How to connect Dropbox with Microsoft Azure AD

Updated Nov 24, 2023

The Dropbox integration with Microsoft Azure AD helps you manage your Dropbox team account centrally through Microsoft Azure AD. When you use Dropbox with Microsoft Azure AD, you can:

  • Configure single sign-on (SSO) for your Dropbox team account
  • Manage provisioning and deprovisioning of Dropbox team members through Azure AD

Requirements

  • An admin account on Dropbox team
  • A Microsoft Azure subscription
  • An Azure AD user account with a valid email address

There are several steps to set up SSO and user provisioning between Dropbox team and Microsoft Azure. Go through each section of this article in order to set up provisioning and SSO.

If you don't want to set up SSO, stop after Provision users to your Dropbox Business team.

Note: The steps in this article use the current Microsoft Azure Portal. 

How to add Dropbox to Microsoft Azure

First, add the Dropbox team integration to Microsoft Azure:

  1. Log in to the Microsoft Azure Portal.
  2. Click Azure Active Directory.
  3. Click Enterprise Applications.
  4. Click New Application.
  5. Choose Dropbox for Business from the All category.
  6. Click Add.

On March 18, the Dropbox for Business application was replaced with an updated version. If you'd like to update to the newer version, follow these instructions for migrating a legacy Dropbox app.

How to create your test user

It’s best to set up SSO and provisioning using a Microsoft Azure test user. You can make sure everything works the way you want before users join your Dropbox team.

Your test user must have a valid email address with an email inbox you can access.

Follow these steps to set up your test user:

  1. In the Microsoft Azure Portal, navigate to Quick Start.
  2. Click Assign a user for testing (required).  
  3. Click Add user and select a user or users for testing.  
  4. Save your selection.  
  5. On the Quick Start page, click Create your test user in Dropbox for Business (required).  
  6. Select Provisioning Mode: Automatic.
  7. Click Authorize.
  8. You’re redirected to dropbox.com. Click Allow to authorize Microsoft Azure AD as a Dropbox team app.
  9. Click Test Connection to verify that Azure AD was successfully authorized.

How to provision users to your Dropbox team account

Choose how you want to provision users to your Dropbox team account. You can either:

  • Automatically provision users through Microsoft Azure
  • Provision users manually through the Dropbox admin console

  1. From the Quick Start page in the Microsoft Azure Portal, select Create your test user in Dropbox for Business (required).
  2. Under Provisioning Status, select:
    • On: Automatically provision users from Microsoft Azure to your Dropbox team account
    • Off: Manually provision users through the Dropbox console
  3. Set Scope
    • Sync only the assigned users and groups (Recommended): you assign Dropbox to certain users. Only the users you assign to Dropbox are provisioned to your Dropbox team.
    • Sync all users and groups: all users and groups on your Microsoft Azure team are provisioned to your Dropbox team.
  4. Click Save.

If Provisioning Status is set to On:

  • Any users you provision appear in the Members page of the Dropbox admin console. Users must accept an invitation to your team. They appear under either the Active or Invited filters.
  • Beneath the members list, you can see Members managed by Windows Azure AD.

If Provisioning Status is set to Off:

  • You can invite users to your team through the Dropbox admin console.

How to sync groups from Azure

To sync Groups in Azure, you must have an Azure AD Premium subscription. 

The same groups you have in Azure AD can sync into Dropbox with the newest version of the Azure Connector.

Configure single sign-on for your Dropbox team account

To use Microsoft Azure as a single sign-on (SSO) provider for your Dropbox team account, configure SSO in both apps. 

To connect Dropbox Business and Microsoft Azure, you need:

  • A unique sign-in URL from Dropbox
  • A unique sign-in URL from Microsoft Azure
  • A unique sign-out URL from Microsoft Azure
  • An X.509 certificate from Microsoft Azure

It’s easiest if you keep both dropbox.com and the Microsoft Azure Portal open in your web browser.

On dropbox.com, copy the SSO sign-in URL:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin Console.
  3. Click Settings.
  4. Click Single Sign-On.
  5. Under SSO sign-in URL, choose Copy link. You’ll need this URL in Microsoft Azure. 

Next, you’ll move to the Microsoft Azure Portal and make sure that your settings are correct for Dropbox Business:

  1. Log in to the Microsoft Azure Portal.
  2. Choose the Dropbox team app.
  3. On the Quick Start page, click Configure single sign-on (required).
  4. Set Mode to SAML-based Sign-on.
  5. Paste the URL copied from the Dropbox Business admin console into the Sign on URL field.
  6. In the Identifier field enter Dropbox.
  7. In the Reply URL field enter https://www.dropbox.com/saml_login.
  8. Click Certificate (Base64) to download and save the SAML Signing Certificate.
  9. Click Configure Dropbox for Business to open the configuration guide. Copy the Azure AD Single Sign-On Service URL and Azure AD Sign-Out URL. Keep these URLs available; you’ll need them to finish configuring the integration.
  10. Click Save.

Now that your settings are correct in the Microsoft Azure Portal, enable SSO in Dropbox:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin Console.
  3. Click Settings.
  4. Click Single Sign-On.
  5. In the Single sign-on box:
    • Set SSO to Optional during the testing phase. Optional allows users to use either SSO or their username and password when logging in.
    • Set SSO to Required once testing is complete to enforce SSO. Admins will always have the option of using a username and password when logging in.
  6. Next to Identity provider sign-in URL, paste the Azure AD Single Sign-On Service URL provided by Microsoft Azure.
  7. Next to Identity provider sign-out URL (optional), paste the Azure AD Sign-Out URL provided by Microsoft Azure.
  8. Click Choose Certificate and upload the SAML Signing Certificate downloaded from Microsoft Azure. 
  9. Click Save Changes.
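
Before uploading the SAML Signing Certificate in step 8, you can confirm that the saved file really is the Base64 (PEM) export and is not close to expiry. The script below is an added example, not part of the original article; it assumes the openssl command-line tool is installed, and the function names, file names and self-signed sample certificates are constructed for illustration.

```shell
# check_saml_cert FILE [MIN_DAYS]
#   0: PEM (Base64) X.509 certificate, valid for at least MIN_DAYS more days
#   1: not a PEM-encoded X.509 certificate (for example a binary/DER export)
#   2: certificate expires within MIN_DAYS days, or has already expired
check_saml_cert() {
    cert=$1
    min_days=${2:-30}
    # The Base64 download starts with a PEM header; a binary export does not.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        echo "not Base64/PEM: $cert" >&2
        return 1
    fi
    # It must also parse as X.509, not merely look like PEM.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "not a parseable X.509 certificate: $cert" >&2
        return 1
    fi
    # Show subject, expiry and fingerprint for comparison with the IdP's copy.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "expires within $min_days days: $cert" >&2
        return 2
    fi
    return 0
}

# Constructed sample input: throwaway self-signed certificates standing in for
# the downloaded file (hypothetical file names and subject, not real Azure data).
make_sample_certs() {
    dir=$1
    for days in 365 1; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=constructed-idp-signing" \
            -keyout "$dir/key.pem" -out "$dir/days$days.cer" 2>/dev/null
    done
    openssl x509 -in "$dir/days365.cer" -outform DER -out "$dir/binary.cer"
    rm -f "$dir/key.pem"
}

tmp=$(mktemp -d)
make_sample_certs "$tmp"
for f in days365.cer days1.cer binary.cer; do
    rc=0
    check_saml_cert "$tmp/$f" 30 || rc=$?
    echo "$f -> exit $rc"
done
rm -rf "$tmp"
```

To check a real download, call check_saml_cert with the path of the saved certificate file instead of the constructed samples.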

Test single sign-on

Check that SSO is set up correctly by testing the connection between Dropbox Business and Microsoft Azure.

Log out of your Dropbox team admin account and try signing in as your test team member using SSO:

  1. If you’re logged in to your admin account on dropbox.com, click your avatar and choose Sign out.
  2. Log in to dropbox.com using a user assigned for testing in Azure AD.  
  3. Click Continue.
  4. You’re redirected to the Microsoft Login Portal. Enter the user’s Azure AD username and password.
  5. You’re redirected back to dropbox.com and are signed in to that user account.

Assign Dropbox Business to users

If everything’s set up and your test is successful, it’s time to give your users access to Dropbox teams. Assign Dropbox Business to each user or group that needs to use Dropbox Business.

If you assign Dropbox Business to a user, SSO is enabled, and provisioning is automatic, then:

  • The assigned user is provisioned in Dropbox and they receive an invite to the Dropbox Business team.
  • After they join the team, they can log in using SSO.

To assign Dropbox Business to users or groups, navigate to the Microsoft Azure Portal:

  1. Log in to the Microsoft Azure Portal.
  2. Click Deploy single sign-on to users and groups (recommended).
  3. You’re directed to Users and groups where you can assign users Dropbox Business access, either individually or as a group. 

Users that you don’t assign Dropbox Business to aren’t automatically provisioned and can’t use SSO.
