Trouble Connecting Microsoft SSO for Auto-Discovery?
Sheaf offers a powerful feature called Auto-Discovery, which automatically finds all the SaaS tools your team uses — who’s using them, and how often. It helps you spot unused subscriptions, reduce waste, and take control of your software stack — all with just a few clicks.
To do this, Sheaf needs permission to connect with your Microsoft organization through Microsoft Entra ID (formerly Azure Active Directory).
If you’re seeing errors during this process, don’t worry — here’s exactly what’s going on and how to fix it.
Why am I seeing this error?
To enable Auto-Discovery, Microsoft requires two things:
- Your organization must have a Microsoft Entra P1 license (or higher)
- The person setting it up must have the right permissions to approve access
Let’s walk through each case and how to move forward.
Step 1: Does your company have the right Microsoft license?
Auto-Discovery requires data only available with a Microsoft Entra P1 (or higher) license. This includes:
- Viewing apps your team is using via SSO
- Seeing when each user last accessed those apps
- Listing all active users in your organization
Without this license, Microsoft won’t allow Sheaf (or any tool) to access that information.
What to do if you don’t have a P1 license:
If this is the case, Sheaf will display a message during setup. Here’s how to proceed:
- Talk to your IT manager or Microsoft reseller about upgrading to Entra P1
- Once upgraded, return to Sheaf and try the connection again
💡 Why it matters: Entra P1 not only powers Sheaf’s Auto-Discovery — it’s a key step in strengthening IT governance across your organization, and a good practice in general for any business.
Step 2: Do you have the right Microsoft permissions?
Even if your organization has the correct license, the person setting up Auto-Discovery needs permission to grant access on behalf of the organization. If you see a message about missing permissions, here are your options:
Option 1: Invite someone with permissions
-
Typically your IT admin or Microsoft 365 administrator
-
Inside Sheaf, invite them to your workspace
-
Ask them to log in and complete the sync setup
Option 2: Request the needed permissions
-
Ask your IT team to adjust your Microsoft role to allow you to grant organization-wide access
-
Once updated, try connecting again
Don’t want to wait? You can still use Sheaf manually — or connect through Google Workspace
We know waiting on IT can be frustrating. That’s why Sheaf always gives you the option to:
-
Manually add users and apps — it’s not as fast as Auto-Discovery, but still gives you full control over your SaaS inventory
-
Or, connect through Google Workspace if your organization uses Google instead of Microsoft — setup is fast and just as powerful
💡 You can always switch to Microsoft SSO later once your permissions are sorted.
Summary
| Requirement | What’s Needed | What to Do If Missing |
|---|---|---|
| Microsoft Entra P1 License | Provided by your company | Ask IT or Microsoft rep to activate Entra P1 |
| Correct User Permissions | Ability to grant org-wide access | Invite someone with access or request upgrade |
| Still stuck? | Manual setup or integration through Google Workspace is always available in Sheaf | Start managing your stack manually or through Google Workspace |
Need help?
If you’re unsure what to do next or need help inviting the right person, reach out to us anytime at sheaf.ca/support — we’re happy to help.