Azure - Enable signed assertions

Authentication
Updated Apr 25, 2026

SSO provider without signed assertions

If you see this warning, certificate signing is disabled in ChangeBreeze and in your SAML configuration in Entra / Azure.

Required Action:

The Verification Certificates section must be set to required in Microsoft Entra under your Enterprise app, and the SP certificate must be uploaded.

How to enable Certificate Verification

Step 1 - (Roll back plan)

  • Ensure you have a local admin user in ChangeBreeze that can be used to log in and revert changes if required

Step 2 - Enable Signed Assertions in ChangeBreeze

  • From ChangeBreeze, navigate to Organization Settings > SSO and edit your existing SAML provider
  • Scroll to the Security Settings section and check the "Require Signed Assertions" option.
  • Once saved, you will be on the SAML provider view page. On the right-hand side, select "Download SP Certificate". This downloads the certificate to be uploaded to Azure in a later step.

Step 3 - Enable Verification of Certificates in Azure

  • Log in to portal.azure.com and navigate to Enterprise Applications
  • Edit the App used for SAML integration with ChangeBreeze
  • Navigate to Single sign-on from the side bar
  • Edit the Verification Certificates (optional) section
  • Check the box "Require verification certificates", then upload the certificate downloaded in Step 2 and press Save at the bottom of the pop-out window

Step 4 - Validate that SAML sign on is still functioning

  • To test if the changes are functioning, open a new private browser window and re-authenticate using SAML / SSO
    https://changebreeze.com/sso/login/

    Once logged in, the warning should no longer be displayed.
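
A further check for Step 4, as an added example (not ChangeBreeze or Microsoft code): it decodes the sign-in redirect that ChangeBreeze sends to Entra and reports whether the SAML request carries a signature. It assumes the HTTP-Redirect binding and a URL copied from the browser's network tab; the function names, sample issuer, tenant placeholder and sample URL are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

WEAK_SIGALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"


def inspect_sso_redirect(url):
    """Report whether the AuthnRequest in an HTTP-Redirect SSO URL is signed."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    # Redirect binding: base64 of a raw DEFLATE stream (no zlib header).
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)
    sig_alg = params.get("SigAlg", [None])[0]
    # Presence check only: the IdP is what verifies the signature value.
    query_signed = bool(params.get("Signature", [""])[0]) and sig_alg is not None
    return {
        "issuer": root.findtext("{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"),
        "signed": query_signed or root.find(DSIG_SIGNATURE) is not None,
        "sig_alg": sig_alg,
        "weak_alg": sig_alg in WEAK_SIGALGS,
    }


def build_sample_url(signed):
    """Constructed sample standing in for a URL copied from the browser."""
    authn = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
        'Version="2.0" IssueInstant="2026-04-25T00:00:00Z">'
        "<saml:Issuer>https://changebreeze.example/sp</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ).encode()
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(authn) + deflater.flush()
    query = {"SAMLRequest": base64.b64encode(raw).decode()}
    if signed:
        query["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        query["Signature"] = base64.b64encode(b"constructed-placeholder").decode()
    return "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2?" + urlencode(query)


if __name__ == "__main__":
    for label, signed in (("signed request", True), ("unsigned request", False)):
        print(label, inspect_sso_redirect(build_sample_url(signed)))
```

A result of `signed: False` after Step 2 means the request left ChangeBreeze without a signature, which is worth resolving before relying on the Entra-side requirement.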
