Skip to content
Migrating from NextAuth.js v4? Read our migration guide.

providers/microsoft-entra-id

Built-in Microsoft Entra ID integration.

MicrosoftEntraIDProfile

Extends

Properties

email

email: string;

nickname

nickname: string;

picture

picture: string;

sub

sub: string;

default()

default(config): OIDCConfig<MicrosoftEntraIDProfile>

Add Microsoft Entra ID login to your page.

Setup

Callback URL

https://example.com/auth/callback/microsoft-entra-id

Configuration

Parameters

ParameterType
configOIDCUserConfig<MicrosoftEntraIDProfile> & { profilePhotoSize: | 64 | 48 | 96 | 120 | 240 | 360 | 432 | 504 | 648; }

Returns

OIDCConfig<MicrosoftEntraIDProfile>

Example

import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
...
providers: [
  MicrosoftEntraID({
    clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
    clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
  }),
]
...

Resources

To allow specific Active Directory users access:

By default, the Entra ID provider lets the users to log in with any Microsoft account (either Personal, School or Work).

To only allow your organization’s users to log in, you’ll need to set the issuer, in addition to the client id and secret.

Issuer Example: https://login.microsoftonline.com/\{Directory (tenant) ID}/v2.0 You can find {Directory (tenant) ID} on the App Registrations Page

Example

import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
 
providers: [
  MicrosoftEntraID({
    clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
    clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
    issuer: env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
  }),
]

Notes

Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to avoid running out of space in case the session is saved as a JWT.

By default, Auth.js assumes that the Microsoft Entra ID provider is based on the Open ID Connect specification.

💡

The Microsoft Entra ID provider comes with a default configuration. To override the defaults for your use case, check out customizing a built-in OAuth provider.

Disclaimer If you think you found a bug in the default configuration, you can open an issue.

Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec, we might not pursue a resolution. You can ask for more help in Discussions.

Auth.js © Balázs Orbán and Team - 2024