Two-factor authentication options for Microsoft users in Sanity

5 replies
Last updated: Apr 2, 2020
Hi, I have a question about two-factor auth login. According to your documentation part: "Users log in to their Sanity.io accounts using external authentication providers (currently Google Accounts and GitHub) via an OAuth 2 flow, optionally with two-factor authentication, which we strongly recommend..." I'm wondering what I should tell our customer using Microsoft services? Should they just add two-factor auth on their emails and it should be just fine, or is there any two-factor setting for Sanity teams?
AI Update

Great question! You're right to be thinking about two-factor authentication for your Microsoft-based customers. Let me break down the authentication options available in Sanity:

Standard Authentication (Google & GitHub)

By default, Sanity users authenticate via OAuth 2 with Google or GitHub. When using these providers, the two-factor authentication happens at the provider level. So if your customer adds 2FA to their Google or GitHub account, that protection automatically applies when logging into Sanity. This is what the documentation you quoted is referring to.

Microsoft/Azure Authentication via SAML SSO

For customers using Microsoft services (Azure AD/Entra ID), Sanity offers SAML SSO as an enterprise authentication option. This allows your customer to authenticate using their Microsoft corporate identity instead of Google or GitHub.

Key points about SAML SSO:

  • Available on Business and Enterprise plans (it's a paid feature)
  • Supports Azure Active Directory/Entra ID integration
  • Allows centralized authentication management through your customer's identity provider
  • Supports automatic role mapping based on Azure AD group membership
  • Importantly: Any MFA/2FA configured in Azure AD automatically applies to Sanity logins

There's a detailed guide for setting up SAML with Azure if your customer wants to go this route.

Recommendation for Your Customer

If your customer is on a Business or Enterprise plan and wants to use their Microsoft infrastructure, SAML SSO with Azure AD is the way to go. This gives them:

  • Single sign-on with their existing Microsoft credentials
  • Whatever MFA/2FA policies they've configured in Azure AD
  • Centralized user management
  • Better security compliance for enterprise environments

If they're on a lower-tier plan or want a simpler setup, they can stick with Google/GitHub authentication and just ensure those accounts have 2FA enabled at the provider level. The security is handled by Google/GitHub's 2FA implementation.

Either way, there's no separate "Sanity-level" 2FA setting to configure—the two-factor authentication is always managed by the identity provider (Google, GitHub, or Azure AD).
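Since the second factor lives entirely at the identity provider, the thing worth checking on the Sanity side is whether the IdP actually asserted MFA for a given sign-in: with Entra ID (Azure AD) that depends on the tenant's Conditional Access, security defaults or per-user MFA settings covering the Sanity enterprise application, and a SAML-tracer capture of the assertion is the quickest way to confirm it. The script below is an added example for this thread, not Sanity's code or a Microsoft tool; it assumes the attribute name `http://schemas.microsoft.com/claims/authnmethodsreferences` and the value `http://schemas.microsoft.com/claims/multipleauthn` as documented in Microsoft's SAML token reference, and the sample assertions are constructed here (unsigned, for illustration only).

```python
"""Inspect a captured SAML assertion from Entra ID (Azure AD) and report which
authentication methods the IdP says it used, so an admin can confirm that the
tenant's MFA policy really applied to the Sanity sign-in.

Inspection only: this does not validate the XML signature, audience or
timestamps. The service provider (here, Sanity) is responsible for that when
it consumes the assertion; this script only reads the claims out of a capture.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption for this example: attribute and value names as given in
# Microsoft's SAML token reference for "authentication methods references".
AMR_ATTRIBUTE = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_METHOD = "http://schemas.microsoft.com/claims/multipleauthn"


def _assertion(root: ET.Element) -> ET.Element:
    """Accept either a bare <saml:Assertion> or a full <samlp:Response> wrapping one."""
    if root.tag == f"{{{NS['saml']}}}Assertion":
        return root
    found = root.find(".//saml:Assertion", NS)
    if found is None:
        raise ValueError("no saml:Assertion element in document")
    return found


def auth_methods(xml_text: str) -> List[str]:
    """Return the authentication-method URIs the IdP asserted (empty if the claim is absent)."""
    assertion = _assertion(ET.fromstring(xml_text))
    methods: List[str] = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AMR_ATTRIBUTE:
            for value in attr.findall("saml:AttributeValue", NS):
                methods.append((value.text or "").strip())
    return methods


def mfa_performed(xml_text: str) -> bool:
    """True only if the IdP explicitly asserts that more than one factor was used."""
    return MFA_METHOD in auth_methods(xml_text)


def summarize(xml_text: str) -> Dict[str, object]:
    """Short report an admin can read off a SAML-tracer capture."""
    assertion = _assertion(ET.fromstring(xml_text))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "subject": (name_id.text or "").strip() if name_id is not None else None,
        "authn_context": (ctx.text or "").strip() if ctx is not None else None,
        "methods": auth_methods(xml_text),
        "mfa": mfa_performed(xml_text),
    }


def _sample(methods: List[str]) -> str:
    """Constructed, unsigned assertion for demonstration; not real IdP output."""
    values = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>editor@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AMR_ATTRIBUTE}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


PASSWORD_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
PASSWORD_ONLY = _sample([PASSWORD_METHOD])      # sign-in that policy did not challenge
WITH_MFA = _sample([PASSWORD_METHOD, MFA_METHOD])  # sign-in where MFA was completed

if __name__ == "__main__":
    for label, doc in (("password only", PASSWORD_ONLY), ("with MFA", WITH_MFA)):
        print(label, summarize(doc))
```

Note that both constructed assertions carry the same `AuthnContextClassRef` (`PasswordProtectedTransport`), which is why the check keys on the authentication-methods attribute rather than on the context class: the context class alone does not tell you whether a second factor was presented. If a capture for a user who should be covered by an MFA policy comes back without `multipleauthn`, the Conditional Access assignment for the Sanity application is the first thing to re-check.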

Should they just add two factor auth on their emails and it should be just fine
Yes. If they’re using Microsoft for auth, then that’s where 2FA should be enabled
..and the same goes for gmail and github, right?
Yes
Cool, thanks!
No problem, glad you’re getting this to work 😁
