Enterprise Features

Streamwell offers an Enterprise License option that enables Single Sign-On for advanced and higher-scale user management. Our first supported identity provider is Microsoft Azure AD (Soon to become Entra ID), and we plan to add support for other providers soon.
If you are interested in support for a particular provider, let us know!

Configuring Azure/Entra AD for Streamwell

Before you begin, make sure you have activated an Enterprise License and HTTPS on your server.
Log in to Microsoft Azure and create an App Registration in your directory. Streamwell only uses the 'User.Read' permission so no consents or special scopes are required. This also means Streamwell can be used entirely within the free tier of Microsoft Azure!
In most cases you'll want to use the default Single Tenant setting but you may choose another setting if appropriate for your organization.
Be sure to set your Web Redirect URI to your HTTPS-secured domain name followed by "/api/auth.php". For example, "".
Once the application has been created, take note of the Client ID and Tenant ID from the overview screen.
Under Certificates & Secrets, create a new Client Secret and take note of the value.
Finally, either create or designate groups for the three possible roles: Admins, Creators and Clients. Take note of the applicable group IDs (you can map multiple groups to a role). When users log into Streamwell, which group they are in determines which role they will get.

Enabling SSO in Streamwell

Under Administration -> Server -> Features, an 'Enable Single Sign-On' option will appear if you have an Enterprise License. With this option enabled, paste in the appropriate IDs and secret from the previous steps, then hit 'Confirm'. If you want to map multiple groups to a role, separate the IDs with a comma e.g. "myid-1,myid-2,my-id-3".
On the log-in screen, a fresh new "Sign in with Microsoft" button will appear. You can now go through your regular SSO workflow and sign into Streamwell! 🎉

Custom User IDs

Enterprise Licenses let you customize the user ID either when creating or editing a user. This means you can map existing Streamwell users to SSO users just by updating their ID - or you can pre-provision accounts and permissions in Streamwell so the new users can just log in and go.

SSO User Sync / Cleanup

Click this button and Streamwell will automatically check all local SSO users against Azure to make sure they still exist. Any users which don't exist on Azure will be removed from the local database.

Additional Notes

  • Users with no matching AD group will automatically take a client role. If no channels have the "Allow all Clients" option enabled, the new user will have no channels available until access is granted by an admin.
  • Users in multiple AD groups will take the highest permission level available to them.
  • If a user is removed from a creator or admin group on Azure, they will be demoted to being client on the next login.
  • Groups in Streamwell do not relate to groups on Azure. They are simply a means of grouping users together to allow/disallow access to channels en masse.
  • Don't forget to update your client secret before it expires!