Set up an OpenID Connect provider with Microsoft Entra ID
Microsoft Entra ID is one of the OpenID Connect identity providers you can use to authenticate visitors to your Power Pages site. Along with Microsoft Entra ID, multitenant Microsoft Entra ID, and Azure AD B2C, you can use any other provider that conforms to the OpenID Connect specification.
This article describes the following steps:
- Set up Microsoft Entra in Power Pages
- Create an app registration in Azure
- Enter site settings in Power Pages
- Allow multitenant Microsoft Entra authentication
Note
Changes to your site's authentication settings might take a few minutes to be reflected on the site. To see the changes immediately, restart the site in the admin center.
Set up Microsoft Entra in Power Pages
Set Microsoft Entra as an identity provider for your site.
In your Power Pages site, select Security > Identity providers.
If no identity providers appear, make sure External login is set to On in your site's general authentication settings.
Select + New provider.
Under Select login provider, select Other.
Under Protocol, select OpenID Connect.
Enter a name for the provider; for example, Microsoft Entra ID.
The provider name is the text on the button that users see when they select their identity provider on the sign-in page.
Select Next.
Under Reply URL, select Copy.
Don't close your Power Pages browser tab. You'll return to it soon.
Create an app registration in Azure
Create an app registration in the Azure portal with your site's reply URL as the redirect URI.
Sign in to the Azure portal.
Search for and select Microsoft Entra ID (formerly Azure Active Directory).
Under Manage, select App registrations.
Select New registration.
Enter a name.
Under Supported account types, select the option that best reflects your organization's requirements. A single-tenant option limits sign-in to users of your own tenant; the multitenant options are covered later in this article.
Under Redirect URI, select Web as the platform, and then enter the reply URL of your site.
- If you're using your site's default URL, paste the reply URL you copied.
- If you're using a custom domain name, enter the custom URL. Be sure to use the same custom URL for the redirect URL in the settings for the identity provider on your site.
Select Register.
Copy the Application (client) ID.
To the right of Client credentials, select Add a certificate or secret.
Select + New client secret.
Enter an optional description, select an expiration, and then select Add. Choose the shortest expiration your rotation process can support; when the secret expires, sign-in to your site stops working until you add a new secret and update the site settings.
Under Value, select the Copy to clipboard icon. Copy the value now, because the portal shows it only once. Don't copy the Secret ID column; that's an identifier for the secret, not the secret itself, and it won't work as the client secret.
Select Endpoints at the top of the page.
Find the OpenID Connect metadata document URL and select the copy icon.
In the left side panel, under Manage, select Authentication.
Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows). The response type you'll configure on the site, code id_token, is a hybrid flow, so Microsoft Entra must be allowed to return an ID token from the authorize endpoint.
Select Save.
Enter site settings in Power Pages
Return to the Power Pages Configure identity provider page you left earlier and enter the following values. Optionally, change the additional settings as needed. Select Confirm when you're finished.
Authority: Enter the authority URL in the following format: https://login.microsoftonline.com/<Directory (tenant) ID>/, where <Directory (tenant) ID> is the directory (tenant) ID of the tenant in which you registered the application. For example, if the directory (tenant) ID in the Azure portal is 7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb, then the authority URL is https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/.
Client ID: Paste the Application (client) ID of the application you created.
Redirect URL: If your site uses a custom domain name, enter the custom URL; otherwise, leave the default value. The value must match the redirect URI of the application you created exactly, including scheme, host, path, and any trailing slash; Microsoft Entra rejects the sign-in request if it doesn't.
Metadata address: Paste the OpenID Connect metadata document URL you copied.
Scope: Enter openid email. The openid value is mandatory. The email value is optional; it ensures that the user's email address is automatically filled in and shown on the profile page after the user signs in. Learn about other claims you can add.
Response type: Select code id_token.
Client secret: Paste the client secret value (not the Secret ID) from the application you created. This setting is required if the response type includes code, because the site presents the secret when it redeems the authorization code at the token endpoint.
Response mode: Select form_post.
.External logout: This setting controls whether your site uses federated sign-out. With federated sign-out, when users sign out of an application or site, they're also signed out of all applications and sites that use the same identity provider. Turn it on to redirect users to the federated sign-out experience when they sign out of your website. Turn it off to sign users out of your website only.
Post logout redirect URL: Enter the URL where the identity provider should redirect users after they sign out. This location should be set appropriately in the identity provider configuration.
RP initiated logout: This setting controls whether the relying party—the OpenID Connect client application—can sign out users. To use this setting, turn on External logout.
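The following Python script is an added example, not Power Pages code and not part of the original article. It shows what the Authority, Client ID, Redirect URL, Scope, Response type and Response mode settings above become on the wire: the authorization request the site sends the browser to, and the handling of the form_post body Microsoft Entra posts back. Two things are assumptions of the example: the authorize endpoint is formed by appending oauth2/v2.0/authorize to the authority (a real client takes authorization_endpoint from the metadata document instead), and the tenant ID, client ID and redirect URL are placeholders.

```python
"""Authorization request and form_post response for the settings above.

Added example, not Power Pages code. Assumptions: the authorize endpoint is
formed by appending "oauth2/v2.0/authorize" to the authority (a real client
reads authorization_endpoint from the metadata document instead), and the
tenant ID, client ID and redirect URL below are placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"                 # placeholder
REDIRECT_URL = "https://contoso.powerappsportals.com/signin-entra"  # placeholder


def build_authorize_request(authority, client_id, redirect_url,
                            scope="openid email", state=None, nonce=None):
    """Return (url, state, nonce) for a hybrid-flow request.

    state ties the POSTed response to the browser session that started the
    login; nonce is echoed back inside the ID token so a token captured from
    another login can't be replayed into this one.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_url,      # must equal the app registration's redirect URI
        "response_type": "code id_token",  # hybrid flow: code and ID token in one response
        "response_mode": "form_post",      # tokens arrive in a POST body, not in the URL
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{authority}oauth2/v2.0/authorize?{urlencode(params)}", state, nonce


def request_params(url):
    """Decode an authorize URL's query string into a flat dict for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_form_post(body, expected_state):
    """Parse the x-www-form-urlencoded body Entra POSTs to the Redirect URL.

    Raises ValueError when the provider reports an error, when state doesn't
    match the pending login, or when code or id_token is missing.
    """
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if "error" in fields:
        raise ValueError(f"provider error {fields['error']}: {fields.get('error_description', '')}")
    if not secrets.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: response doesn't belong to this login attempt")
    missing = {"code", "id_token"} - fields.keys()
    if missing:
        raise ValueError(f"hybrid response missing {sorted(missing)}")
    return {"code": fields["code"], "id_token": fields["id_token"]}
```

The state check is what stops a response from one login attempt being pasted into another session; the returned id_token still has to have its signature, issuer, audience and nonce verified before anything in it is trusted.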
Additional settings in Power Pages
The additional settings give you finer control over how users authenticate with your Microsoft Entra identity provider. You don't need to set any of these values. They're entirely optional.
Issuer filter: Enter a wildcard-based filter that matches on all issuers across all tenants; for example, https://sts.windows.net/*/. Any tenant whose issuer matches the pattern is accepted, so use it only when you intend to allow multitenant sign-in.
Validate audience: Turn on this setting to validate the audience during token validation. Without it, the site accepts a token that the same provider issued for a different application.
Valid audiences: Enter a comma-separated list of audience URLs. For Microsoft Entra ID tokens, the audience is the Application (client) ID of the application you created.
Validate issuers: Turn on this setting to validate the issuer during token validation.
Valid issuers: Enter a comma-separated list of issuer URLs; for example, https://sts.windows.net/<Directory (tenant) ID>/ for the tenant in which you registered the application.
Registration claims mapping and Login claims mapping: In user authentication, a claim is information that describes a user's identity, like an email address or date of birth. When you sign in to an application or a website, it creates a token. A token contains information about your identity, including any claims that are associated with it. Tokens are used to authenticate your identity when you access other parts of the application or site or other applications and sites that are connected to the same identity provider. Claims mapping is a way to change the information that's included in a token. It can be used to customize the information that's available to the application or site and to control access to features or data. Registration claims mapping modifies the claims that are emitted when you register for an application or a site. Login claims mapping modifies the claims that are emitted when you sign in to an application or a site. Learn more about claims mapping policies.
Nonce lifetime: Enter the lifetime of the nonce value, in minutes. The default value is 10 minutes.
Use token lifetime: This setting controls whether the authentication session lifetime, such as cookies, should match that of the authentication token. If you turn it on, this value overrides the Application Cookie Expire Timespan value in the Authentication/ApplicationCookie/ExpireTimeSpan site setting.
Contact mapping with email: This setting determines whether contacts are mapped to a corresponding email address when they sign in.
- On: Associates a unique contact record with a matching email address and automatically assigns the external identity provider to the contact after the user successfully signs in.
- Off: Contacts aren't matched on email address.
Note
The ui_locales request parameter is sent automatically in the authentication request and is set to the language selected on the site.
Set up additional claims
Set Scope to include the additional claims; for example, openid email profile.
Set the Registration claims mapping additional site setting; for example, firstname=given_name,lastname=family_name.
Set the Login claims mapping additional site setting; for example, firstname=given_name,lastname=family_name.
In these examples, the first name, last name, and email address supplied with the additional claims become the default values in the profile page in the website. The given_name and family_name claims are released only when the profile scope is requested, which is why the scope is extended before the mappings are set.
Note
Claims mapping is supported for text and boolean data types.
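The following Python script is an added example, not Power Pages code and not part of the original article. It parses mapping strings of the form attribute=claim,attribute=claim, as used in the Registration claims mapping and Login claims mapping settings, looks each claim up in an ID token payload whose signature has already been verified, and returns the attribute values a contact record would be populated with, applying the rule from the note that only text and boolean values are mapped. The attribute names (firstname, lastname, emailverified, lastlogon, jobtitle), the jobTitle claim and the sample token payload are constructed for the example; given_name, family_name and email are the standard OpenID Connect claims released for the profile and email scopes.

```python
"""Claims mapping, as in the Registration and Login claims mapping settings.

Added example, not Power Pages code. Attribute names, the jobTitle claim and
the sample payload are constructed for the example.
"""


def parse_claims_mapping(mapping):
    """'firstname=given_name,lastname=family_name' -> {'firstname': 'given_name', ...}."""
    result = {}
    for entry in (e.strip() for e in mapping.split(",")):
        if not entry:
            continue                        # tolerate a trailing comma
        attribute, sep, claim = entry.partition("=")
        attribute, claim = attribute.strip(), claim.strip()
        if not sep or not attribute or not claim:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        if attribute in result:
            raise ValueError(f"attribute mapped twice: {attribute}")
        result[attribute] = claim
    return result


def apply_claims_mapping(mapping, claims):
    """Return (mapped, skipped).

    mapped: {attribute: value} for claims present with a text or boolean value,
    the only data types claims mapping supports. skipped: (attribute, claim,
    reason) tuples for claims that were absent or had another type, so that
    dropped data is visible to whoever debugs an empty profile field.
    """
    mapped, skipped = {}, []
    for attribute, claim in parse_claims_mapping(mapping).items():
        if claim not in claims:
            skipped.append((attribute, claim, "missing"))
        elif isinstance(claims[claim], (str, bool)):
            mapped[attribute] = claims[claim]
        else:
            skipped.append((attribute, claim, type(claims[claim]).__name__))
    return mapped, skipped


# Constructed sample payload of an ID token issued for scope "openid email profile".
SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/",
    "given_name": "Alex",
    "family_name": "Nguyen",
    "email": "alex@contoso.example",
    "email_verified": True,
    "auth_time": 1700000000,
}

# The page's example mapping, extended with a boolean claim, a numeric claim
# (which the type rule skips) and a claim absent from the sample token.
REGISTRATION_MAPPING = (
    "firstname=given_name,lastname=family_name,"
    "emailverified=email_verified,lastlogon=auth_time,jobtitle=jobTitle"
)
```

A mapping is applied per claim, so a user whose token lacks an optional claim still signs in; the corresponding field simply stays empty, which is why the skipped list is worth logging when a profile page shows blanks.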
Allow multitenant Microsoft Entra authentication
To allow Microsoft Entra users to authenticate from any tenant, not just from the tenant in which you registered the application, change the app registration's Supported account types to a multitenant option (accounts in any organizational directory). Because a tenant-specific authority only signs in users of that tenant, set Authority to https://login.microsoftonline.com/common/ for a multitenant registration.
You also need to set Issuer filter in your provider's additional settings, because the issuer (iss) claim contains the tenant ID and therefore differs for every tenant; a single entry in Valid issuers would reject users from every other tenant. Be aware of what the wildcard filter https://sts.windows.net/*/ grants: a user from any Microsoft Entra tenant, including tenants you've never heard of, can sign in to your site. If you want to admit only a known set of partner tenants, list their issuer URLs in Valid issuers instead, and keep Validate audience on so that only tokens issued for your application are accepted.
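The following Python script is an added example, not Power Pages code and not part of the original article. It models how the Issuer filter, Valid issuers, Validate audience / Valid audiences and Nonce lifetime settings described under Additional settings act on an ID token payload whose signature has already been verified (signature verification itself isn't shown), and runs the multitenant configuration from this section beside a pinned one so the difference is visible. Two interpretations are assumptions of the example, not documented Power Pages behaviour: each * in the filter stands for exactly one path segment (a tenant ID), and an explicit Valid issuers list takes precedence over the filter. The client ID and the second tenant ID are placeholders.

```python
"""Issuer, audience and nonce checks behind the additional settings, applied to
a multitenant configuration.

Added example, not Power Pages code. Assumptions: "*" in the issuer filter
matches exactly one path segment; an explicit valid_issuers list takes
precedence over the filter; CLIENT_ID and OTHER_TENANT are placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

CLIENT_ID = "00000000-0000-0000-0000-000000000000"          # placeholder app ID
HOME_TENANT = "7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb"        # tenant from the page's example
OTHER_TENANT = "11111111-2222-3333-4444-555555555555"       # constructed foreign tenant
ISSUER_FILTER = "https://sts.windows.net/*/"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)      # fixed clock for repeatability


def issuer_filter_regex(pattern):
    """Compile a wildcard issuer filter; '*' matches one path segment, never '/'."""
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in pattern.split("*")) + "$")


def validate_claims(claims, *, validate_audience=True, valid_audiences=(),
                    validate_issuer=True, valid_issuers=(), issuer_filter=None,
                    expected_nonce=None, nonce_issued_at=None,
                    nonce_lifetime=timedelta(minutes=10), now=None):
    """Return the list of failed checks; an empty list means the token is accepted."""
    now = now or datetime.now(timezone.utc)
    failures = []

    exp = claims.get("exp")
    if exp is None or datetime.fromtimestamp(exp, timezone.utc) <= now:
        failures.append("token expired or has no exp")

    if validate_audience:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if not any(a in valid_audiences for a in audiences):
            failures.append(f"audience {aud!r} is not one of {list(valid_audiences)}")

    if validate_issuer:
        iss = claims.get("iss", "")
        if valid_issuers:
            accepted = iss in valid_issuers
        elif issuer_filter:
            accepted = issuer_filter_regex(issuer_filter).match(iss) is not None
        else:
            accepted = False                  # nothing configured: fail closed
        if not accepted:
            failures.append(f"issuer {iss!r} rejected")

    if expected_nonce is not None:
        if claims.get("nonce") != expected_nonce:
            failures.append("nonce mismatch: token is not the answer to this request")
        elif nonce_issued_at is not None and now - nonce_issued_at > nonce_lifetime:
            failures.append("nonce older than Nonce lifetime")
    return failures


def token_for(tenant, nonce="n-1", aud=CLIENT_ID):
    """Constructed ID-token payload (claims only) as issued by `tenant`."""
    return {"iss": f"https://sts.windows.net/{tenant}/", "aud": aud,
            "exp": int((NOW + timedelta(minutes=30)).timestamp()), "nonce": nonce}


def run_scenarios():
    """Evaluate the configurations the text describes; keys are scenario names."""
    common = dict(valid_audiences=[CLIENT_ID], now=NOW)
    home, foreign = token_for(HOME_TENANT), token_for(OTHER_TENANT)
    return {
        # Multitenant: the wildcard filter accepts the home tenant and any other tenant alike.
        "wildcard_home": validate_claims(home, issuer_filter=ISSUER_FILTER, **common),
        "wildcard_foreign": validate_claims(foreign, issuer_filter=ISSUER_FILTER, **common),
        # Pinned: an explicit Valid issuers list rejects the foreign tenant.
        "pinned_foreign": validate_claims(
            foreign, valid_issuers=[f"https://sts.windows.net/{HOME_TENANT}/"], **common),
        # A token issued to some other app in the same tenant fails Validate audience.
        "wrong_audience": validate_claims(
            token_for(HOME_TENANT, aud="another-app-id"), issuer_filter=ISSUER_FILTER, **common),
        # Nonce checks: matching and fresh, then matching but older than the 10-minute default.
        "fresh_nonce": validate_claims(home, issuer_filter=ISSUER_FILTER, expected_nonce="n-1",
                                       nonce_issued_at=NOW - timedelta(minutes=5), **common),
        "stale_nonce": validate_claims(home, issuer_filter=ISSUER_FILTER, expected_nonce="n-1",
                                       nonce_issued_at=NOW - timedelta(minutes=11), **common),
    }
```

The wildcard_foreign scenario passing with no failures is the point of the caveat above: with only the filter configured, the site's own checks don't distinguish your tenant from any other Microsoft Entra tenant, so tenant restriction has to come from Valid issuers or from the app registration's Supported account types.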