
Authentication

The Authentication tab in Organization Settings provides security configuration options for your DataStream organization. Administrators can configure Single Sign-On (SSO) integration with Entra ID and manage Multi-Factor Authentication (MFA) requirements for all users.

To access authentication settings:

  1. Click the hamburger menu on the top left
  2. Select Organization > Settings
  3. Click the Authentication tab

Single Sign-On

The Single Sign-On section allows administrators to integrate DataStream with Entra ID authentication systems, enabling users to access DataStream using their existing organizational credentials.

SSO Configuration

VirtualMetric DataStream single sign-on integration allows users with existing Entra ID accounts to access DataStream without creating separate credentials. Users authenticate through their organization's Entra ID system and gain access to DataStream based on their assigned roles and permissions.

Enable SSO for Tenant

  1. Navigate to Organization Settings
    • Access the Organization menu from the cloud interface
    • Select Tenant Settings
  2. Configure Authentication Type
    • Locate the Authentication section
    • Set Auth Type to OAuth
    • Enable the SSO Enabled toggle
  3. Entra ID Configuration
    • OAuth Config: Enter your Entra ID application configuration
      • client_id: Entra ID application client ID
      • client_secret: Entra ID application client secret
      • tenant_id: Entra ID tenant identifier
      • redirect_uri: VirtualMetric callback URL
    • OAuth Scope: Specify required permissions (e.g., openid profile email)

Entra ID Application Setup

Prerequisites: Entra ID administrator access required.

  1. Register Application
    • Navigate to Azure Portal > Entra ID > App registrations
    • Create new registration with appropriate redirect URI
    • Note the Application (client) ID and Directory (tenant) ID
  2. Configure Authentication
    • Add platform configuration for web application
    • Set redirect URI to your VirtualMetric tenant URL
    • Enable ID tokens and access tokens
  3. Create Client Secret
    • Navigate to Certificates & secrets
    • Create new client secret
    • Copy the secret value immediately
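
A pre-entry check for the values collected in the steps above, as an added example that is not part of the DataStream documentation or product. The dict layout, the function name `check_oauth_config`, and the sample GUIDs, secret and host name are assumptions; the page does not specify the format of the OAuth Config field.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED = ("client_id", "client_secret", "tenant_id", "redirect_uri")


def check_oauth_config(cfg, scope):
    """Return a list of problems in the collected values (empty list = none found)."""
    problems = []
    for key in REQUIRED:
        value = cfg.get(key, "")
        if not value.strip():
            problems.append(f"{key}: missing")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace from copy/paste")
    # The Application (client) ID and Directory (tenant) ID shown in Entra ID are GUIDs.
    for key in ("client_id", "tenant_id"):
        value = cfg.get(key, "").strip()
        if value and not GUID.match(value):
            problems.append(f"{key}: not in GUID form")
    # A GUID in this field usually means the Secret ID was copied instead of the Value.
    if GUID.match(cfg.get("client_secret", "").strip()):
        problems.append("client_secret: looks like a Secret ID, not the secret value")
    uri_text = cfg.get("redirect_uri", "").strip()
    if uri_text:
        uri = urlsplit(uri_text)
        if uri.scheme != "https" or not uri.hostname:
            problems.append("redirect_uri: must be an absolute https URL")
        if uri.fragment:
            problems.append("redirect_uri: must not contain a fragment")
    if "openid" not in scope.split():
        problems.append("scope: 'openid' is missing")
    return problems


# Constructed sample values; the GUIDs, secret and host name are placeholders.
GOOD = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "constructed-placeholder-secret-value",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "redirect_uri": "https://datastream.example.com/callback",
}
BAD = dict(GOOD, client_secret="99999999-8888-7777-6666-555555555555",
           redirect_uri="http://datastream.example.com/callback ")

if __name__ == "__main__":
    print(check_oauth_config(GOOD, "openid profile email"))
    for problem in check_oauth_config(BAD, "profile email"):
        print(problem)
```

The redirect URI entered in DataStream has to match the one registered in Entra ID exactly, so run the check on the same string you registered.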

User Access Management

When SSO is enabled, users with Entra ID accounts can access DataStream directly without requiring separate VirtualMetric user accounts. Entra ID handles authentication and provides user identity information to DataStream for access control.

When SSO is disabled, users must have dedicated VirtualMetric DataStream user accounts with username/password authentication to access the system.

Disable SSO

  1. Navigate to Tenant Settings
  2. Disable the SSO Enabled toggle
  3. Users will revert to VirtualMetric username/password authentication

Multi-Factor Authentication

The Multi-Factor Authentication section allows administrators to configure MFA requirements for all users in the organization. MFA adds an extra layer of security by requiring users to verify their identity using a second factor beyond their password.

MFA Methods

DataStream supports two MFA methods:

| Method | Description |
| --- | --- |
| Email | A 6-digit one-time password is sent to the user's registered email address. Codes expire after 2 minutes. |
| Authenticator App | Users scan a QR code with an authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy) and enter the 6-digit time-based code. |

Configure Organization MFA Settings

Administrators with the MFA_EDIT permission can configure which MFA methods are available to users and whether MFA is enforced organization-wide.

  1. Navigate to Organization > Settings > Authentication
  2. In the Multi-Factor Authentication section, click Manage
  3. Select the allowed MFA methods:
    • Email - Enable email-based one-time passwords
    • Authenticator App - Enable time-based one-time passwords (TOTP)
  4. Configure enforcement:
    • Enable the Enforce MFA toggle to require all users to set up MFA
    • When enforcement is enabled, users must configure MFA on their next login
  5. Click Save Changes

Warning: Removing an MFA method that users have already configured will require those users to set up a new method on their next login.

Note: At least one MFA method must be selected. You cannot save the configuration with no methods enabled.

MFA Enforcement

When MFA enforcement is enabled:

  • Users who have not configured MFA will be prompted to set it up on their next login
  • Users must complete MFA setup before accessing DataStream
  • The setup wizard guides users through method selection, verification, and backup code generation

When MFA enforcement is disabled:

  • MFA setup becomes optional for users
  • Users can enable or disable MFA from their Account Settings
  • Existing MFA configurations remain active

Important: Disabling MFA enforcement does not disable MFA for users who have already configured it. Users retain their existing MFA settings and can manage them through Account Settings.

User MFA Setup

When MFA is enforced or when users choose to enable MFA, the setup process includes:

  1. Method Selection - Choose between Email or Authenticator App (based on organization-allowed methods)
  2. Verification - Complete initial verification:
    • For Email: Click Send to receive a code, then enter the 6-digit code
    • For Authenticator App: Scan the QR code with your app, then enter the 6-digit code
  3. Backup Codes - Save the generated backup codes for account recovery

Backup Codes

After MFA setup, users receive a set of backup codes. These single-use codes allow account access if the primary MFA method is unavailable.

  • Backup codes are displayed once during setup and can be copied or downloaded as a text file
  • Each code can only be used once
  • Users can reset their backup codes from Account Settings, which invalidates all previous codes

Warning: Using a backup code triggers a mandatory MFA re-setup. Users must configure a new MFA method immediately after using a backup code to sign in.

MFA Challenge at Login

When a user with MFA enabled signs in, they are prompted to verify their identity:

  • Email method: Enter the 6-digit code sent to the registered email
  • Authenticator App method: Enter the current 6-digit code from the app
  • Fallback options: If the primary method is unavailable, users can request an email code or use a backup code

User MFA Management

Individual users can manage their MFA settings from Account Settings > Authentication:

  • Enable/Disable MFA - Turn MFA on or off for their account (when not enforced)
  • Change Method - Switch between Email and Authenticator App
  • Reset Backup Codes - Generate new backup codes (invalidates previous codes)