School IT admin guide

Setting up Azure Entra ID for SSO with TeachGen AI

Step-by-step guide for school IT administrators

20 min setup | For: Entra admin | Updated 4 May 2026

This guide walks the Entra admin at your school or trust through configuring Single Sign-On for TeachGen AI. Setup takes about twenty minutes in the Microsoft Entra admin centre. At the end you'll share three values with your TeachGen contact, and we complete the integration on our side, usually within one working day.

Once SSO is live, your staff sign in to app.teachgen.ai with their existing school Microsoft account — no new password, no separate user list to maintain. Your existing Entra security policies (MFA, conditional access, password rules) apply to TeachGen sign-ins automatically, and disabling someone's school account immediately revokes their TeachGen access.

Setup

Before you start

What you'll need

  • Admin access to the Microsoft Entra admin centre (entra.microsoft.com).
  • About 20 minutes uninterrupted — the secret value can only be copied once.
  • A secure way to share three values with your TeachGen AI contact.
  • Recommended: a security group (e.g. TeachGen AI Users) for who gets access — easier to manage than assigning users individually.

Output

What you'll share at the end

By the end of this guide you'll have collected three values to send securely to TeachGen.

Application (Client) ID

From Step 2 - a 36-character GUID identifying your TeachGen Enterprise Application.

Application (Client) Secret Value

From Step 3 - the secret value (not the ID). Microsoft only shows it once.

Tenant ID

From Step 1 - your Microsoft Entra tenant identifier.

Step 1: Retrieve your Tenant ID

2 minutes
  1. Sign in to the Microsoft Entra admin centre.
  2. On the home page, your Tenant ID is shown under Basic information.
  3. Copy and save it somewhere secure for now — we'll collect it with the other values at the end.
  4. If it's not visible, search the top bar for Tenant Properties and open the result with the cog icon.
Success looks like: the Tenant ID appears under Basic information on the Entra admin centre home page — a 36-character GUID such as 00000000-0000-0000-0000-000000000000.

Step 2: Create the Enterprise Application

5 minutes
  1. In the Entra admin centre left menu, go to Applications › Enterprise applications.
  2. Click + New application at the top of the page.
  3. Click + Create your own application at the top of the gallery.
  4. Enter TeachGen AI in the What's the name of your app? field.
  5. Leave the default option selected (Integrate any other application you don't find in the gallery (Non-gallery)) and click Create.
  6. Once the new application overview opens, copy the Application (Client) ID shown under Properties.
Success looks like: you land on a page titled TeachGen AI | Overview, and the Application (Client) ID appears in the Properties section.

Step 3: Generate a Client Secret

3 minutes
  1. In the Entra admin centre left menu, go to Applications › App registrations.
  2. Find and open your newly created TeachGen AI application.
  3. In the left navigation, choose Certificates & secrets.
  4. Under Client secrets, click + New client secret.
  5. Add a description, e.g. TeachGen AI integration, created on 22 June 2026.
  6. Set an expiration period — we recommend at least 12 months.
  7. Click Add.

Copy the secret value immediately

Microsoft shows the secret value only once. After you leave the page it cannot be retrieved. Copy the value, not the secret ID: the value is what we need.

Save the value somewhere secure (a password manager is ideal). We'll collect it together with the other values at the end of this guide.

See Renewing your client secret for the rotation pattern we recommend before this secret expires.

Success looks like: the new client secret appears in the Client secrets table with your description, the expiry date, and the secret value visible — Microsoft only shows the value once, so copy it and save it somewhere secure for later.

Step 4: Configure API permissions

3 minutes

TeachGen uses standard OpenID Connect permissions to confirm a user's identity at sign-in. We don't request mailbox, calendar, or file access.

  1. In App registrations, open your TeachGen AI application.
  2. In the left menu, choose API permissions.
  3. Click + Add a permission.
  4. Select Microsoft Graph, then Delegated permissions.
  5. Search for and select each of the following permissions:

Permissions to add (Microsoft Graph › Delegated):

  • openid: Sign users in
  • profile: View users' basic profile
  • email: View users' email address
  • User.Read: Sign in and read user profile

  6. Click Add permissions to save.
  7. Back on the API permissions page, click Grant admin consent for [your organisation] and confirm.
Success looks like: all four permissions show a green tick under Status with the message Granted for [your organisation].

Step 5: Assign users and groups

4 minutes

By default, every user in your tenant could sign in to TeachGen. Restricting access to a security group is the cleaner way to control who has access — both for licensing and for safeguarding.

Restrict access to assigned users only

  1. In the Entra admin centre, go to Enterprise applications and open TeachGen AI.
  2. In the left menu, choose Properties.
  3. Set Assignment required? to Yes.
  4. Click Save.

Assign your security group

  1. Still inside the TeachGen AI application, choose Users and groups in the left menu.
  2. Click + Add user/group.
  3. Click None Selected under Users and groups.
  4. Pick or create a security group (e.g. TeachGen AI Users) rather than assigning individual users.
  5. Click Select, then Assign.
Success looks like: your group is listed under Users and groups for the TeachGen AI application.

Step 6: Configure the redirect URI

3 minutes
  1. In App registrations, open your TeachGen AI application.
  2. In the left menu, choose Authentication.
  3. Under Platform configurations, click + Add a platform, then choose Web.
  4. Add the following redirect URI exactly as shown:
      https://edusage.b2clogin.com/edusage.onmicrosoft.com/oauth2/authresp
  5. Tick the boxes for Access tokens and ID tokens.
  6. Click Configure (or Save) to confirm.
Success looks like: the redirect URI is listed under the Web platform with both Access tokens and ID tokens ticked.

Hand-off

Share your values with TeachGen

Once you have all three values to hand, speak to your TeachGen AI contact about a secure way to share them with us. The Client Secret in particular is sensitive — treat it like a password and avoid sending it by plain email.

Your contact will agree the right channel for your school or trust — for example a one-time secret-sharing link, a brief call where you read the value over, or another route that fits your IT policy.

Next

What happens next

  1. We confirm receipt by email, usually within one working day.
  2. We apply the configuration on our side and test sign-in with a member of the teaching or admin team.
  3. Once confirmed, anyone in the security group you assigned in Step 5 can sign in to app.teachgen.ai with their school Microsoft account by choosing Sign in with Microsoft.

Maintenance

Renewing your client secret

Microsoft client secrets expire on the schedule you set in Step 3 — for most schools, every 12 months. When the secret expires, your staff lose the ability to sign in via SSO until a new one is issued. Rotating ahead of expiry avoids any downtime.

  1. Set a calendar reminder for 1–2 weeks before the expiry date.
  2. When it fires, repeat Step 3 to generate a new secret.
  3. Contact support at [email protected] and ask them for a secure method to transfer the new secret.
  4. We update our configuration on receipt. There's a short transition period of around 5–10 minutes, and we notify you once it's complete.

Troubleshooting

Sign-in failed: AADSTS50011 (redirect URI mismatch)

The redirect URI in Step 6 must match exactly - including https:// and trailing path. Re-open the Authentication page in App registrations, confirm the URI, and check that both Access tokens and ID tokens are ticked.

Sign-in failed: AADSTS65001 (admin has not consented)

Admin consent was not granted in Step 4. Return to API permissions and click Grant admin consent for [your organisation]. All four permissions should show Granted with a green tick.

User not assigned to the application

The user is not in the security group you assigned in Step 5. Add them to the group, or assign them directly in Users and groups on the Enterprise application.

Sign-in worked yesterday but fails today

Most often this is the client secret expiring. Check the secret's expiry date in Certificates & secrets. If it has expired, follow the Renewing your client secret section: generate a new secret, then contact [email protected] to arrange a secure way to send us the new value.

We rotated the secret but staff still see errors

Sign-ins use the previous secret until we update our configuration on receipt of the new value. The window is usually 5–10 minutes after we confirm. If you see persistent errors, email [email protected] and include the time of your last sign-in attempt.
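
The failure modes above can be checked before staff hit them. This is an added example, not TeachGen's or Microsoft's code: a Python audit over the app's Microsoft Graph objects (application, servicePrincipal and oauth2PermissionGrants, exported as JSON) against the settings in Steps 3 to 6. The sample objects are constructed, and `audit`, `warn_days` and the finding texts are names chosen for this example. The expiry check looks at the newest secret only, since Graph does not record which secret TeachGen has been given.

```python
from datetime import datetime, timezone

# Values taken from this guide.
REDIRECT_URI = "https://edusage.b2clogin.com/edusage.onmicrosoft.com/oauth2/authresp"
SCOPES = {"openid", "profile", "email", "User.Read"}

def _utc(ts):
    # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit(app, sp, grants, now, warn_days=14):
    """Return findings for the failure modes listed under Troubleshooting."""
    findings = []
    web = app.get("web", {})
    if REDIRECT_URI not in web.get("redirectUris", []):   # exact string match
        findings.append("AADSTS50011 risk: redirect URI missing or not an exact match")
    implicit = web.get("implicitGrantSettings", {})
    if not (implicit.get("enableAccessTokenIssuance") and implicit.get("enableIdTokenIssuance")):
        findings.append("Access tokens and ID tokens are not both ticked")
    consented = set()
    for g in grants:
        if g.get("consentType") == "AllPrincipals":       # tenant-wide admin consent
            consented |= set(g.get("scope", "").split())
    if SCOPES - consented:
        findings.append("AADSTS65001 risk: no admin consent for " + ", ".join(sorted(SCOPES - consented)))
    if consented - SCOPES:
        findings.append("Extra delegated scopes consented: " + ", ".join(sorted(consented - SCOPES)))
    if not sp.get("appRoleAssignmentRequired"):
        findings.append("Assignment required? is No: any tenant user could sign in")
    ends = [_utc(c["endDateTime"]) for c in app.get("passwordCredentials", [])]
    days = (max(ends) - now).days if ends else -1
    if days < 0:
        findings.append("No unexpired client secret")
    elif days <= warn_days:
        findings.append(f"Newest client secret expires in {days} days: rotate now")
    return findings

# Constructed sample objects (not real tenant data).
NOW = datetime(2027, 6, 15, tzinfo=timezone.utc)
APP = {"web": {"redirectUris": [REDIRECT_URI + "/"],    # trailing slash breaks the match
               "implicitGrantSettings": {"enableAccessTokenIssuance": True,
                                         "enableIdTokenIssuance": True}},
       "passwordCredentials": [{"endDateTime": "2027-06-22T09:00:00.1234567Z"}]}
SP = {"appRoleAssignmentRequired": False}
GRANTS = [{"consentType": "AllPrincipals", "scope": "openid profile email"}]

if __name__ == "__main__":
    for finding in audit(APP, SP, GRANTS, NOW):
        print(finding)
```

An empty list means the exported objects match the guide; the `warn_days` default of 14 matches the upper end of the 1–2 week reminder in Renewing your client secret.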
