providers/microsoft-entra-id

Built-in Microsoft Entra ID integration.

MicrosoftEntraIDProfile

Extends

• Record<string, any>

Properties

email

email: string;

nickname

nickname: string;

picture

picture: string;

sub

sub: string;

default()

default(config): OIDCConfig<MicrosoftEntraIDProfile>

Add Microsoft Entra ID login to your page.

Setup

Callback URL

https://example.com/auth/callback/microsoft-entra-id

Configuration

Parameters

Returns

OIDCConfig<MicrosoftEntraIDProfile>

Example

import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
...
providers: [
  MicrosoftEntraID({
    clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
    clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
  }),
]
...

Resources

• Microsoft Entra OAuth documentation
• Microsoft Entra OAuth apps

To allow specific Active Directory users access:

By default, the Entra ID provider lets the users to log in with any Microsoft account (either Personal, School or Work).

To only allow your organization’s users to log in, you’ll need to set the issuer, in addition to the client id and secret.

Example

import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
 
providers: [
  MicrosoftEntraID({
    clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
    clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
    issuer: env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
  }),
]

Notes

Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to avoid running out of space in case the session is saved as a JWT.

By default, Auth.js assumes that the Microsoft Entra ID provider is based on the Open ID Connect specification.