From 6bf81bd730d37b2e4854300de6276878eb6b76de Mon Sep 17 00:00:00 2001
From: Ivo Oskamp <ivooskamp@oskamp.info>
Date: Mon, 23 Feb 2026 14:23:15 +0100
Subject: [PATCH] Add documentation page for Microsoft Entra SSO setup

---
 .../backend/app/main/routes_documentation.py  |  1 +
 .../documentation/settings/entra-sso.html     | 94 +++++++++++++++++++
 2 files changed, 95 insertions(+)
 create mode 100644 containers/backupchecks/src/templates/documentation/settings/entra-sso.html

diff --git a/containers/backupchecks/src/backend/app/main/routes_documentation.py b/containers/backupchecks/src/backend/app/main/routes_documentation.py
index 66c2f16..718f9b6 100644
--- a/containers/backupchecks/src/backend/app/main/routes_documentation.py
+++ b/containers/backupchecks/src/backend/app/main/routes_documentation.py
@@ -89,6 +89,7 @@ DOCUMENTATION_STRUCTURE = {
             {'slug': 'general', 'title': 'General Settings'},
             {'slug': 'mail-configuration', 'title': 'Mail Configuration'},
             {'slug': 'autotask-integration', 'title': 'Autotask Integration'},
+            {'slug': 'entra-sso', 'title': 'Microsoft Entra SSO'},
             {'slug': 'reporting-settings', 'title': 'Reporting Settings'},
             {'slug': 'user-management', 'title': 'User Management'},
             {'slug': 'maintenance', 'title': 'Maintenance'},
diff --git a/containers/backupchecks/src/templates/documentation/settings/entra-sso.html b/containers/backupchecks/src/templates/documentation/settings/entra-sso.html
new file mode 100644
index 0000000..3f941bf
--- /dev/null
+++ b/containers/backupchecks/src/templates/documentation/settings/entra-sso.html
@@ -0,0 +1,94 @@
+{% extends "documentation/base.html" %}
+
+{% block doc_content %}
+<h1>Microsoft Entra SSO</h1>
+<p>Use Microsoft Entra ID (Azure AD) to let users sign in with their Microsoft account.</p>
+
+<div class="doc-callout doc-callout-info">
+  <strong>Scope:</strong> this page explains the setup for Backupchecks and Microsoft Entra.
+  It does not replace your internal identity/security policies.
+</div>
+
+<h2>Prerequisites</h2>
+<ul>
+  <li>Admin access to your Microsoft Entra tenant.</li>
+  <li>Admin access to Backupchecks <strong>Settings → Integrations</strong>.</li>
+  <li>A stable HTTPS URL for Backupchecks (recommended for production).</li>
+</ul>
+
+<h2>Step 1: Register an app in Microsoft Entra</h2>
+<ol>
+  <li>Open <strong>Microsoft Entra admin center</strong> → <strong>App registrations</strong>.</li>
+  <li>Create a new registration (single-tenant is typical for internal use).</li>
+  <li>Set a name, for example <code>Backupchecks SSO</code>.</li>
+  <li>After creation, copy:
+    <ul>
+      <li><strong>Application (client) ID</strong></li>
+      <li><strong>Directory (tenant) ID</strong></li>
+    </ul>
+  </li>
+</ol>
+
+<h2>Step 2: Configure redirect URI</h2>
+<ol>
+  <li>In the app registration, open <strong>Authentication</strong>.</li>
+  <li>Add a <strong>Web</strong> redirect URI:
+    <ul>
+      <li><code>https://your-backupchecks-domain/auth/entra/callback</code></li>
+    </ul>
+  </li>
+  <li>Save the authentication settings.</li>
+</ol>
+
+<h2>Step 3: Create client secret</h2>
+<ol>
+  <li>Open <strong>Certificates &amp; secrets</strong> in the app registration.</li>
+  <li>Create a new client secret.</li>
+  <li>Copy the secret value immediately (it is shown only once).</li>
+</ol>
+
+<h2>Step 4: Configure Backupchecks</h2>
+<ol>
+  <li>Open <strong>Settings → Integrations → Microsoft Entra SSO</strong>.</li>
+  <li>Enable <strong>Microsoft sign-in</strong>.</li>
+  <li>Fill in:
+    <ul>
+      <li><strong>Tenant ID</strong></li>
+      <li><strong>Client ID</strong></li>
+      <li><strong>Client Secret</strong></li>
+      <li><strong>Redirect URI</strong> (optional override, leave empty to auto-use callback URL)</li>
+      <li><strong>Allowed domain/tenant</strong> (optional restriction)</li>
+    </ul>
+  </li>
+  <li>Optional: enable <strong>Auto-provision unknown users as Viewer</strong>.</li>
+  <li>Save settings.</li>
+</ol>
+
+<h2>Step 5: Test sign-in</h2>
+<ol>
+  <li>Open <strong>/auth/login</strong> in a private/incognito browser session.</li>
+  <li>Click <strong>Sign in with Microsoft</strong>.</li>
+  <li>Authenticate with an allowed account.</li>
+  <li>Confirm you are redirected back into Backupchecks.</li>
+</ol>
+
+<h2>User mapping behavior</h2>
+<ul>
+  <li>Backupchecks first tries to match Entra user to local user by username/email.</li>
+  <li>If no match exists:
+    <ul>
+      <li>With auto-provision disabled: login is rejected.</li>
+      <li>With auto-provision enabled: a new local user is created with <strong>Viewer</strong> role.</li>
+    </ul>
+  </li>
+</ul>
+
+<h2>Troubleshooting</h2>
+<ul>
+  <li><strong>Redirect URI mismatch:</strong> ensure Entra app URI exactly matches Backupchecks callback URI.</li>
+  <li><strong>SSO button not visible:</strong> check that SSO is enabled and Tenant/Client/Secret are saved.</li>
+  <li><strong>Account not allowed:</strong> verify tenant/domain restriction in <em>Allowed domain/tenant</em>.</li>
+  <li><strong>No local user mapping:</strong> create a matching local user or enable auto-provision.</li>
+</ul>
+{% endblock %}
+