Add Facebook as an identity provider

By setting up federation with Facebook, you can allow customers to sign in to your applications with their own Facebook accounts. After you've added Facebook as one of your application's sign-in options, on the sign-in page, customers can sign-in to Microsoft Entra ID for customers with a Facebook account. (Learn more about authentication methods and identity providers for customers.)

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Sign-in with a social account” use case.

Create a Facebook application

To enable sign-in for customers with a Facebook account, you need to create an application in Facebook App Dashboard. For more information, see App Development.

If you don't already have a Facebook account, sign up at https://www.facebook.com. After you sign-up or sign-in with your Facebook account, start the Facebook developer account registration process. For more information, see Register as a Facebook Developer.

  1. Sign in to Facebook for developers with your Facebook developer account credentials.
  2. If you haven't already done so, register as a Facebook developer: Select Get Started in the upper-right corner of the page, accept Facebook's policies, and complete the registration steps.
  3. Select Create App. Select Set up Facebook Login, and then select Next.
  4. For Select an app type, select Consumer, then select Next.
  5. Add an app name and a valid app contact mail.
  6. Select Create app. This step may require you to accept Facebook platform policies and complete an online security check.
  7. Select Settings > Basic.
    1. Copy the value of App ID. Then select Show and copy the value of App Secret. You use both of these values to configure Facebook as an identity provider in your tenant. App Secret is an important security credential.
    2. Enter a URL for the Privacy Policy URL, for example https://www.contoso.com/privacy. The policy URL is a page you maintain to provide privacy information for your application.
    3. Enter a URL for the Terms of Service URL, for example https://www.contoso.com/tos. The policy URL is a page you maintain to provide terms and conditions for your application.
    4. Enter a URL for the User Data Deletion, for example https://www.contoso.com/delete_my_data. The User Data Deletion URL is a page you maintain to provide away for users to request that their data be deleted.
    5. Choose a Category, for example Business and pages. Facebook requires this value, but it's not used by Microsoft Entra ID.
  8. At the bottom of the page, select Add platform, select Website, and then select Next.
  9. In Site URL, enter the address of your website, for example https://contoso.com.
  10. Select Save changes.
  11. From the menu, select Products. Next to Facebook Login, select Configure > Settings.
  12. In Valid OAuth Redirect URIs, enter the following URIs, replacing <tenant-ID> with your customer tenant ID and <tenant-name> with your customer tenant name:
    • https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp
    • https://<tenant-name>.ciamlogin.com/<tenant-ID>/federation/oidc/www.facebook.com
    • https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/www.facebook.com
    • https://<tenant-name>.ciamlogin.com/<tenant-ID>/federation/oauth2
    • https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2

    Note

    To find your customer tenant ID, sign in to the Microsoft Entra admin center. Browse to Identity > Overview. Then select the Overview tab and copy the Tenant ID.

  13. Select Save changes at the bottom of the page.
  14. At this point, only Facebook application owners can sign in. Because you registered the app, you can sign in with your Facebook account. To make your Facebook application available to your users, from the menu, select Go live. Follow all of the steps listed to complete all requirements. You'll likely need to complete the business verification to verify your identity as a business entity or organization. For more information, see Meta App Development.

Configure Facebook federation in Microsoft Entra ID for customers

After you create the Facebook application, in this step you set the Facebook client ID and client secret in Microsoft Entra ID. You can use the Azure portal or PowerShell to do so. To configure Facebook federation in the Microsoft Entra admin center, follow these steps:

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > External Identities > All identity providers.

  3. Select + Facebook.

  4. Enter a Name. For example, Facebook.

  5. For the Client ID, enter the App ID of the Facebook application that you created earlier.

  6. For the Client secret, enter the App Secret that you recorded.

  7. Select Save.

To configure Facebook federation by using PowerShell, follow these steps:

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).

  2. Run the following command: Connect-AzureAD

  3. At the sign-in prompt, sign in with the managed Global Administrator account.

  4. Run the following command:

    New-AzureADMSIdentityProvider -Type Facebook -Name Facebook -ClientId <client ID> -ClientSecret <client secret>

    Use the client ID and client secret from the app you created in Create a Facebook application step.

Add Facebook identity provider to a user flow

At this point, the Facebook identity provider has been set up in your customer tenant, but it's not yet available in any of the sign-in pages. To add the Facebook identity provider to a user flow:

  1. Browse to Identity > External Identities > User flows.

  2. Select the user flow where you want to add the Facebook identity provider.

  3. Under Settings, select Identity providers

  4. Under Other Identity Providers, select Facebook.

  5. At the top of the pane, select Save.

Next steps