Microsoft Entra ID
💡 Microsoft has renamed Azure AD to Microsoft Entra ID; more information about the new name can be found here.
Resources
Setup
Callback URL
https://example.com/api/auth/callback/microsoft-entra-id
Configuration
/auth.ts

```ts
import NextAuth from "next-auth"
import Entra from "next-auth/providers/microsoft-entra-id"

// Exported so route handlers and server code can use the helpers;
// the NextAuth return value uses camelCase signIn / signOut.
export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    Entra({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
      // Optional: pin sign-ins to your own directory. When omitted the
      // provider uses the "common" (multi-tenant) authorization endpoint.
      tenantId: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
    }),
  ],
})
```
Notes
- Allow only specific Active Directory users
  - In https://entra.microsoft.com/ select Identity from the left bar menu.
  - Next, go to “App Registration” in the left menu and create a new one.
  - Pay close attention to “Who can use this application or access this API?”
    - This allows you to scope access to specific types of user accounts:
    - Only your tenant, all Microsoft tenants, or all Microsoft tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.)
  - When asked for a redirection URL, use https://yourapplication.com/api/auth/callback/microsoft-entra-id or, for development, http://localhost:3000/api/auth/callback/microsoft-entra-id.
  - After your App Registration is created, under “Client Credential” create your client secret.
  - Now copy your:
    - Application (client) ID
    - Directory (tenant) ID
    - Client secret (value)
  - In .env.local create the following entries:

```env
AUTH_MICROSOFT_ENTRA_ID_ID=<copy Application (client) ID here>
AUTH_MICROSOFT_ENTRA_ID_SECRET=<copy generated client secret value here>
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=<copy the tenant id here>
```

  - If the tenant ID is left unset, the provider defaults to the common (multi-tenant) authorization endpoint. For more details see here.
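The notes above scope access to your own tenant through the app registration and the tenant ID. As a second line of defence, an added example (not code from the Auth.js docs) of a `signIn` callback that rejects any Entra ID login whose ID token does not carry an allowed `tid` (tenant) claim, so an app accidentally left on the `common` endpoint still cannot be used by accounts from other tenants. It assumes the standard Entra ID claims `tid` and `oid`; the tenant GUID is a constructed placeholder.

```typescript
// Placeholder: replace with your Directory (tenant) ID from the app registration.
export const ALLOWED_TENANTS: ReadonlySet<string> = new Set([
  "11111111-2222-3333-4444-555555555555",
]);

// Subset of the ID-token claims Entra ID exposes as `profile` in the callback.
export interface EntraProfile {
  tid?: string; // tenant the user authenticated against
  oid?: string; // user's object id inside that tenant
  preferred_username?: string;
}

// Minimal shape of the arguments NextAuth passes to `callbacks.signIn`.
export interface SignInParams {
  account: { provider: string } | null;
  profile?: EntraProfile;
}

// Returns true to allow the sign-in and false to deny it, matching the
// boolean contract of NextAuth's `signIn` callback.
export function entraSignInGuard({ account, profile }: SignInParams): boolean {
  // Only police this provider; other providers keep their own rules.
  if (account?.provider !== "microsoft-entra-id") return true;
  // No verified profile means no ID token to inspect: deny, never assume.
  if (!profile) return false;
  // A missing or unknown tenant claim is a deny, not a wildcard.
  return typeof profile.tid === "string" && ALLOWED_TENANTS.has(profile.tid);
}

// Wiring into the configuration shown on this page:
// NextAuth({ providers: [Entra({ ... })], callbacks: { signIn: entraSignInGuard } })
```

The `tid` claim is part of the signed ID token that the provider has already validated, so the check cannot be bypassed by editing the profile endpoint response.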
- Microsoft Entra returns the profile picture as an ArrayBuffer rather than a URL to the image, so our provider converts it to a base64-encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to keep the payload small in case the session is stored as a JWT.