid Microsoft Entra ID tier (P1 or P2)?
No. The base Entra ID tier included with Microsoft 365 covers everything required for the OIDC sign-in flow we use.
How long does SSO setup take?
Microsoft Entra ID: about 20 minutes on the admin's side, then 1–2 working days on ours. Google Workspace: usually no setup is required - if your school has restricted third-party app access, an allowlist step takes about 5 minutes.
Who needs to be involved on our side?
An admin on your identity platform - an Entra admin for Microsoft, or a Workspace Super Admin for Google. If your trust has a DPO, give them a heads-up; we'll provide a Data Processing Agreement as part of the school subscription.
Can we restrict TeachGen to specific staff or year groups?
Yes. On Microsoft Entra ID, you assign a security group to the Enterprise Application (covered in the runbook). On Google Workspace, you scope the trusted access by organisational unit. In both cases, only people in that group or OU can sign in.
Was this helpful?
Still stuck?