Nylon supports Single Sign-On (SSO) via Microsoft Entra ID, using the OpenID Connect (OIDC) protocol.
This lets your users sign in to Nylon with their existing Microsoft work accounts, no password required.
How it works
Once SSO is enabled for your organisation:
Users click "Sign in with Microsoft" on the Nylon login page.
They authenticate with their usual Microsoft credentials (including MFA if your organisation requires it).
They are signed in to Nylon automatically.
No per-user provisioning is required.
Any user in your Microsoft tenant can sign in once your IT admin has completed setup.
Application details
If your organisation uses Conditional Access policies, an application allowlist, or requires verification before granting admin consent, you can use the following details to identify the Nylon application in Microsoft Entra:
Field | Value |
Application name |
|
Application (Client) ID |
|
Supported account types | Any Microsoft work or school account |
Authentication method | OpenID Connect (OIDC) |
What Nylon requests from Microsoft
Nylon requests a small set of delegated permissions only, the app can only access the logged in user's own data while they are actively signing in.
Permission | What it's used for |
| Confirms the user's identity — required for sign-in |
| Reads the user's name and display name |
| Reads the user's email address |
| Reads the signed-in user's basic Microsoft profile |
Nylon does not request any application permissions.
This means it cannot access your directory, read other users' data, or take any action without a user actively present.
What data does Nylon store?
Nylon stores only the minimum information needed to identify your account across sessions:
Your name and email address
A Microsoft user identifier (used to link your account on future sign-ins)
Nylon does not store access tokens, refresh tokens, passwords, or any other Microsoft data.
How to enable SSO for your organisation
Enabling Microsoft SSO for your organisation takes two steps:
Step 1 — Admin consent
A Global Administrator in your Microsoft Entra tenant needs to grant consent to the Nylon application. This is a standard one-time approval that allows users in your organisation to sign in.
You can do this by visiting the Nylon login page, clicking "Sign in with Microsoft", and completing the admin consent prompt when it appears. You only need to do this once.
Step 2 (Optional Enterprise) — Send us your Tenant ID
Once admin consent is granted, send your Microsoft Tenant ID to the Nylon support team. You can find this in the Azure Portal → Microsoft Entra ID → Overview page.
Our team will configure the SSO mapping on our side. This typically takes one business day. Once confirmed, your users can sign in immediately.
Common questions
Do you support SAML?
Not currently. Nylon uses OIDC (OpenID Connect), which is the modern successor to SAML and is supported by Microsoft Entra, Okta, Google Workspace, and all major identity providers. The end-user experience is identical — users click "Sign in with Microsoft" and authenticate with their usual credentials.
If SAML is a hard requirement for your organisation due to a specific compliance policy, please get in touch and we can discuss your situation.
Can Nylon access other users in our directory?
No. The only permission that touches user data is User.Read, which is a delegated permission — it can only read the profile of the person who is actively signing in. Nylon has no access to other users, groups, emails, calendars, or any other tenant-wide resources.
Does Nylon use application permissions?
No. All permissions are delegated. Application permissions (which allow an app to act without a user present and can access tenant-wide data) are not requested by Nylon.
What happens if a user leaves our organisation?
When a user's Microsoft account is disabled or removed, they will no longer be able to sign in to Nylon via SSO. Their existing Nylon account and data are not automatically deleted — please contact us if you need an account removed.
Can individual users still use a password instead of SSO?
If your organisation has SSO enabled, users will still see the "Sign in with Microsoft" option. Password-based login remains available unless you specifically request that it be disabled for your domain. Contact support if you'd like password login disabled for your organisation.
