Skip to main content

Microsoft

Microsoft

This will enable you to log in using any Azure AD directory - Multi-tenant and personal Microsoft accounts (for example Skype, Xbox) depending on the settings made when creating the application in Azure AD.

Creating an Application in Azure AD

To set up "Sign in with Microsoft" you must first register an application with the Microsoft identity platform.

Select "Web" as the "Redirect URI" type, and set the URI to:

http(s)://<domain-of-ory-kratos>:<public-port>//self-service/methods/oidc/callback/<provider-id>

After the "App Registration" is created, make note of the Application ID and Directory ID on top of the Overview page. To create the client secret, navigate to "Certificates & secrets" and click "+ New client secret". Remember to copy the secret value as it will only be shown once.

Configuring Kratos

Create a Jsonnet claims mapper as described in

Save the code in <kratos-directory>/contrib/quickstart/kratos/email-password/oidc.microsoft.jsonnet.

contrib/quickstart/kratos/email-password/oidc.microsoft.jsonnet
local claims = std.extVar('claims');
{
identity: {
traits: {
// Allowing unverified email addresses enables account
// enumeration attacks, if the value is used for
// verification or as a password login identifier.
//
// If connecting only to your organization (one tenant), claims.email is safe to use if you haven't actively disabled e-mail verification during Sign-Up.
//
// The email might be empty if the account isn't linked to an email address.
// For a human readable identifier, consider using the "preferred_username" claim.
[if "email" in claims then "email" else null]: claims.email,
},
},
}

Enable the Microsoft provider in the Ory Kratos config located at <kratos-directory>/contrib/quickstart/kratos/email-password/kratos.yml.

contrib/quickstart/kratos/email-password/kratos.yml
selfservice:
methods:
oidc:
enabled: true
config:
providers:
- id: microsoft # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
provider: microsoft
client_id: .... # Replace this with the Application ID from the App Registration
client_secret: .... # Replace this with the generated Secret value from the App Registration
microsoft_tenant: .... # Replace this with the Tenant of your choice (see below)
subject_source: userinfo # or alternatively: me
mapper_url: file:///etc/config/kratos/oidc.microsoft.jsonnet
scope:
- profile
- email

Azure AD is now an option to log in to Ory Kratos.

tip

When running a self-hosted instance, you can pass the social sign-in provider configuration in the SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS environment variable. For example:

SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS='[{"id":"google","provider":"google","mapper_url":"<file_location>","client_id":"<client_id>","client_secret":"<client_secret>","scope":["openid","email","profile"],"auth_url":"https://accounts.google.com/o/oauth2/v2/auth","token_url":"https://www.googleapis.com/oauth2/v4/token","issuer_url":"https://accounts.google.com"}]'
Choosing Tenant

There are two ways to use the microsoft provider for authentication:

  1. For authenticating users in a single Azure AD Directory (organization), set the tenant value to either the Directory ID from the "App Registration" page, or the organization domain. Examples:8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or example.onmicrosoft.com.
  2. For authenticating any user in the Microsoft identity platform, set the tenant value to either:
  • organizations to allow users with work or school accounts, or
  • consumers to allow users with personal accounts, or
  • common to allow both kind of accounts.
Choosing source of subject identifier

By default, the microsoft provider will rely on identifier taken from the sub field of OIDC ID token. The same identifier is also returned by standard OIDC /userinfo endpoint.

But there are systems out there that use id field returned by https://graph.microsoft.com/v1.0/me endpoint as a subject identifier. To make migrating such systems to Kratos easier the microsoft provider allows using me endpoint's id as an identifier. Set the provider config subject_source field to me to activate this feature.

Prevent Having to Login after Sign-Up

When adding social sign-in providers manually, remember to add the session hook to after/oidc/hooks. If you don't add this hook, users will have to login again after signing up to get a session.

selfservice:
flows:
registration:
after:
oidc:
hooks:
- hook: session