Azure AD Provider
Deprecated - Microsoft has rebranded this product Microsoft Entra ID and all support work will be going into that IdP. We recommend you migrate to using that provider as well.
Setup
Callback URL
https://example.com/api/auth/callback/azure-ad
Environment Variables
AUTH_AZURE_AD_ID
AUTH_AZURE_AD_SECRET
AUTH_AZURE_AD_TENANT_ID
Configuration
import NextAuth from "next-auth"
import AzureAd from "next-auth/providers/azure-ad"

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [AzureAd],
})
To allow specific Active Directory users access:
- In https://portal.azure.com/ search for “Azure Active Directory”, and select your organization.
- Next, go to “App Registration” in the left menu, and create a new one.
- Pay close attention to “Who can use this application or access this API?”
  - This allows you to scope access to specific types of user accounts
  - Only your tenant, all azure tenants, or all azure tenants and personal Microsoft accounts (Skype, Xbox, Outlook.com, etc.)
- When asked for a redirection URL, use https://yourapplication.com/api/auth/callback/azure-ad or for development http://localhost:3000/api/auth/callback/azure-ad.
- After your App Registration is created, under “Client Credential” create your Client secret.
- Click on “API Permissions” and click “Grant admin consent for…” to allow User.Read access to your tenant.
- Now copy your:
  - Application (client) ID
  - Directory (tenant) ID
  - Client secret (value)
In .env.local create the following entries:
AUTH_AZURE_AD_CLIENT_ID=<copy Application (client) ID here>
AUTH_AZURE_AD_CLIENT_SECRET=<copy generated client secret value here>
AUTH_AZURE_AD_TENANT_ID=<copy the tenant id here>
That will default the tenant to use the common authorization endpoint. For more details see here.
If you want your application to receive authorization requests not only from the tenants but also from all Microsoft users, set AUTH_AZURE_AD_TENANT_ID to “common”. This will “skip” tenant authorization.
AUTH_AZURE_AD_TENANT_ID=common
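With the common endpoint, accounts from any tenant can complete sign-in, so the application itself has to decide which tenants it accepts. The following is an added example, not part of the original page or of Auth.js, showing a tenant allowlist enforced in the Auth.js signIn callback. It assumes the ID token claims tid and iss reach the callback as profile in the v2.0 issuer format; ALLOWED_TENANT_IDS and the function names are hypothetical.

```javascript
// Added example, not Auth.js code. Assumes `profile` carries the ID token
// claims `tid` (tenant ID) and `iss` (issuer) in the v2.0 format.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Parse a comma-separated allowlist, e.g. from a hypothetical
// ALLOWED_TENANT_IDS environment variable. Malformed entries are an error.
function parseAllowedTenants(raw) {
  const ids = String(raw ?? "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  for (const id of ids) {
    if (!GUID.test(id)) throw new Error(`not a tenant GUID: ${id}`);
  }
  return new Set(ids);
}

// True only when the token's tenant is allowlisted and its issuer names
// the same tenant. An empty allowlist rejects everyone (fail closed).
function isAllowedTenant(profile, allowed) {
  const tid = typeof profile?.tid === "string" ? profile.tid.toLowerCase() : "";
  if (!GUID.test(tid) || !allowed.has(tid)) return false;
  const iss = typeof profile.iss === "string" ? profile.iss.toLowerCase() : "";
  return iss === `https://login.microsoftonline.com/${tid}/v2.0`;
}

// Build a signIn callback; returning false makes Auth.js deny the sign-in.
function makeSignInCallback(allowed) {
  return async ({ account, profile }) => {
    if (account?.provider !== "azure-ad") return true; // other providers untouched
    return isAllowedTenant(profile, allowed);
  };
}

// Wiring (kept as a comment so this file runs without next-auth installed):
//   NextAuth({ providers: [AzureAd], callbacks: { signIn:
//     makeSignInCallback(parseAllowedTenants(process.env.ALLOWED_TENANT_IDS)) } })

// Constructed sample claims; the GUIDs are made up.
const OWN = "11111111-2222-3333-4444-555555555555";
const OTHER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";
const claims = (tid, issTid = tid) =>
  ({ tid, iss: `https://login.microsoftonline.com/${issTid}/v2.0` });
const allowed = parseAllowedTenants(` ${OWN} `);
console.log(isAllowedTenant(claims(OWN), allowed)); // own tenant
console.log(isAllowedTenant(claims(OTHER), allowed)); // foreign tenant
console.log(isAllowedTenant(claims(OWN, OTHER), allowed)); // tid/iss mismatch
```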
Azure AD returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#examples. The default image size is 48x48 to avoid running out of space in case the session is saved as a JWT.
In pages/api/auth/[...nextauth].js find or add the AzureAD entries:
import AzureADProvider from "next-auth/providers/azure-ad"

// Inside the options object passed to NextAuth():
providers: [
  AzureADProvider({
    // Variable names match the .env.local entries created above
    clientId: process.env.AUTH_AZURE_AD_CLIENT_ID,
    clientSecret: process.env.AUTH_AZURE_AD_CLIENT_SECRET,
    tenantId: process.env.AUTH_AZURE_AD_TENANT_ID,
  }),
]