MainBranch

Authentication & Security

SSO with Google Workspace and Microsoft Entra ID, plus two-factor enforcement.

The Authentication page is where admins configure how members sign in.

Two-factor authentication

Enforcing 2FA

Toggle Require 2FA for all members to enforce two-factor authentication across the workspace. Once on:

  • Members without 2FA are blocked from the workspace until they set it up.
  • Disabling 2FA is greyed out on their personal profile until they're un-enforced.

Enforcement status

Below the toggle, MainBranch shows X of Y members have 2FA enabled. Use this to gauge progress while rolling out enforcement.

For the user side of 2FA, see Account → Two-Factor Authentication.

Single Sign-On (SSO)

Google Workspace SSO

To set up:

  1. Click Configure on the Google Workspace card.
  2. Create an OAuth client in Google Cloud Console.
  3. Copy the redirect URI shown in the form and add it to your OAuth client's authorized redirect URIs.
  4. Enter your workspace domain — must match your company email domain (e.g. acme.com).
  5. Paste in the OAuth client ID and client secret.
  6. Save. The card shows Connected with the date and the admin who configured it.

To update credentials later, click the Connected pill and choose Update Google SSO. The domain can't be changed once set — only the credentials.

Detailed setup steps in Google Cloud Console: Security → SSO with Google Workspace.

Microsoft Entra ID SSO

To set up:

  1. Click Configure on the Microsoft card.
  2. Create an App Registration in the Azure portal.
  3. Copy the redirect URI shown in the form and add it under Authentication → Web Redirect URIs.
  4. Enter your workspace domain — must match your company email domain.
  5. Paste in the Directory (Tenant) ID, Application (Client) ID, and Client Secret.
  6. Save. The card shows Connected with the date and the admin who configured it.

To update credentials later, click the Connected pill and choose Update Microsoft SSO. The domain can't be changed once set — only the credentials.

Detailed setup steps in Azure: Security → SSO with Microsoft Entra ID.

After SSO is configured

Members signing in from your domain will be sent through your identity provider. You can still allow non-SSO sign-in methods, or restrict to SSO-only depending on your security needs.

Audit

Every SSO configuration change and every 2FA enforcement change is recorded in the audit log.

Members

Invite users, manage roles, and track who's joined.

Apps

Enable the data sources MainBranch can connect to for your workspace.

On this page

Two-factor authenticationEnforcing 2FAEnforcement statusSingle Sign-On (SSO)Google Workspace SSOMicrosoft Entra ID SSOAfter SSO is configuredAudit