# Admin | User Accounts

User accounts in Kahu are required for anyone to use the User App or the Workplace App; the same account is used across both should a user have access to both. Most accounts are associated with a Microsoft or Google account.

# Single Sign-On Accounts

If "Sign in with Microsoft" or "Sign in with Google" is used, then a Kahu user account is created when a new user first logs in. These accounts cannot be created manually.

# First Login

When the user first logs in, their account will be associated with the correct instance based on the email address domain. For example all users who sign in with an @example.com email address will be associated with the Example Ltd. instance. The user will also be given the "User" role by default, allowing them access to the User App and their own data only. If a user requires more access, for example to the Workplace App for management, first find them in the Users list, then edit their roles.

# User Linking

If a person exists in the company directory with a matching email, then the user account will be linked to that user automatically. To manually link a user to a person, see User Linking.

# Single Sign-On Setup

# Microsoft SSO

For Microsoft SSO to work, the Kahu SSO Azure App must be approved for use by an administrator. The Kahu SSO app only requests User Profile, which is the most basic permission for an app. It is only used for authenticating Users, other integrations (such as Room Booking) are handled separately.

To grant admin consent for SSO, visit this page and sign-in with an admin Microsoft account for your organisation: Admin Consent for Kahu SSO