Microsoft Entra ID

.env
MICROSOFT_CLIENT_ID=
MICROSOFT_CLIENT_SECRET=

Under your app registration’s “Authentication” settings, you need to add a “Web” platform and configure the redirect URI.

/api/auth/microsoft/callback

Microsoft allows adding multiple redirect URIs, so add both your development and production URLs.

The openid, profile, email, and User.Read scopes are requested by default.

auth.ts
import process from 'node:process'
import { createAuth } from '@rttnd/gau/core'
import { Microsoft } from '@rttnd/gau/oauth'

export const auth = createAuth({
  providers: [
    Microsoft({
      clientId: process.env.MICROSOFT_CLIENT_ID,
      clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
    }),
  ],
})

Type: 'common' | 'organizations' | 'consumers' | (string & {})

Default: 'common'

The tenant segment used in the authorize and token endpoints. You can also pass a specific tenant ID.

  • "consumers" is personal accounts only.
  • "organizations" is work/school accounts only.
  • "common" works with both.

Type: 'login' | 'none' | 'consent' | 'select_account' | (string & {})

Optional prompt behavior to request from Microsoft.

Type: Record<string, string>

Extra query params appended to the authorization URL.
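
How the tenant, prompt and extra-parameter options above map onto the Microsoft identity platform v2.0 endpoints, as an added example that is not gau's own code. The `AuthorizeOptions` shape, the `params` field name, the reserved-parameter list and the tenant pattern are assumptions made for illustration.

```typescript
// Added illustration, not gau's source. Endpoint layout is the Microsoft identity platform v2.0.
type Tenant = 'common' | 'organizations' | 'consumers' | (string & {})

interface AuthorizeOptions {
  tenant?: Tenant
  clientId: string
  redirectUri: string
  state: string
  prompt?: string
  params?: Record<string, string> // hypothetical name for the extra query params option
}

// Parameters the flow itself depends on; extra params must not replace them (assumed policy).
const RESERVED = ['client_id', 'redirect_uri', 'response_type', 'scope', 'state']

// A tenant is an alias, a tenant ID (GUID) or a verified domain. Anything else could
// smuggle extra path segments into the endpoint URL.
const TENANT_RE = /^(common|organizations|consumers|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|[a-z0-9-]+(\.[a-z0-9-]+)+)$/i

function endpoints(tenant: Tenant = 'common') {
  if (!TENANT_RE.test(tenant))
    throw new Error(`invalid tenant: ${tenant}`)
  const base = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0`
  return { authorize: `${base}/authorize`, token: `${base}/token` }
}

function authorizeUrl(o: AuthorizeOptions): string {
  const url = new URL(endpoints(o.tenant).authorize)
  // Extra params go in first and are rejected if they collide with a reserved name.
  for (const [k, v] of Object.entries(o.params ?? {})) {
    if (RESERVED.includes(k.toLowerCase()))
      throw new Error(`extra param may not override ${k}`)
    url.searchParams.set(k, v)
  }
  url.searchParams.set('client_id', o.clientId)
  url.searchParams.set('redirect_uri', o.redirectUri)
  url.searchParams.set('response_type', 'code')
  url.searchParams.set('scope', 'openid profile email User.Read') // the default scopes listed above
  url.searchParams.set('state', o.state)
  if (o.prompt)
    url.searchParams.set('prompt', o.prompt) // the explicit option wins over params.prompt
  return url.toString()
}
```

The redirect URI passed here has to match one registered under the app registration's "Web" platform, which is why both the development and production callback URLs are added there.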