diff --git a/containers/backupchecks/src/backend/app/main/routes_documentation.py b/containers/backupchecks/src/backend/app/main/routes_documentation.py
index 66c2f16..718f9b6 100644
--- a/containers/backupchecks/src/backend/app/main/routes_documentation.py
+++ b/containers/backupchecks/src/backend/app/main/routes_documentation.py
@@ -89,6 +89,7 @@ DOCUMENTATION_STRUCTURE = {
{'slug': 'general', 'title': 'General Settings'},
{'slug': 'mail-configuration', 'title': 'Mail Configuration'},
{'slug': 'autotask-integration', 'title': 'Autotask Integration'},
+ {'slug': 'entra-sso', 'title': 'Microsoft Entra SSO'},
{'slug': 'reporting-settings', 'title': 'Reporting Settings'},
{'slug': 'user-management', 'title': 'User Management'},
{'slug': 'maintenance', 'title': 'Maintenance'},
diff --git a/containers/backupchecks/src/templates/documentation/settings/entra-sso.html b/containers/backupchecks/src/templates/documentation/settings/entra-sso.html
new file mode 100644
index 0000000..3f941bf
--- /dev/null
+++ b/containers/backupchecks/src/templates/documentation/settings/entra-sso.html
@@ -0,0 +1,94 @@
+{% extends "documentation/base.html" %}
+
+{% block doc_content %}
+Microsoft Entra SSO
+Use Microsoft Entra ID (Azure AD) to let users sign in with their Microsoft account.
+
+
+ Scope: this page explains the setup for Backupchecks and Microsoft Entra.
+ It does not replace your internal identity/security policies.
+
+
+Prerequisites
+
+ - Admin access to your Microsoft Entra tenant.
+ - Admin access to Backupchecks Settings → Integrations.
+ - A stable HTTPS URL for Backupchecks (recommended for production).
+
+
+Step 1: Register an app in Microsoft Entra
+
+ - Open Microsoft Entra admin center → App registrations.
+ - Create a new registration (single-tenant is typical for internal use).
+ - Set a name, for example
Backupchecks SSO.
+ - After creation, copy:
+
+ - Application (client) ID
+ - Directory (tenant) ID
+
+
+
+
+Step 2: Configure redirect URI
+
+ - In the app registration, open Authentication.
+ - Add a Web redirect URI:
+
+ https://your-backupchecks-domain/auth/entra/callback
+
+ - Save the authentication settings.
+
+
+Step 3: Create client secret
+
+ - Open Certificates & secrets in the app registration.
+ - Create a new client secret.
+ - Copy the secret value immediately (it is shown only once).
+
+
+Step 4: Configure Backupchecks
+
+ - Open Settings → Integrations → Microsoft Entra SSO.
+ - Enable Microsoft sign-in.
+ - Fill in:
+
+ - Tenant ID
+ - Client ID
+ - Client Secret
+ - Redirect URI (optional override, leave empty to auto-use callback URL)
+ - Allowed domain/tenant (optional restriction)
+
+
+ - Optional: enable Auto-provision unknown users as Viewer.
+ - Save settings.
+
+
+Step 5: Test sign-in
+
+ - Open /auth/login in a private/incognito browser session.
+ - Click Sign in with Microsoft.
+ - Authenticate with an allowed account.
+ - Confirm you are redirected back into Backupchecks.
+
+
+User mapping behavior
+
+ - Backupchecks first tries to match Entra user to local user by username/email.
+ - If no match exists:
+
+ - With auto-provision disabled: login is rejected.
+ - With auto-provision enabled: a new local user is created with Viewer role.
+
+
+
+
+Troubleshooting
+
+ - Redirect URI mismatch: ensure Entra app URI exactly matches Backupchecks callback URI.
+ - SSO button not visible: check that SSO is enabled and Tenant/Client/Secret are saved.
+ - Account not allowed: verify tenant/domain restriction in Allowed domain/tenant.
+ - No local user mapping: create a matching local user or enable auto-provision.
+
+{% endblock %}
+