How can I configure Microsoft Entra Domain Services single sign-on for a QNAP NAS?
Applicable Products
- All NAS series
- QTS 5.2.7 and later versions
- QuTS hero h5.2.7 and later versions
Details
QNAP NAS supports single sign-on (SSO) with Microsoft Entra Domain Services, allowing users to log in using their Microsoft Entra ID credentials. You can then manage the following for imported domain users:
- Shared folder privileges
- Domain group privileges
- Domain user storage settings
Prerequisites
- A site-to-site VPN connection using Microsoft Entra
- A Microsoft Entra Domain Services domain
- A QNAP NAS running QTS 5.2.7 (or later) or QuTS hero h5.2.7 (or later)
Note: To configure SSO on multiple NAS devices, repeat the steps in this tutorial for each device.
Procedure
To enable Microsoft Entra single sign-on (SSO) on your QNAP NAS, you need to register an application in the Microsoft Entra admin center and then configure SSO settings on the NAS. After setup, users can log in with their Microsoft Entra ID credentials, and you can manage their access and storage privileges directly from the NAS.
1. Create a custom application
- Sign in to https://portal.azure.com.
- Navigate to Manage Microsoft Entra ID.
- Click App registrations.
- Click + New registration.
- Enter the registration details:
- Specify a name for the application.
- Select the account type for the API.
- Select the platform for returning the authentication URI.
- Specify the authentication URI in the following format:
https://NASIP:443/cgi-bin/loginTheme/sso/azure/main.html
Note: Replace NASIP in the URI with the actual NAS IP address.
- Click Register.
- On the Overview page, copy the following information:
- Application (client) ID
- Directory (tenant) ID
- Go to Manage > Authentication (Preview).
- Click Settings.
- Navigate to Implicit grant and hybrid flows.
- Enable the following:
- Access tokens (used for implicit flows)
- ID tokens (used for implicit and hybrid flows)
- Click Save.
2. Configure single sign-on settings on your NAS
- Log in to your NAS as an administrator.
- Go to Control Panel > Privilege > Domain Security.
- Click Windows AD/LDAP.
- Select AD Authentication (Domain Members).
- Click Quick Configuration Wizard or Manual Configuration.
- Configure the domain service settings. For details, see the following topics in the QTS 5.x User Guide or QuTS hero 5.x User Guide:
- Configuring AD authentication using the Quick Configuration Wizard
- Configuring AD authentication manually
- Go to Control Panel > Privilege > Domain Security > SSO.
- Select Enable Microsoft Entra single sign-on (SSO).
- Enter the copied application (client) ID in the Client ID field.
- Enter the copied directory (tenant) ID in the Tenant ID field.
Note: When entering the Client ID or Tenant ID, ensure that it meets the following requirements:
- Exactly 36 characters in length (including hyphens)
- Contains only letters (A–Z, a–z), numbers (0–9), and hyphens (-)
- Click Apply.
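The following pre-flight check is an added example, not QNAP or Microsoft code. It tests a copied Client ID or Tenant ID against the requirements in the note above and builds the authentication URI from step 1 in the format shown there. The GUID-shape check and the bracketing of IPv6 addresses go beyond what this tutorial states and are assumptions; the function names and sample values are constructed.

```python
import ipaddress
import re

# Rule from the tutorial: only letters, digits and hyphens, exactly 36 characters.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9-]*")
# Assumption added here: Entra IDs are GUIDs in 8-4-4-4-12 hexadecimal form.
GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def check_id(value):
    """Return a list of problems with a Client ID or Tenant ID (empty = OK)."""
    problems = []
    stripped = value.strip()
    if stripped != value:
        # Typical copy/paste damage; the remaining checks use the stripped value.
        problems.append("leading or trailing whitespace")
    if len(stripped) != 36:
        problems.append(f"length is {len(stripped)}, expected 36")
    if not ALLOWED_CHARS.fullmatch(stripped):
        problems.append("contains characters other than letters, digits and hyphens")
    if not problems and not GUID.fullmatch(stripped):
        problems.append("meets the NAS rule but is not in GUID form (8-4-4-4-12 hex)")
    return problems


def redirect_uri(nas_ip):
    """Build the authentication URI in the tutorial's format for a NAS IP address."""
    addr = ipaddress.ip_address(nas_ip)  # raises ValueError if not an IP address
    # Assumption: an IPv6 literal needs brackets to be a valid URI host.
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"https://{host}:443/cgi-bin/loginTheme/sso/azure/main.html"


if __name__ == "__main__":
    # Constructed sample values, not real tenant or application IDs.
    samples = {
        "client_id": "11111111-2222-3333-4444-555555555555",
        "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee\n",  # truncated, with newline
    }
    for name, value in samples.items():
        print(name, check_id(value) or "OK")
    print(redirect_uri("192.0.2.10"))  # documentation-range address
```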
3. Sign in to your QNAP NAS using Microsoft Entra ID credentials
- Enter the NAS access URL in your browser.
- On the NAS login page, click Microsoft Entra ID SSO.
The Microsoft Pick an account window appears.
- Select your Microsoft Entra ID account to log in to the NAS.