Set up user groups in Azure AD

You need to add two user groups (Security groups) to your Active Directory.

The first group is for users that may access the Device Magic web application and the second is for the devices that will be joined to your organization through the mobile app.

Note: When a device signs in using SSO, it is automatically joined to your organization without an administrator first approving each device. Any SSO devices will be billed at your current subscription rate.

Assign any users that require SSO access to the group(s) that they require access to.

Also, note the Object ID of the two newly created groups as you will need them to complete the setup in Device Magic later.

Microsoft Azure Active Directory only

Set up application in Azure AD

Please visit and log in.

When logged in, select "Azure Active Directory".

Select "Enterprise applications".

Choose "+ New Application".

Select "Non-gallery application" and type a name for the application, ideally something like “Device Magic Forms”. Then, click "Add" at the bottom right.

Click "Azure Active Directory" in the left pane, then "App Registrations" and change the selection drop down from "My apps" to "All apps". 

Click the application you created, then "Manifest". In the application manifest, add at least one role. 

The "value" should correspond to the name of an existing user role in your Device Magic organization. Using the example in the screenshot below, there should be a role in the Device Magic organization titled "Forms-Read-Only".

In your application manifest, set the value of groupMembershipClaims to SecurityGroup.

Make sure you add the following 2 replyUrls

Click "Save" and go back to Azure Active Directory. 
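A check you can run on a copy of the manifest before saving, covering the three manifest edits above (role value, groupMembershipClaims, replyUrls). This is an added example, not code from Device Magic or Microsoft. The reply URLs are placeholders, the role id is constructed, and the exact, case-sensitive role-name match is an assumption.

```python
import json
import uuid

def check_manifest(manifest, dm_roles, reply_urls):
    """Return a list of problems; an empty list means the manifest matches the steps."""
    problems = []
    roles = manifest.get("appRoles") or []
    if not any(r.get("isEnabled") for r in roles):
        problems.append("appRoles: add at least one enabled role")
    seen_ids = set()
    for r in roles:
        value, role_id = r.get("value"), str(r.get("id"))
        # Assumption: the role "value" must equal a Device Magic role name exactly.
        if value not in dm_roles:
            problems.append(f"appRoles: {value!r} is not a Device Magic role name")
        # Roles assigned under "Users and groups" must allow user members.
        if "User" not in (r.get("allowedMemberTypes") or []):
            problems.append(f"appRoles: {value!r} does not allow 'User' members")
        try:
            uuid.UUID(role_id)
        except ValueError:
            problems.append(f"appRoles: {value!r} has a malformed id")
        if role_id in seen_ids:
            problems.append(f"appRoles: id {role_id} is used twice")
        seen_ids.add(role_id)
    if manifest.get("groupMembershipClaims") != "SecurityGroup":
        problems.append("groupMembershipClaims: must be 'SecurityGroup'")
    for url in reply_urls:
        if url not in (manifest.get("replyUrls") or []):
            problems.append(f"replyUrls: missing {url}")
    return problems

# Constructed sample input: placeholder reply URLs and a constructed role id.
DM_ROLES = {"Forms-Read-Only"}
REPLY_URLS = ["https://sso.example.invalid/reply-1", "https://sso.example.invalid/reply-2"]
GOOD = json.loads("""{
  "appRoles": [{"allowedMemberTypes": ["User"], "displayName": "Forms read only",
                "id": "11111111-2222-3333-4444-555555555555",
                "isEnabled": true, "value": "Forms-Read-Only"}],
  "groupMembershipClaims": "SecurityGroup",
  "replyUrls": ["https://sso.example.invalid/reply-1", "https://sso.example.invalid/reply-2"]
}""")
# Same manifest with three typical slips: role name case, unset claim, one URL missing.
BAD = json.loads(json.dumps(GOOD))
BAD["appRoles"][0]["value"] = "forms-read-only"
BAD["groupMembershipClaims"] = None
BAD["replyUrls"].pop()

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_manifest(m, DM_ROLES, REPLY_URLS) or "ok")
```

Replace DM_ROLES and REPLY_URLS with your organization's role names and the two reply URLs from the setup instructions before running it against your own manifest.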

Next, select "Enterprise Applications", then "All Applications", then the application you created, then "Users and groups".

You need to assign a user to the Device Magic application so they can log in. Also, assign one of the roles that you created in the previous step to the user.

Click the "Assign" button.

Now you need to configure the Single Sign On settings. Below "Users and groups", click "Single sign-on".

Text values from the above screenshot:


Under User Identifier, click “View and edit all other user attributes”.

In the section that opens, click on “Add attribute”.

In the section that opens, enter the following values (do not paste the values) and click “OK”.

Roles attribute (Required)

Name: roles

Value: user.assignedroles


Make sure the new attribute shows up and click “Save”.

Telephone attribute (Optional)

To set the Device Magic user telephone number, another claim can be added. Use the following values and make sure to save once set.

Name: phone

Value: user.telephonenumber


Make a note of your generated thumbprint.

Also, make a note of the three URLs here.

At this point, remember to save the settings.

Setting up SSO in your Device Magic organization

Click "Organization Settings" when logged in and then "SAML Settings".

Enter the 3 URLs and fingerprint that you made a note of in the earlier steps. Also set your allowed SSO email domain.
The Object IDs you noted earlier must be used to set the User and Device Group identifier fields.

To test that your setup was successful, save and then log out. Visit and select "Log in with SSO".

Enter the email address of an existing AD user that belongs to the Device Magic AD User Group that you configured earlier.

If everything is configured correctly, you will get the Microsoft Sign in page where you can enter your AD user's password to complete the sign in process.

If you have any questions or comments feel free to send us a message at
