Configure a Microsoft identity provider

The Microsoft identity provider is an OpenID Connect provider with simplified settings, which offers the same features, such as single sign-on and mappers.

Configuration

To configure Microsoft authentication, follow the steps to configure an identity provider, using the properties listed in the table below for reference.

General

| Property | Definition |
| --- | --- |
| Redirect URI | URI indicating where the identity provider should redirect after authentication. |
| Client ID | Identifier for the client registered with the identity provider. |
| Client secret | Secret key registered with the identity provider. |
| Display order | Number defining the providers' order of appearance on the login page. The lowest number is listed first. |
| Tenant ID | If specified, uses single-tenant authentication endpoints. Otherwise, uses the "common" multi-tenant endpoints. |

Advanced

| Property | Definition |
| --- | --- |
| Scopes | Scopes requested for authorization. Supports a space-separated list of scopes. Defaults to `openid`. |
| Sync mode | Strategy for updating user information from the identity provider through mappers. Possible values are: Force, which updates user data when possible; Import, which imports user data without updating it afterwards. |
| Verify essential claim | If enabled, ID tokens issued by the identity provider must contain a specific claim for the user to authenticate through this broker. |
| Essential claim | Only available if Verify essential claim is enabled. Name of the JWT token claim to filter on (case sensitive). |
| Essential claim value | Only available if Verify essential claim is enabled. Value of the JWT token claim to match. Supports regular expressions. |
| Store tokens | If enabled, the platform stores tokens from the identity provider. |
| Accepts prompt=none forward from client | If enabled, when a client sends a `prompt=none` request while not authenticated, the error is not returned directly to the client. Instead, the request is forwarded to the identity provider. |
| Disable user info | If enabled, the user info service for obtaining additional user information is disabled. By default, the platform uses the OpenID Connect user info service. |
| Trust email | If enabled, emails provided by this provider are not verified by the platform. |
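
The following is an added example, not the platform's own code, showing how the Tenant ID property selects single-tenant or "common" endpoints and how the Verify essential claim, Essential claim and Essential claim value properties filter a decoded ID token. The Microsoft login host, whole-value regular-expression matching, the claim check running after signature verification, and the sample token are all assumptions of this example.

```python
import base64
import json
import re
from typing import Optional

# Assumption: the Microsoft login host used for OpenID Connect discovery.
MS_LOGIN = "https://login.microsoftonline.com"


def discovery_url(tenant_id: Optional[str]) -> str:
    """Tenant ID set -> single-tenant endpoints; empty -> 'common' multi-tenant endpoints."""
    tenant = tenant_id.strip() if tenant_id and tenant_id.strip() else "common"
    return f"{MS_LOGIN}/{tenant}/v2.0/.well-known/openid-configuration"


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT. Signature verification is assumed to have
    happened already in the broker; this helper only splits and base64url-decodes."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def essential_claim_ok(claims: dict, verify: bool, name: str, value_regex: str) -> bool:
    """Mirror the essential-claim filter: the claim name is case sensitive and the
    value must match the configured regular expression (assumed: whole-value match)."""
    if not verify:
        return True          # filter disabled, nothing to check
    if name not in claims:
        return False         # required claim absent -> login refused
    return re.fullmatch(value_regex, str(claims[name])) is not None


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token with a placeholder signature (demo only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.PLACEHOLDER_SIGNATURE'


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"   # constructed tenant ID
    token = make_sample_token({"tid": tenant, "preferred_username": "user@example.com"})
    claims = decode_payload(token)
    print(discovery_url(None), discovery_url(tenant))
    print(essential_claim_ok(claims, True, "tid", tenant),   # True
          essential_claim_ok(claims, True, "TID", ".*"))     # False: name is case sensitive
```

With the "common" endpoints, a filter on the `tid` claim like the one above is how the login is kept to the tenants you intend to accept.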

Mappers

Mappers are generic for all identity provider types.

For more information, see Configure mappers.