> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Human access should use federated SSO

> Checks that human users access Nebius through a federated identity provider (e.g. Microsoft Entra ID).

Checks that human users access Nebius through a federated identity provider (e.g. Microsoft Entra ID).

## About

When you connect Nebius to DSALTA, the platform verifies that a federation is configured and that human users authenticate through it rather than with local credentials. DSALTA evaluates this control on every sync.

## Why This Matters

Federated SSO centralizes MFA, lifecycle, and offboarding for human access — when people sign in through your identity provider, a single deprovisioning action removes their access everywhere. Federated authentication and MFA for remote access are expected by frameworks including SOC 2, ISO 27001:2022, NIST CSF, and CIS.

## How to Fix

**Before you begin**

* Ensure you have **tenant admin** rights in the Nebius Console.
* Have your identity provider (for example, Microsoft Entra ID) details ready.

**Configure federation**

1. In the **Nebius Console**, go to **IAM → Federations**.
2. Connect your identity provider, such as **Microsoft Entra ID** or another SAML provider.
3. Migrate human users to authenticate through the federation instead of local credentials.

Once human users authenticate via a configured federation, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the Nebius integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="What happens if it keeps failing?">
    A failing check appears in your **Data Library → Tests** dashboard. Work through the steps above; once the underlying configuration is fixed, the status updates automatically on the next sync.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my Nebius configuration?">
    No. DSALTA uses **read-only IAM access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Nebius.
  </Accordion>
</AccordionGroup>
