Ask Zac
Integrations | Intermediate | 20 minutes

How to set up Zoom SSO with Azure AD (Entra ID)

Step-by-step guide to configuring SAML 2.0 single sign-on between Zoom and Microsoft Entra ID (Azure AD) — enterprise app setup, attribute mapping, vanity URL, and testing.

Published February 26, 2026

Zoom supports SAML 2.0 single sign-on with Microsoft Entra ID (formerly Azure AD). Once configured, your users sign into Zoom with their Microsoft credentials — the same ones they use for Outlook, Teams, and everything else in your Microsoft 365 environment. This eliminates separate Zoom passwords, gives you centralized access control through Entra ID, and lets you enforce conditional access policies (MFA, device compliance, location restrictions) on Zoom access.

What SSO Does Once Configured

Here’s exactly what happens after setup:

When a user signs into Zoom:

  1. User navigates to yourcompany.zoom.us or opens the Zoom desktop client.
  2. Zoom redirects them to Microsoft’s login page (or the user clicks “Sign in with SSO”).
  3. User authenticates with their Microsoft credentials (including MFA if configured).
  4. Microsoft sends a SAML assertion back to Zoom confirming the user’s identity.
  5. Zoom logs the user in — no separate Zoom password required.

What you control from Entra ID:

  • Who can access Zoom — only users assigned to the Zoom enterprise app
  • Conditional access — require MFA, compliant device, or specific network location
  • Instant deprovisioning — disable a user in Entra ID and they immediately lose Zoom access
  • Audit trail — every Zoom login appears in Entra ID sign-in logs

Prerequisites

  • Microsoft Entra ID (any tier — Azure AD Free works for basic SAML, Premium P1 for conditional access)
  • Zoom Business, Enterprise, or Education plan (Pro plan supports SSO but requires manual configuration)
  • Zoom vanity URL configured (e.g., yourcompany.zoom.us)
  • Admin access to both the Azure portal and the Zoom web portal

Step 1: Configure Your Zoom Vanity URL

If you don’t already have a vanity URL, set one up first — SSO requires it.

  1. Sign in to the Zoom web portal as an admin.
  2. Go to Account Management > Account Profile.
  3. Under Vanity URL, enter your desired subdomain (e.g., yourcompany).
  4. Click Save. Your vanity URL becomes yourcompany.zoom.us.

Note: Vanity URL changes can take up to 24 hours to propagate. Set this up before starting the SSO configuration.

Step 2: Add Zoom as an Enterprise Application in Entra ID

  1. Sign in to the Azure portal.
  2. Navigate to Entra ID > Enterprise Applications.
  3. Click New application.
  4. Search for Zoom in the gallery — select Zoom Meetings (this is the pre-configured SAML template).
  5. Click Create.
  6. Once created, go to Single sign-on > select SAML.

Step 3: Configure SAML Settings in Azure

In the SAML configuration page:

Basic SAML Configuration

Click Edit and set:

| Field | Value |
| --- | --- |
| Identifier (Entity ID) | https://yourcompany.zoom.us |
| Reply URL (ACS URL) | https://yourcompany.zoom.us/saml/SSO |
| Sign on URL | https://yourcompany.zoom.us |

Click Save.

Attributes & Claims

Verify these user attribute mappings (most are pre-configured by the gallery template):

| Claim | Source attribute | Purpose |
| --- | --- | --- |
| NameID | user.userprincipalname | Unique identifier for the user |
| firstName | user.givenname | First name in Zoom profile |
| lastName | user.surname | Last name in Zoom profile |
| email | user.mail | Email address in Zoom profile |

Important: If your users' UPNs (in the form username@company.com) differ from their actual email addresses, map NameID to user.mail instead of user.userprincipalname. Zoom matches users by this value.

SAML Signing Certificate

  1. In the SAML Signing Certificate section, find Certificate (Base64) and click Download.
  2. Also copy the App Federation Metadata URL — you may need this for Zoom.

Copy These Values for Zoom

From the Set up Zoom Meetings section, copy:

| Azure Field | You’ll Paste This In Zoom As |
| --- | --- |
| Login URL | Sign-in page URL |
| Azure AD Identifier | Issuer (IDP entity ID) |
| Logout URL | Sign-out page URL |

Step 4: Configure SSO in Zoom

  1. Sign in to the Zoom web portal as an admin.
  2. Go to Advanced > Single Sign-On.
  3. If SSO is not yet enabled, click Enable Single Sign-On.
  4. Fill in the SAML configuration:

| Zoom Field | Value |
| --- | --- |
| Sign-in page URL | Login URL from Azure |
| Sign-out page URL | Logout URL from Azure |
| Identity provider certificate | Upload the Base64 certificate you downloaded from Azure |
| Service provider (SP) entity ID | https://yourcompany.zoom.us |
| Issuer (IDP entity ID) | Azure AD Identifier from Azure |
| Binding | HTTP-Redirect |
| Signature hash algorithm | SHA-256 |

  5. Under SAML Response Mapping, verify that email maps correctly.
  6. Click Save.

Step 5: Assign Users in Azure

Users must be assigned to the Zoom enterprise application in Entra ID to use SSO:

  1. In the Azure portal, go to Entra ID > Enterprise Applications > Zoom Meetings.
  2. Click Users and groups > Add user/group.
  3. Choose one of:
    • Specific users — select individual users
    • Groups — assign an Entra ID group (e.g., “All Employees” or “Zoom Users”)
  4. Click Assign.

Recommendation: Use a security group like “Zoom Licensed Users” so you can manage access through group membership rather than individual assignments.

Step 6: Test the SSO Connection

Test from Azure

  1. In the Azure portal, on the Zoom enterprise app’s SAML configuration page, scroll to the Test section.
  2. Click Test > Test sign in.
  3. Azure will attempt to sign into Zoom as your current user.
  4. If successful, you’ll see a confirmation. If not, Azure shows a detailed error.

Test from a Browser

  1. Open an incognito/private browser window.
  2. Navigate to https://yourcompany.zoom.us.
  3. Click Sign in with SSO (or you’ll be automatically redirected to Microsoft login).
  4. Enter your Microsoft credentials.
  5. You should be redirected back to Zoom and logged in.

Test from the Zoom Desktop Client

  1. Open Zoom desktop client.
  2. Click Sign In > SSO.
  3. Enter your company domain (e.g., yourcompany).
  4. The Microsoft login page opens in a browser.
  5. After authenticating, the desktop client should show you as logged in.

Once SSO is verified, lock down sign-in methods:

  1. In the Zoom web portal, go to Advanced > Security > Sign-in methods.
  2. Set Sign in with SSO to Required (disables password login).
  3. Keep Sign in with Google and Sign in with Apple disabled unless needed.

This ensures all users authenticate through Entra ID, giving you complete control over access.

Advanced: Conditional Access Policies

With Azure AD Premium P1, you can add security controls to Zoom access:

  1. In the Azure portal, go to Entra ID > Security > Conditional Access.
  2. Create a new policy targeting the Zoom Meetings enterprise app.
  3. Common policies:

| Policy | What It Does |
| --- | --- |
| Require MFA | Users must complete multi-factor authentication every time they sign into Zoom |
| Require compliant device | Only devices enrolled in Intune and meeting compliance policies can access Zoom |
| Block non-corporate networks | Users can only access Zoom from your corporate network or VPN |
| Require Terms of Use | Users must accept your organization’s ToU before accessing Zoom |
| Session lifetime | Force re-authentication after a set period (e.g., 12 hours) |
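To confirm a policy is actually enforced on Zoom sign-ins, you can audit exported Entra ID sign-in logs. The following is an added example, not part of the original guide: it scans records shaped like Microsoft Graph signIn objects and reports successful Zoom sign-ins where the policy was missing, report-only, or satisfied with a single factor. The users, the `signin` helper, and the policy name "Zoom - Require MFA" are hypothetical.

```python
def signin(user, app, error_code, auth, policy_result):
    """Build a constructed record using Microsoft Graph signIn field names."""
    policies = [] if policy_result is None else [
        {"displayName": "Zoom - Require MFA", "result": policy_result}]
    return {"userPrincipalName": user, "appDisplayName": app,
            "status": {"errorCode": error_code},
            "authenticationRequirement": auth,
            "appliedConditionalAccessPolicies": policies}

MFA, SFA = "multiFactorAuthentication", "singleFactorAuthentication"

# Constructed sample data; none of these users or events are real.
SAMPLE_SIGNINS = [
    signin("alice@company.com", "Zoom Meetings", 0, MFA, "success"),
    signin("bob@company.com", "Zoom Meetings", 0, SFA, "reportOnlySuccess"),
    signin("carol@company.com", "Zoom Meetings", 0, SFA, "notApplied"),
    signin("dave@company.com", "Office 365 Exchange Online", 0, SFA, None),
    signin("erin@company.com", "Zoom Meetings", 50126, SFA, None),  # failed login
    signin("frank@company.com", "Zoom Meetings", 0, SFA, None),
    signin("grace@company.com", "Zoom Meetings", 0, SFA, "success"),
]

def audit_zoom_signins(records, app="Zoom Meetings", policy="Zoom - Require MFA"):
    """Return (user, reason) for successful Zoom sign-ins the policy did not enforce."""
    findings = []
    for rec in records:
        if rec.get("appDisplayName") != app or rec.get("status", {}).get("errorCode") != 0:
            continue  # other apps and failed sign-ins are out of scope here
        results = {p["displayName"]: p["result"]
                   for p in rec.get("appliedConditionalAccessPolicies", [])}
        result = results.get(policy)
        if result is None:
            reason = "policy not evaluated for this sign-in"
        elif result.startswith("reportOnly"):
            reason = f"policy is report-only ({result})"
        elif result != "success":
            reason = f"policy result {result}"
        elif rec.get("authenticationRequirement") != MFA:
            reason = "sign-in satisfied with a single factor"
        else:
            continue  # policy enforced and MFA was required
        findings.append((rec["userPrincipalName"], reason))
    return findings
```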

Common Issues

  • “SAML response is invalid” — The Entity ID must match exactly between Azure and Zoom, including https:// and no trailing slash. Check both sides. Also verify the Reply URL is https://yourcompany.zoom.us/saml/SSO (case-sensitive).
  • Users get “account not found” — The user is not assigned to the Zoom enterprise app in Entra ID. Go to Enterprise Applications > Zoom > Users and groups and assign them. Also check that the email in the SAML assertion matches their Zoom account email.
  • Users can’t edit their Zoom profile — This is expected with SSO. Profile fields (name, email) are locked because they’re managed by Entra ID. Users must update their name or email in Microsoft 365, and the changes will sync on next login.
  • SSO works in browser but not in desktop client — The Zoom desktop client may need a sign-out and fresh SSO login. Go to the Zoom client settings > sign out > sign back in with SSO. Also check that the vanity URL domain is entered correctly (just yourcompany, not the full URL).
  • Conditional access policy not applying — Verify the policy targets the “Zoom Meetings” enterprise application specifically, not just “All cloud apps.” Check the policy assignment (users/groups) and ensure the policy is enabled (not in report-only mode).
  • SCIM and SSO confusion — SSO handles authentication (who can sign in). SCIM handles provisioning (creating/deactivating accounts). They are separate features. You can have SSO without SCIM (users must be manually created in Zoom first).
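The first two issues above come down to values in the SAML response not matching what each side expects. The following is an added example, not part of the original guide: it takes a base64-decoded SAML response from your own test sign-in and compares Issuer, Audience, Destination/Recipient and NameID against the configured values. It checks configuration values only, not the signature. The tenant GUID and the `sample_response` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # use defusedxml for XML you do not control

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholders from the guide's example tenant; the tenant GUID is constructed.
EXPECTED = {"issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
            "audience": "https://yourcompany.zoom.us",
            "acs": "https://yourcompany.zoom.us/saml/SSO"}

def sample_response(audience, acs, name_id, email):
    """Constructed, unsigned SAML response for offline testing only."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{acs}">
  <a:Assertion><a:Issuer>{EXPECTED['issuer']}</a:Issuer>
    <a:Subject><a:NameID>{name_id}</a:NameID>
      <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/></a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement><a:Attribute Name="email"><a:AttributeValue>{email}</a:AttributeValue></a:Attribute></a:AttributeStatement>
  </a:Assertion></p:Response>"""

def text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else None

def check_response(xml_text, expected=EXPECTED):
    """Return a list of configuration mismatches found in a decoded SAML response."""
    root = ET.fromstring(xml_text)
    findings = []
    if text(root, "a:Assertion/a:Issuer") != expected["issuer"]:
        findings.append("Issuer does not match the IDP entity ID")
    audience = text(root, ".//a:Audience")
    if audience != expected["audience"]:  # exact match: scheme, host, no trailing slash
        slash = (audience or "").rstrip("/") == expected["audience"]
        findings.append(f"Audience {audience!r} != SP entity ID" + (" (trailing slash)" if slash else ""))
    rcpt = root.find(".//a:SubjectConfirmationData", NS)
    for label, value in (("Destination", root.get("Destination")),
                         ("Recipient", rcpt.get("Recipient") if rcpt is not None else None)):
        if value != expected["acs"]:  # the ACS URL comparison is case-sensitive
            case = (value or "").lower() == expected["acs"].lower()
            findings.append(f"{label} {value!r} != ACS URL" + (" (case differs)" if case else ""))
    name_id = text(root, ".//a:NameID")
    email = text(root, ".//a:Attribute[@Name='email']/a:AttributeValue")
    if not name_id or not email or name_id.lower() != email.lower():
        findings.append(f"NameID {name_id!r} does not match email claim {email!r}")
    return findings
```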

Frequently Asked Questions

Does Zoom support SSO with Azure AD?

Yes. Zoom supports SAML 2.0 single sign-on with Microsoft Entra ID (formerly Azure AD). Users sign into Zoom using their Microsoft credentials. This requires adding Zoom as an enterprise application in the Entra portal, configuring SAML settings on both sides, and enabling SSO in the Zoom admin portal.

Do I need Azure AD Premium for Zoom SSO?

Azure AD Premium P1 or P2 is recommended for full SSO features like conditional access policies, but basic SAML SSO works with Azure AD Free (included in all Microsoft 365 plans). If you want to enforce MFA specifically for Zoom, restrict access by location, or require compliant devices, you need Azure AD Premium P1 at minimum.

What is a Zoom vanity URL and do I need one for SSO?

A vanity URL is your organization's custom Zoom subdomain (e.g., yourcompany.zoom.us). It is required for SSO — Zoom uses it as the SAML entity ID and service provider URL. You configure it in the Zoom admin portal under Account Management > Account Profile.

Can I use Zoom SSO and password login at the same time?

Yes. Zoom supports three sign-in modes: SSO only (users must use SSO), SSO + password (users can choose), or password only. The recommended approach is to enable SSO as the default and disable password login once SSO is verified. You configure this in the Zoom admin portal under Advanced > Security > Sign-in methods.

Why do I get a 'SAML response is invalid' error when testing Zoom SSO?

This almost always means the Entity ID in Azure and Zoom don't match exactly. Check that both sides use the same URL format (including https:// and no trailing slash). Also verify the Reply URL (ACS URL) in Azure matches what Zoom expects: https://yourcompany.zoom.us/saml/SSO.

How long does it take to set up Zoom SSO with Azure AD?

The technical configuration takes 15-20 minutes if you have admin access to both the Azure portal and the Zoom web portal. Allow additional time for testing with pilot users and rolling out to the full organization. Most teams complete the full rollout within a day.
