Overview

Single Sign-On (SSO) lets your users sign in to Avoca with the same identity provider (IdP) they already use for the rest of your business, such as Microsoft Entra ID (Azure AD) or Google Workspace. Setup is self-serve — an admin verifies a domain, links the identity provider, and (optionally) enforces SSO-only sign-in for the team or enterprise.
SSO is an enterprise feature and is typically reserved for larger accounts. If you’re not sure whether SSO is enabled on your plan, reach out to your CSM before getting started.

Where to configure SSO

SSO can be set up in two places, depending on how your account is structured:
  • Team-level SSO — for an individual team
    • Go to Settings → Business Info → Members → Single Sign On
  • Enterprise-level SSO — for an entire enterprise, with the ability to toggle SSO on/off per team
    • Go to Settings → Members → Single Sign On
If you operate multiple teams under one enterprise, we recommend configuring SSO at the enterprise level so that every team inherits the same identity provider and policies.

What you can do with SSO

  • Self-serve setup — an admin can verify a domain and link an identity provider in just a few clicks, no Avoca support ticket required.
  • Multiple domains per team or enterprise — add as many verified domains as you need (for example, yourcompany.com and getyourcompany.com).
  • Supports major identity providers — Microsoft Entra ID (Azure AD) is the most common, and Google and several other providers are also supported behind the scenes.
  • Optional enforcement — lock sign-in so users on your verified domains can only sign in with SSO.

Before you start

Make sure you have:
  • Admin access in Avoca for the team or enterprise you want to configure.
  • Admin access in your identity provider (for example, Microsoft Entra ID or Google Workspace) so you can approve the connection.
  • DNS access for the domain you plan to verify, so you can add the verification record.

Step 1: Open the SSO settings

1. Navigate to Single Sign On

  • For an individual team: go to Settings → Business Info → Members → Single Sign On.
  • For an enterprise: go to Settings → Members → Single Sign On.

2. Start a new SSO configuration

Click into the Single Sign On section to begin adding a domain and identity provider.

Step 2: Add and verify your domain

1. Add your domain

Enter the email domain your users sign in with (for example, yourcompany.com).

2. Add the verification record to DNS

Avoca will display a DNS record you need to add at your domain registrar (such as GoDaddy, Cloudflare, or Namecheap). Add the record exactly as shown.

3. Verify the domain

Once the DNS record has propagated, click Verify in Avoca. Verification can take a few minutes depending on your DNS provider.

4. (Optional) Add additional domains

You can attach multiple domains to a single team or enterprise. Repeat the steps above for each domain you want to include (for example, both yourcompany.com and getyourcompany.com).

Step 3: Link your identity provider

Once your domain is verified, link the identity provider your team uses to sign in.

1. Choose your identity provider

Select your provider — for example, Microsoft (Entra ID / Azure AD) or Google.

2. Authorize the connection

You’ll be redirected to your identity provider to approve the connection. Sign in as an admin and accept the requested permissions.

3. Confirm the connection

Once approved, you’ll be returned to Avoca and the identity provider will be shown as linked.
Microsoft is the most rigorously tested provider since it covers the majority of Avoca customers, but Google and several other providers work through the same flow.

Step 4: (Optional) Enforce SSO

By default, users on your verified domains can sign in with SSO, but they can still use email/password. If you’d like to require SSO for everyone on your domain:
1. Open the SSO settings

Return to Single Sign On in your team or enterprise settings.

2. Enable enforcement

Toggle on Enforce SSO. Once enabled, users on your verified domains will only be able to sign in via your linked identity provider.
Before enforcing SSO, confirm that every active user in your team or enterprise is provisioned in your identity provider. Users without an account in your IdP will lose access once enforcement is enabled.
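One way to run that pre-enforcement check offline, as an added example that is not Avoca's own tooling: compare a member list against an IdP user export and list who would lose access. The CSV column names, the sample rows, and the assumption that each user's Avoca email matches their IdP sign-in name are all hypothetical; adapt them to your real exports.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for illustration,
# not an Avoca or identity-provider export schema.
VERIFIED_DOMAINS = {"yourcompany.com", "getyourcompany.com"}

AVOCA_MEMBERS_CSV = """email,status
Alice@YourCompany.com,active
bob@getyourcompany.com,active
carol@yourcompany.com,active
dave@yourcompany.com,deactivated
erin@contractor.example,active
"""

IDP_USERS_CSV = """userPrincipalName,accountEnabled
alice@yourcompany.com,true
bob@getyourcompany.com,false
"""

def load(csv_text, key, flag, ok_value):
    """Return normalized (trimmed, lower-case) addresses whose flag equals ok_value."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r[key].strip().lower() for r in rows if r[flag].strip().lower() == ok_value}

def enforcement_report(members_csv, idp_csv, verified_domains):
    """Classify active members by their readiness for Enforce SSO."""
    members = load(members_csv, "email", "status", "active")
    idp_enabled = load(idp_csv, "userPrincipalName", "accountEnabled", "true")
    domains = {d.lower() for d in verified_domains}
    report = {"ready": [], "would_lose_access": [], "outside_verified_domains": []}
    for email in sorted(members):
        domain = email.rpartition("@")[2]
        if domain not in domains:
            # The page describes enforcement as applying to verified domains,
            # so these members are listed separately for manual review.
            report["outside_verified_domains"].append(email)
        elif email in idp_enabled:
            report["ready"].append(email)
        else:
            # Missing from the IdP export, or present but disabled there.
            report["would_lose_access"].append(email)
    return report

if __name__ == "__main__":
    for bucket, emails in enforcement_report(
            AVOCA_MEMBERS_CSV, IDP_USERS_CSV, VERIFIED_DOMAINS).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Provision or re-enable everyone listed under would_lose_access in your identity provider before toggling Enforce SSO.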

Managing SSO at the enterprise level

If you’re set up at the enterprise level, you can toggle SSO on or off per team within the enterprise. This is useful if you’re rolling SSO out gradually or have teams that should remain on email/password sign-in.

Video walkthrough

The video below walks through the basic SSO flows using Microsoft as the identity provider.

Frequently asked questions

SSO is an enterprise-level feature. If you’re unsure whether it’s enabled on your account, reach out to your CSM.
Microsoft Entra ID (Azure AD) is the most commonly used and most thoroughly tested. Google and several other providers are also supported.
Yes. You can attach multiple verified domains to a single team or enterprise — for example, both your primary domain and any secondary or testing domains.
Yes. You can enforce SSO at your discretion, which restricts users on your verified domains to signing in only via your linked identity provider.
SSO is self-serve. An admin can verify a domain, link an identity provider, and enable enforcement directly from the dashboard — no support ticket required.
Team-level SSO applies to a single team. Enterprise-level SSO applies across the whole enterprise and lets you toggle SSO on or off for each team underneath it.
Last modified on May 29, 2026