# Add Microsoft login

You can add Microsoft login to your applications using Asgardeo and enable users to log in with their Microsoft accounts.

Follow this guide for instructions.

# Register Asgardeo on Microsoft

You need to register Asgardeo as an OAuth 2.0 application on Microsoft Entra ID.

For detailed instructions, see the Microsoft documentation on registering an application.

  1. Sign in to the Microsoft Entra admin center using an account with administrator permission.

    You must use an account in the Microsoft 365 subscription (tenant) in which you intend to register the app.

  2. Go to Identity > Applications > App registrations and select New registration. (In older portal layouts, click Add and select App registration from the list.)

  3. Provide the required information for app registration.

    | Parameter | Description |
    |---|---|
    | Name | Enter a meaningful name for your application. |
    | Supported account type | Select the supported account type. Value: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox). This is the widest option: any work, school, or personal Microsoft account will be able to sign in. If only users of your own tenant should log in, select Accounts in this organizational directory only instead. |
    | Redirect URI | Select Web as the platform and provide the URL to which Microsoft redirects the browser after login completes. Value: https://localhost:9443/commonauth. This value is the callback of a locally hosted WSO2 Identity Server; for an Asgardeo organization the callback is of the form https://api.asgardeo.io/t/<organization_name>/commonauth. Microsoft compares the redirect_uri in every authorization request exactly against the registered value and rejects the request on a mismatch (error AADSTS50011), so register the exact commonauth endpoint of the deployment your users log in to. |

  4. Click Register to create the application.

    Take note of the Application (client) ID shown on the Overview page after the application is created.

Now, let's generate a client secret for the application.

  1. Go to Certificates & secrets on the left navigation and click + New client secret.

  2. Enter a description for the client secret and select the expiry time.

    Microsoft login through this connection stops working when the secret expires, so record the expiry date and plan to rotate the secret in both Microsoft Entra and Asgardeo before then.

  3. Click Add to add the client secret.

    Important

    Take note of the generated Value (not the Secret ID). Microsoft Entra shows this value only once; if you navigate away without copying it, delete the secret and create a new one. This value is the client secret you will enter for your Microsoft connection in Asgardeo. Treat it as a credential and store it as you would a password.

# Register the Microsoft IdP

Now, let's register the Microsoft IdP in Asgardeo.

  1. On the Asgardeo Console, go to Connections.

  2. Click New Connection and select Microsoft.

  3. Enter the following details of the Microsoft identity provider and click Finish:

    | Parameter | Description |
    |---|---|
    | Name | A unique name for this Microsoft identity provider. |
    | Client ID | The Application (client) ID obtained from Microsoft. |
    | Client secret | The client secret Value obtained from Microsoft. |

Claim syncing for JIT-provisioned users

JIT user provisioning is enabled by default for your external identity provider. If required, you can disable it.

When a user who already has a local Asgardeo account logs in through an external identity provider with the same email address, Asgardeo links the two and syncs the claims of the JIT-provisioned account and the local account.

By default, when JIT user provisioning is enabled, the claims received from the external identity provider override the claims of the local user account. Note that the link is made on the email address alone, and the email claim of a Microsoft work or school account is not verified by Microsoft by default: it is whatever that account's home tenant administrator has set. With a multitenant registration, decide whether an email match from another tenant should be allowed to update a local account before relying on this behavior.

You can use Asgardeo's identity provider APIs to configure claim syncing between the external identity provider and the local user accounts. This lets you customize the claim syncing behavior according to your specific requirements.
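To make the default policy above concrete, here is an added Python example (illustrative code, not Asgardeo's implementation or its identity provider API) that contrasts the override behavior with a guarded policy in which the identity provider may refresh only an allowlist of profile attributes, may fill attributes the local account lacks, and never touches locally managed authorization attributes. The claim names, the allowlists, and the sample accounts are constructed for illustration.

```python
"""Added example: claim-syncing policies for a JIT-provisioned login.

Illustrative code, not Asgardeo's implementation. The claim names, allowlists
and sample accounts below are assumptions made for the example.
"""
from typing import Dict, Iterable

Claims = Dict[str, str]

# Attributes the application authorizes on; an external IdP must never rewrite them.
LOCALLY_MANAGED = frozenset({"roles", "groups", "username"})
# Profile attributes the IdP is allowed to refresh on every login.
IDP_AUTHORITATIVE = frozenset({"givenname", "lastname", "email"})


def normalize_email(address: str) -> str:
    """Compare addresses case-insensitively and without surrounding whitespace."""
    return address.strip().lower()


def sync_default(local: Claims, idp: Claims) -> Claims:
    """The default behavior described on this page: IdP claims override local claims,
    including anything the application uses for authorization."""
    merged = dict(local)
    merged.update(idp)
    return merged


def sync_guarded(local: Claims, idp: Claims,
                 idp_authoritative: Iterable[str] = IDP_AUTHORITATIVE) -> Claims:
    """A guarded policy: the IdP refreshes only allowlisted profile attributes,
    may add attributes the local account lacks, and never changes locally
    managed authorization attributes.

    Raises ValueError if the IdP's email does not match the local account, since
    the email address is the only thing that ties the two accounts together.
    """
    if normalize_email(idp.get("email", "")) != normalize_email(local.get("email", "")):
        raise ValueError("IdP email does not match the local account; refusing to link")
    allowed = set(idp_authoritative)
    merged = dict(local)
    for name, value in idp.items():
        if name in LOCALLY_MANAGED:
            continue  # authorization data stays under local control
        if name in allowed or name not in merged:
            merged[name] = value
    return merged


if __name__ == "__main__":
    # Constructed sample accounts: the local user is an admin, the IdP asserts "guest".
    local_account = {"username": "alice", "email": "Alice@example.com",
                     "givenname": "Alice", "roles": "admin", "phone": "+1-555-0100"}
    idp_claims = {"email": "alice@example.com", "givenname": "Alicia",
                  "roles": "guest", "country": "LK"}
    print("default :", sync_default(local_account, idp_claims))   # roles becomes "guest"
    print("guarded :", sync_guarded(local_account, idp_claims))   # roles stays "admin"
```

The difference that matters is the `roles` attribute: under the default policy the identity provider's value replaces the local one, under the guarded policy it is ignored while the profile attributes are still refreshed.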

After the Microsoft identity provider is created, go to its Settings tab to see the scopes Asgardeo requests from Microsoft:

  • email: lets Asgardeo read the user's email address.
  • openid: authenticates the user with OpenID Connect and returns an ID token.
  • profile: lets Asgardeo read the user's basic profile data.

Asgardeo needs these scopes to obtain user information. It checks the attribute configuration of the application and forwards only the relevant attributes received from Microsoft to the app. See the Microsoft documentation on permissions and consent to learn more.
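The settings above produce a standard OpenID Connect authorization-code request. The following added Python example (not Asgardeo's or Microsoft's code) builds that request with the three scopes and a PKCE challenge, and shows the checks a relying party performs on the callback, including the exact redirect URI match that Microsoft Entra also enforces against the registered Redirect URI. The client ID, redirect URI, and callback URLs are constructed sample values; the /common authority is used because the account type chosen above admits any tenant and personal Microsoft accounts.

```python
"""Added example: the OpenID Connect authorization-code request that the Microsoft
connection settings produce, and the checks a relying party makes on the callback.

Not Asgardeo's or Microsoft's code. All identifiers below are constructed sample
values, not real credentials.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# "Accounts in any organizational directory and personal Microsoft accounts" maps
# to the /common authority; a single-tenant registration would use /<tenant-id>.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
SCOPES = ("openid", "profile", "email")  # the three scopes listed on this page


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge derived from the code verifier."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, state: str, code_verifier: str) -> str:
    """The authorization request the relying party redirects the browser to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must equal a registered Redirect URI exactly
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,  # bound to the browser session and checked on return
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def validate_callback(callback_url: str, registered_redirect_uri: str, expected_state: str) -> str:
    """Return the authorization code, or raise ValueError if the callback is unacceptable.

    The redirect URI comparison mirrors the exact match Microsoft Entra performs
    against the registered Redirect URI before it issues a code.
    """
    parts = urlsplit(callback_url)
    received_uri = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if received_uri != registered_redirect_uri:
        raise ValueError(f"redirect URI mismatch: {received_uri} != {registered_redirect_uri}")
    query = parse_qs(parts.query)
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise ValueError(f"identity provider returned {query['error'][0]}: {description}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    # Constructed sample values for a local run.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "https://localhost:9443/commonauth"
    state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(64)
    print(build_authorize_url(client_id, redirect_uri, state, verifier))
    # A callback on a different port fails the exact match, as it would at Microsoft.
    try:
        validate_callback(f"https://localhost:9444/commonauth?code=abc&state={state}", redirect_uri, state)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it to print the authorization URL; the second call deliberately sends the callback to a different port to show the kind of mismatch that a wrongly registered Redirect URI produces.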

# Enable Microsoft login

Before you begin

You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.

To enable Microsoft login:

  1. On the Asgardeo Console, go to Applications.

  2. Select your application, go to the Login Flow tab and add Microsoft login from your preferred editor:

    Using the Classic Editor

    To add Microsoft login using the Classic Editor:

    1. If you haven't already defined a sign-in flow, click Start with Default configuration to get started.

    2. Click Add Authentication on the step, select your Microsoft identity provider, and click Add.

    Using the Visual Editor

    To add Microsoft login using the Visual Editor:

    1. Switch to the Visual Editor tab. By default, the Username & Password login flow is already on the Visual Editor's workspace.

    2. Click + Add Sign In Option to add a new authenticator to the same step and select your Microsoft connection.
  3. Click Update to save your changes.

# Try it out

Follow the steps given below.

  1. Access the application URL.

  2. Click Login to open the Asgardeo login page.

  3. On the Asgardeo login page, click Sign in with Microsoft.

  4. Log in to Microsoft with an existing user account.

When a user successfully logs in with Microsoft for the first time, a user account is created in Asgardeo with the Microsoft username. The user's credentials stay with Microsoft: Asgardeo holds only the JIT-provisioned profile, and the user authenticates through Microsoft on every login.

# Delete a connection

Before you begin

If your connection has applications associated with it, you cannot delete the connection.

Before deleting such connections:
  1. Check the associated applications from the Connected Apps tab of the connection.
  2. Click an application that uses the connection; you are redirected to the Login Flow tab of that application.
  3. Remove the connection from the sign-in flow of the application.
  4. Repeat steps 2 and 3 for all listed applications.
  5. Proceed to delete the connection.

To delete a connection that does not have any applications using it:

  1. On the Asgardeo Console, go to Connections.

  2. Click Set up on the connection and go to the General tab.

  3. At the bottom of the page, in the Delete connection section, click the delete button.

    You cannot delete connections that are available by default.

  4. Select the checkbox and confirm your action.