Skip to main content

Authentication

The Authentication tab in Organization Settings provides security configuration options for your DataStream organization. Administrators can configure Single Sign-On (SSO) integration with Entra ID and manage Multi-Factor Authentication (MFA) requirements for all users.

To access authentication settings:

  1. Click the hamburger menu on the top left
  2. Select Organization > Settings
  3. Click the Authentication tab

Single Sign-On

The Single Sign-On section allows administrators to integrate DataStream with Entra ID authentication systems, enabling users to access DataStream using their existing organizational credentials.

SSO Configuration

VirtualMetric DataStream single sign-on integration allows users with existing Entra ID accounts to access DataStream without creating separate credentials. Users authenticate through their organization's Entra ID system and gain access to DataStream based on their assigned roles and permissions.

Enable Single Sign-On

  1. Navigate to Organization > Settings and open the Authentication tab.
  2. In the Single Sign-On section, click Set up Single Sign-On.
  3. In the modal, the SSO provider is preset to Microsoft Entra ID (read-only). Complete the form:
FieldDescription
Redirect URIThe VirtualMetric callback URL, shown read-only with a copy control — register it in your Microsoft Entra application
Client IDMicrosoft Entra application (client) ID
Tenant IDMicrosoft Entra directory (tenant) ID
Client SecretMicrosoft Entra application client secret
  1. Save the configuration. On success, users can sign in with their Microsoft Entra accounts.

Manage SSO Configuration

Once SSO is enabled, the section shows the connection state. Click Manage SSO configuration to enter edit mode, where the Client ID, Tenant ID, and Client Secret fields become editable. Apply with Save changes or discard with Cancel.

Entra ID Application Setup

Prerequisites: Entra ID administrator access required.

  1. Register Application

    • Navigate to Azure Portal > Entra ID > App registrations
    • Create new registration with appropriate redirect URI
    • Note the Application (client) ID and Directory (tenant) ID
  2. Configure Authentication

    • Add platform configuration for web application
    • Set redirect URI to your VirtualMetric tenant URL
    • Enable ID tokens and access tokens
  3. Create Client Secret

    • Navigate to Certificates & secrets
    • Create new client secret
    • Copy the secret value immediately

User Access Management

When SSO is enabled, users with Entra ID accounts can access DataStream directly without requiring separate VirtualMetric user accounts. Entra ID handles both authentication and provides user identity information to DataStream for access control.

When SSO is disabled, users must have dedicated VirtualMetric DataStream user accounts with username/password authentication to access the system.

Remove Single Sign-On

  1. Navigate to Organization > Settings and open the Authentication tab.
  2. Click Manage SSO configuration.
  3. Click Remove Single Sign-On and confirm.
  4. Users revert to VirtualMetric username/password authentication.

Multi-Factor Authentication (MFA)

The Multi-Factor Authentication section allows administrators to configure MFA requirements for all users in the organization. MFA adds an extra layer of security by requiring users to verify their identity using a second factor beyond their password.

MFA Methods

DataStream supports two MFA methods:

MethodDescription
EmailUsers authenticate with a security passcode sent by email. The UI notes this factor offers a low level of security.
TOTPUsers authenticate with a time-based one-time passcode from an authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy). The UI notes this factor offers a medium level of security.

Configure Organization MFA Settings

Administrators with the MFA_EDIT permission can configure which MFA methods are available to users and whether MFA is enforced organization-wide.

  1. Navigate to Organization > Settings > Authentication
  2. In the Multi-Factor Authentication (MFA) section, click Manage MFA configuration
  3. Under Authentication Methods, select the allowed MFA methods:
    • Email - Enable email-based passcodes
    • TOTP - Enable time-based one-time passcodes from an authenticator app
  4. Under Enforce Multi-Factor Authentication, configure enforcement:
    • Enable the Enforce MFA toggle to require all users to set up MFA
    • When enforcement is enabled, users must configure MFA on their next login
  5. Click Save changes
warning

Removing an MFA method that users have already configured will require those users to set up a new method on their next login.

note

At least one MFA method must be selected. You cannot save the configuration with no methods enabled.

MFA Enforcement

When MFA enforcement is enabled:

  • Users who have not configured MFA will be prompted to set it up on their next login
  • Users must complete MFA setup before accessing DataStream
  • The setup wizard guides users through method selection, verification, and backup code generation

When MFA enforcement is disabled:

  • MFA setup becomes optional for users
  • Users can enable or disable MFA from their Account Settings
  • Existing MFA configurations remain active
important

Disabling MFA enforcement does not disable MFA for users who have already configured it. Users retain their existing MFA settings and can manage them through Account Settings.

User MFA Setup

The following flows take place in the user's own sign-in and Account Settings surfaces, not in the Organization > Settings tab.

When MFA is enforced or when users choose to enable MFA, the setup process includes:

  1. Method Selection - Choose between Email or TOTP (based on organization-allowed methods)
  2. Verification - Complete initial verification:
    • For Email: Click Send to receive a code, then enter the code
    • For TOTP: Scan the QR code with your authenticator app, then enter the code
  3. Backup Codes - Save the generated backup codes for account recovery

Backup Codes

After MFA setup, users receive a set of backup codes. These single-use codes allow account access if the primary MFA method is unavailable.

  • Backup codes are displayed once during setup and can be copied or downloaded as a text file
  • Each code can only be used once
  • Users can reset their backup codes from Account Settings, which invalidates all previous codes
warning

Using a backup code triggers a mandatory MFA re-setup. Users must configure a new MFA method immediately after using a backup code to sign in.

MFA Challenge at Login

When a user with MFA enabled signs in, they are prompted to verify their identity:

  • Email method: Enter the code sent to the registered email
  • TOTP method: Enter the current code from the authenticator app
  • Fallback options: If the primary method is unavailable, users can request an email code or use a backup code

User MFA Management

Individual users can manage their MFA settings from Account Settings > Authentication:

  • Enable/Disable MFA - Turn MFA on or off for their account (when not enforced)
  • Change Method - Switch between Email and TOTP
  • Reset Backup Codes - Generate new backup codes (invalidates previous codes)