How can I allow users to sign in to my website with their microsoft account (azure ad?) without them needing to configure anything?

Elliot 0 Reputation points
2023-05-25T19:36:17.37+00:00

Hi,

I'm developing a saas product (meteor.js / node.js stack, not hosted on azure) where tenants (companies) may allow their employees to login to our app with their corporate microsoft account. How can we configure our app such that tenants need no/minimal configuration on their end to allow this feature?

For example, with google we are able to configure one oauth app and allow logins from any google account. Can we do something similar for microsoft corporate accounts? (not talking about microsoft.com accounts).

Thanks for the help!

Elliot

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Konstantinos Passadis 19,591 Reputation points MVP
    2023-05-25T19:41:31.5933333+00:00

    Hello @Elliot !

    Welcome to Microsoft QnA!

    Yes, Azure provides a similar way to do the same thing with Application Registrations

    https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-oauth2

    Register your application with Azure AD. You do this in the Azure portal. Once registered, you'll get a client ID and a client secret. These are used to authenticate your app with Azure AD.

    Configure your application to use Azure AD as an OAuth provider. This is generally done using a library or middleware that supports OAuth 2.0. In your case, since you're using Meteor/Node.js, you could use the passport-azure-ad module. You would configure this with the client ID and client secret you got in the previous step.

    When a user wants to log in, they will be redirected to the Azure AD login page. They enter their corporate Microsoft account credentials here. Azure AD then issues an authorization code, which is sent back to your application.

    Your application exchanges this authorization code for an access token. This is done by making a POST request to the Azure AD token endpoint, including the client ID, client secret, authorization code, and redirect URI.

    The access token can then be used to access resources on behalf of the user.

    This process allows users to log in with their corporate Microsoft account with minimal configuration required on their end. You just need to make sure that they have Azure AD set up and that their users are registered in Azure AD.

    You will also need to ensure that multi-tenant support is enabled for your application in Azure AD. This allows users from any Azure AD directory to log in, not just users from the directory your application is registered in. This is usually a setting you configure when you register your application.


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

