Login - Enable Microsoft Entra ID Single Sign On
Ability to use Azure Active Directory for MFA.
Purpose: It lets Microsoft users log into Xero easily.
Hi everyone, we appreciate all the feedback and votes on this idea. We know using Microsoft Entra ID SSO is now common practice for some businesses and being able to access Xero via a native integration with Entra ID would streamline how your teams log in and get set up in Xero, as well as help in managing access for larger teams and keeping things secure.
Our product team have been working with a small limited group of Partners to develop SSO capabilities. Though we can't give any definite timelines yet, we’ll keep this thread updated with news. Thanks
-
MyTaxDoc Accountants
commented
Hi Kelly,
I am writing to formally raise and consolidate my concerns regarding Xero’s current position on Microsoft Entra ID (formerly Azure AD) Single Sign-On, and to seek clarity on both delivery timelines and next steps.
The request for native Entra ID SSO has now attracted 614 votes. Based on industry norms, the average Xero firm has around 10 employees, meaning this issue is conservatively affecting over 6,000 individual users. These are real people accessing highly sensitive financial data without the benefit of centralised identity management, conditional access policies, or proper lifecycle control.
From a security, governance, and risk-management perspective, that scale is material.
Without native Entra ID SSO, firms are forced to rely on fragmented login controls and manual processes, increasing exposure to:
Orphaned access when staff leave
Inability to enforce conditional access or MFA policies consistently
Greater susceptibility to credential compromise
This is a preventable risk, and one that is increasingly difficult to justify in a platform positioned as market-leading and enterprise-ready. Frankly, it is embarrassing that a company of Xero’s standing still lacks a baseline identity feature that is now standard practice across professional services and regulated industries.
It is also important to note that this thread has been ongoing for over four years. An update was shared last year indicating that your product team was working with a small group of partners, however there has been no substantive follow-up since. There is still no clarity on scope, progress, or even an indicative timeframe. From the outside, this gives the impression that the issue has stalled, despite continued demand and engagement.
The retention impact is already being felt. I am personally aware of firms that have moved away from Xero specifically due to the absence of proper SSO and identity controls. This is not hypothetical dissatisfaction; it is translating into real churn. If this remains unresolved, I would realistically expect to be among those reconsidering platform alignment. That would be a commercial decision driven by security requirements, not sentiment.
Within the next six months, our firm is on track to reach Platinum Partner status. As a rapidly scaling firm deeply invested in the Xero ecosystem, it is disappointing that the very firms Xero wishes to retain long term are currently the most constrained by this limitation.
To move this forward constructively, I would genuinely welcome direct engagement. I would be happy to either host you and your team at our offices, or to come down to yours with our Head of IT, so we can walk through the real-world security, onboarding, and access-control challenges this creates and help drive this towards a practical resolution. A short, focused discussion between product, security, and real users could achieve far more than years of forum updates.
I would appreciate clarity on the following:
Confirmation that Entra ID SSO will be delivered as a native integration, not a workaround
Whether there is any indicative delivery window (even at a high level, such as quarters)
Whether firms outside the current limited partner group can participate in testing or discovery
Xero sits at the centre of firms’ financial ecosystems. Identity and access management should reflect that level of responsibility and maturity. We want to continue building with Xero long term, but that commitment must align with modern security standards.
I look forward to your response.
-
Patrick Collins
commented
This is ridiculous. I'm going to switch to QuickBooks because of this missing feature.
-
Chris Greener
commented
Anyone seeking cyber certification such as ISO 27001 or even insurance is increasingly going to need to justify why there isn’t another solution to use.
Simply why given the simplicity of implementation.
-
George Siemens
commented
SSO is a minimum requirement for most enterprise organisations for any SaaS application.
Xero, I find it unforgiving to not have this feature enabled in a modern SaaS application. By the time of voting for this enhancement, there are 611 votes; if each one of these represents a company with 10 users, we're already enhancing the authentication of over 6100 users. Is that not reason enough to develop this feature?
The exemption for using Xero in my enterprise expires soon. If it's not renewed or re-approved, then we'll look at a different provider.
-
Bryce Ritson
commented
Our company's policy requires a formal exemption from our overseas parent for any third-party software that does not support external SSO. It is challenging to continue using Xero without this feature. This needs to be a development priority for Xero.
-
Danny Grasso
commented
Key requirements for this functionality are more than the convenience of SSO. When identity is Entra ID integrated we have the ability to gather detailed logging of application access that allows for suspicious activities such as atypical travel, impossible travel, credential compromise. We also have the ability to use identity-based access controls to define additional levels of application access such as geo-blocking, how often MFA is required and what type of devices (e.g. corporate managed) are allowed to access the app.
Incredibly important to securing application access to an app that contains sensitive corporate data.
-
Geoffrey Sherrill
commented
I hope you guys are doing SAML or OIDC SSO; that way I can use a provider other than Entra ID. Google Workspace SSO with SCIM would be really big for us.
-
Robert Doick
commented
Can't believe this critical security feature is not available in 2025!! Come on Xero sort it out. If you don't you will lose customers, including me.
-
Scott Maddock
commented
I can't wait for this to happen as we are moving all entries to SSO via Entra. Please keep me informed when this goes live.
-
Richard Clegg
commented
They comply with ISO 27001 (and SOC 2 I've just noticed) so I'm comfortable with the back end protections.
SSO is a nice to have, especially for smaller businesses (which I believe is Xero's target market), so while it's taken a while to get here I'm happy that it's finally coming ... but it was never a deal breaker for us.
-
Ian Lazzari
commented
Too little, FAR too late. We have moved away from Xero.
I it’s on one of the original threads about 4 years ago.
Xero was the last of our critical applications to even consider Entra integration. It made us think, with this attitude towards a core security function, what is happening with our data in the background, eg encryption, key management, access controls, secure coding etc.
We had no other choice but to move to an alternative vendor.
-
Louis Matti
commented
Finally.... hope it's not too far away from release. Long overdue.
-
Daniel Gara
commented
You'd think this would be a no-brainer...
-
Pumynt Chooboonraj
commented
+1 for supporting SAML or OIDC. Limiting it to Entra is not useful.
-
Andrew Anderson
commented
Yes, I concur with everyone else who is requesting a standards-based implementation that will work with any identity provider. Please do not lock the implementation into a single identity platform.
And I agree that it would be a solid addition to Xero to improve the RBAC granularity available so that the accounting functions can be partitioned beyond just the four user roles that are available currently. This is why I had suggested that Xero look at what Stripe did in its SAML implementation to drive permissions based off the SAML Attributes from the IdP.
-
Andy T
commented
Please don't limit this to Entra. Use something standards based, eg. SAML, OIDC. They will still work with Entra.
I appreciate you only just caught up with mandating MFA, but lack of proper controls is irresponsible.
-
Reinart Stander
commented
Hi Kelly,
This isn’t about convenience. It’s about identity security.
Xero does not expose sign-in logs (successful/failed), source IPs/locations, or provide native controls like geo-blocking or Conditional Access. Without those, we have no verifiable authentication telemetry and no policy enforcement at the identity edge.
Bottom line: the current setup lacks a critical security layer. To meet baseline controls, Xero access must be fronted by an IdP (SSO + MFA) with Conditional Access and logging routed to a SIEM. Until that’s in place, you cannot claim adequate identity assurance.
-
IT @SaatchiGallery
commented
Yeah.... in development! ...by 2030 you'll get it, boys and girls .. by then, maybe we'll even have different authentication methods and SSO will be obsolete!
Thank you for the update - only for this, it took what 4-5 years? Mental!
-
Jared Poole
commented
Very happy to hear SSO is in the works!
-
Brenton Johnson
commented
OIDC Entra specifically would be much better! I'll take anything at this point - it's 2025!