Skip to main content

Entra ID Auto Check-in for Workplace

Automatically check in employees by detecting Entra authentications completed on your workplace network.

Updated today

Overview

The Entra platform secures your employees, contractors, and partners, wherever they are. It covers every part of the Identity lifecycle, from governance to access to privileged controls.

Entra can also automatically sync your employee directory via SCIM integration, which requires a separate installation. Learn more here.

How does this integration work?

The Envoy + Entra ID integration automatically allows employees to check into the workplace. Envoy leverages identity-based access control and maps the IP of your office to identify the physical location of the employee logging into Entra. If the employee uses Entra in your workplace, they are automatically checked in for that day!

Prerequisites

  1. You must be an administrator for your Entra instance to complete this installation. Either become an administrator or ask your admin for help before completing these steps.

  2. For use with a VPN, please ensure that the VPN is detected by Entra, or the exit node of the VPN is unique and can be distinguished from your workplace network IPs.

Enabling the Envoy + Entra Integration

Step 1: API Access

  1. Navigate to your Envoy dashboard, then Integrations. Search for Microsoft Entra Auto Sign-In, then click Install.

  2. Click Connect Account to launch the configuration window.

  3. Click Connect to open the Entra authentication window.

    1. To use your own App credentials, you'll need to retrieve your Client ID and Client Secret. This requires creating a new app under the App registrations tab in your Entra admin center. You'll add https://workflows.envoy.com as the redirect URL. This will generate a Client ID. Then, add a secret. Copy and paste these values into the corresponding field within Envoy.

  4. Select the account you want to use to authenticate with Envoy.

  5. Check the box next to Consent on behalf of your organization to accept the required permissions, then click Accept. The window will close after authentication is complete.

Step 2: Workplace Configuration

This step defines the CIDR block that Envoy uses to recognize employees as "onsite." You can add multiple CIDR blocks per location, and edit existing CIDR blocks if needed.

  1. Use the Envoy Location dropdown to select the Envoy location you want to enable.

  2. Under the cidrList column, add the corresponding CIDR block. It must be in a valid format.

    1. Failure to match the required format will result in a Request failed with status code 400 error.

    2. A successful match will display an All CIDR patterns are valid message.

  3. Click Add Another to repeat this process for each location.

  4. Click Next Step to save the configuration.

    1. The Next Step button will be greyed out if the formatting is not valid.

  5. Click Complete Setup to save the configuration.

Viewing auto check-in results

Once your integration installation is complete, navigate to Workplace > Access log. For any check-ins completed by this integration, "Entra ID" will be listed in the Integration name column. Only successful authentications are logged within Envoy and counted towards sign-ins; any errors, interruptions, or warnings are filtered out.

On the individual employee entry, the check-in method will show as 'via SSO event."

It may take a few minutes for your Entra signal to populate in Envoy. The Checked in time will be the time the sign-in happened, not the time Envoy recieves the signal. The Access log will show these times separately, as Event time and Received at.

Related Articles
Microsoft Entra ID Integration
Workplace Ticketing
Envoy Workplace
Enabling employee auto check-in
Okta Auto check-in for Workplace
Did this answer your question?