Authentication
The Authentication tab in Organization Settings provides security configuration options for your DataStream organization. Administrators can configure Single Sign-On (SSO) integration with Entra ID and manage Multi-Factor Authentication (MFA) requirements for all users.
To access authentication settings:
- Click the hamburger menu on the top left
- Select Organization > Settings
- Click the
Authentication tab
Single Sign-On
The Single Sign-On section allows administrators to integrate DataStream with Entra ID authentication systems, enabling users to access DataStream using their existing organizational credentials.
SSO Configuration
VirtualMetric DataStream single sign-on integration allows users with existing Entra ID accounts to access DataStream without creating separate credentials. Users authenticate through their organization's Entra ID system and gain access to DataStream based on their assigned roles and permissions.
Enable Single Sign-On
- Navigate to Organization > Settings and open the
Authentication tab. - In the Single Sign-On section, click
Set up Single Sign-On . - In the modal, the SSO provider is preset to Microsoft Entra ID (read-only). Complete the form:
| Field | Description |
|---|---|
| Redirect URI | The VirtualMetric callback URL, shown read-only with a copy control — register it in your Microsoft Entra application |
| Client ID | Microsoft Entra application (client) ID |
| Tenant ID | Microsoft Entra directory (tenant) ID |
| Client Secret | Microsoft Entra application client secret |
- Save the configuration. On success, users can sign in with their Microsoft Entra accounts.
Manage SSO Configuration
Once SSO is enabled, the section shows the connection state. Click
Entra ID Application Setup
Prerequisites: Entra ID administrator access required.
-
Register Application
- Navigate to Azure Portal > Entra ID > App registrations
- Create new registration with appropriate redirect URI
- Note the Application (client) ID and Directory (tenant) ID
-
Configure Authentication
- Add platform configuration for web application
- Set redirect URI to your VirtualMetric tenant URL
- Enable ID tokens and access tokens
-
Create Client Secret
- Navigate to Certificates & secrets
- Create new client secret
- Copy the secret value immediately
User Access Management
When SSO is enabled, users with Entra ID accounts can access DataStream directly without requiring separate VirtualMetric user accounts. Entra ID handles both authentication and provides user identity information to DataStream for access control.
When SSO is disabled, users must have dedicated VirtualMetric DataStream user accounts with username/password authentication to access the system.
Remove Single Sign-On
- Navigate to Organization > Settings and open the
Authentication tab. - Click
Manage SSO configuration . - Click
Remove Single Sign-On and confirm. - Users revert to VirtualMetric username/password authentication.
Multi-Factor Authentication (MFA)
The Multi-Factor Authentication section allows administrators to configure MFA requirements for all users in the organization. MFA adds an extra layer of security by requiring users to verify their identity using a second factor beyond their password.
MFA Methods
DataStream supports two MFA methods:
| Method | Description |
|---|---|
| Users authenticate with a security passcode sent by email. The UI notes this factor offers a low level of security. | |
| TOTP | Users authenticate with a time-based one-time passcode from an authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy). The UI notes this factor offers a medium level of security. |
Configure Organization MFA Settings
Administrators with the MFA_EDIT permission can configure which MFA methods are available to users and whether MFA is enforced organization-wide.
- Navigate to Organization > Settings >
Authentication - In the Multi-Factor Authentication (MFA) section, click
Manage MFA configuration - Under Authentication Methods, select the allowed MFA methods:
- Email - Enable email-based passcodes
- TOTP - Enable time-based one-time passcodes from an authenticator app
- Under Enforce Multi-Factor Authentication, configure enforcement:
- Enable the
Enforce MFA toggle to require all users to set up MFA - When enforcement is enabled, users must configure MFA on their next login
- Enable the
- Click
Save changes
Removing an MFA method that users have already configured will require those users to set up a new method on their next login.
At least one MFA method must be selected. You cannot save the configuration with no methods enabled.
MFA Enforcement
When MFA enforcement is enabled:
- Users who have not configured MFA will be prompted to set it up on their next login
- Users must complete MFA setup before accessing DataStream
- The setup wizard guides users through method selection, verification, and backup code generation
When MFA enforcement is disabled:
- MFA setup becomes optional for users
- Users can enable or disable MFA from their Account Settings
- Existing MFA configurations remain active
Disabling MFA enforcement does not disable MFA for users who have already configured it. Users retain their existing MFA settings and can manage them through Account Settings.
User MFA Setup
The following flows take place in the user's own sign-in and Account Settings surfaces, not in the Organization > Settings tab.
When MFA is enforced or when users choose to enable MFA, the setup process includes:
- Method Selection - Choose between Email or TOTP (based on organization-allowed methods)
- Verification - Complete initial verification:
- For Email: Click
Send to receive a code, then enter the code - For TOTP: Scan the QR code with your authenticator app, then enter the code
- For Email: Click
- Backup Codes - Save the generated backup codes for account recovery
Backup Codes
After MFA setup, users receive a set of backup codes. These single-use codes allow account access if the primary MFA method is unavailable.
- Backup codes are displayed once during setup and can be copied or downloaded as a text file
- Each code can only be used once
- Users can reset their backup codes from Account Settings, which invalidates all previous codes
Using a backup code triggers a mandatory MFA re-setup. Users must configure a new MFA method immediately after using a backup code to sign in.
MFA Challenge at Login
When a user with MFA enabled signs in, they are prompted to verify their identity:
- Email method: Enter the code sent to the registered email
- TOTP method: Enter the current code from the authenticator app
- Fallback options: If the primary method is unavailable, users can request an email code or use a backup code
User MFA Management
Individual users can manage their MFA settings from Account Settings > Authentication:
- Enable/Disable MFA - Turn MFA on or off for their account (when not enforced)
- Change Method - Switch between Email and TOTP
- Reset Backup Codes - Generate new backup codes (invalidates previous codes)