Configure an OpenID Connect provider for portals with Azure AD
Effective October 12, 2022, Power Apps portals is Power Pages. More information: Microsoft Power Pages is now generally available (blog)
We will soon migrate and merge the Power Apps portals documentation with Power Pages documentation.
In this article, you'll learn about configuring an OpenID Connect provider for portals with Azure Active Directory (Azure AD) and multitenant Azure AD.
- Portals isn't limited to only Azure AD, multitenant Azure AD, or Azure AD B2C as the OpenID Connect providers. You can use any other provider that conforms to the OpenID Connect specification. Changes to the authentication settings might take a few minutes to be reflected on the portal. Restart the portal by using portal actions if you want the changes to be reflected immediately.
To configure Azure AD as the OpenID Connect provider by using the Implicit Grant flow
Select Add provider for your portal.
For Login provider, select Other.
For Protocol, select OpenID Connect.
Enter a provider name.
In this step, you create the application and configure the settings with your identity provider.
- The Reply URL is used by the app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.
- More details about creating the app registration on the Azure portal are available in Quickstart: Register an application with the Microsoft identity platform.
Sign in to the Azure portal.
Search for and select Azure Active Directory.
Under Manage, select App registrations.
Select New registration.
Enter a name.
If necessary, select a different Supported account type. More information: Supported account types
Under Redirect URI, select Web (if it isn't already selected).
Enter the Reply URL for your portal in the Redirect URI text box.
If you're using the default portal URL, copy and paste the Reply URL as shown in the Create and configure OpenID Connect provider settings section on the Configure identity provider screen (step 6 above). If you're using a custom domain name for the portal, enter the custom URL. Be sure to use this value when you configure the Redirect URL in your portal settings while configuring the OpenID Connect provider.
For example, if you enter the Reply URL in Azure portal as
https://contoso-portal.powerappsportals.com/signin-openid_1, you must use it as-is for the OpenID Connect configuration in portals.
On the left pane, under Manage, select Authentication.
Under Implicit grant, select the ID tokens check box.
In this step, you enter the site settings for the portal configuration.
If you closed the browser window after configuring the app registration in the earlier step, sign in to the Azure portal again and go to the app that you registered.
Authority: To configure the authority URL, use the following format:
https://login.microsoftonline.com/<Directory (tenant) ID>/
For example, if the Directory (tenant) ID in the Azure portal is
7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb, the authority URL is
Client ID: Copy the Application (client) ID from the Azure portal as the client ID.
Redirect URL: Confirm that the Redirect URL site setting value is the same as the Redirect URI that you set in the Azure portal earlier.
If you're using the default portal URL, you can copy and paste the Reply URL as shown in the Create and configure OpenID Connect provider settings step. If you're using a custom domain name, enter the URL manually. Be sure that the value you enter here is exactly the same as the value you entered as the Redirect URI in the Azure portal earlier.
Metadata address: To configure the metadata address, do the following:
Select Overview in the Azure portal.
Copy the URL in OpenID Connect metadata document.
Paste the copied document URL as the Metadata address for portals.
Scope: Set the Scope site setting value as:
openidvalue in Scope is mandatory. The
For Response type, select code id_token.
For Response mode, select form_post.
Configure additional claims
Enable optional claims in Azure AD.
Set Scope to include the additional claims.
openid email profile
Set the Registration claims mapping additional site setting.
Set the Login claims mapping additional site setting.
For example, the first name, last name, and email addresses supplied with the additional claims become the default values in the profile page in the portal.
Enable authentication by using a multitenant Azure AD application
You can configure your portal to accept Azure AD users from any tenant in Azure, and not just from a specific tenant, by using the multitenant application registered in Azure AD. To enable multitenancy, update the application registration in the Azure AD application.
To support authentication against Azure AD by using a multitenant application, you have to create or configure the additional Issuer Filter site setting.
This site setting is a wildcard-based filter that matches on all issuers across all tenants. Example:
Submit and view feedback for