# Set up Microsoft logins

If your organization uses Microsoft work or school accounts, these can be used to log into SETLS. To set this up, an administrator may need to follow the steps below.

## Basic setup

1. Sign into the [Azure Portal](https://portal.azure.com/#home)
2. Switch to the appropriate tenant using the 'Cog' button in the top right
3. Open the **Azure Active Directory** service
4. Click **Enterprise applications** in the menu on the left
5. Click **SeTLS - Serious Toy Library Software**
    - If SeTLS is not in the list, attempt to sign into SeTLS using your Microsoft account, then come back and refresh the page. You may need to use an account with one of the 'Application Administrator' or 'Cloud Application Administrator' roles.
6. Click **Properties** in the menu on the left 
    - Set **Enabled for users to sign-in** to **Yes**

<p class="callout info">TIP: this link will take you directly to the list of [Enterprise applications](https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null) in Azure Active Directory.</p>

## Providing consent

When using Microsoft accounts, consent must be provided to the application. This can be done:

- By the organization on behalf of all users, or specified users - this is referred to as "admin consent"
- By individual users - this is referred to as "self service"

<p class="callout info">For more information, see [Overview of user and admin consent - Microsoft Entra | Microsoft Learn.](https://learn.microsoft.com/en-gb/azure/active-directory/manage-apps/user-admin-consent-overview)</p>

### Admin consent

1. Follow steps 1-5 above to open **SeTLS - Serious Toy Library Software**
2. Click **Permissions** in the menu on the left
3. Click the **Grant admin consent for &lt;organisation&gt;** button 
    - Log in with your Microsoft account if necessary
4. Refresh the list to see the list of permissions

### Self-service

1. Follow steps 1-5 above to open **SeTLS - Serious Toy Library Software**
2. Click **Self-service** in the menu on the left
3. Set **Allow users to request access to this application** to **Yes**
4. Click **Select group** and choose an AAD group 
    - we recommend creating a dedicated group, for example "SETLS Users"
5. Set **Require approval before granting access to this application** to **Yes** if needed

<p class="callout warning">Self-service is subject to global settings found on the [Consent and permissions](https://portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings) page.</p>