Skip to main content
YorAuthDocs
v1.0

Microsoft

Allow users to sign in with their Microsoft account (personal accounts, work accounts, or Azure Active Directory / Entra ID accounts). Microsoft's OAuth 2.0 implementation follows OpenID Connect and supports the prompt=select_account option, which gate sends by default to ensure users are always prompted to choose an account rather than silently using a cached session.

Azure Portal Setup

1. Register an Application

Go to portal.azure.com, navigate to Azure Active Directory > App registrations, and click New registration.

Fill in the following:

  • Name: A display name for your app (shown to users on the consent screen)
  • Supported account types: Choose based on your audience:
    • Accounts in this organizational directory only — Azure AD single-tenant apps
    • Accounts in any organizational directory — Multi-tenant Azure AD apps
    • Accounts in any organizational directory and personal Microsoft accounts — Broadest coverage; recommended for most applications
    • Personal Microsoft accounts only — Consumer accounts only
  • Redirect URI: Select Web and enter the gate callback URL:
text
https://gate.yorauth.com/oauth/microsoft/callback

You can retrieve the exact callback URL for your application from the dashboard API:

bash
curl -X GET "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{providerId}/callback-url" \
  -H "Authorization: Bearer your-api-key"

2. Note Your Client ID

After registration, the Application (client) ID on the overview page is your Client ID. Copy it.

3. Create a Client Secret

Navigate to Certificates & secrets > New client secret.

  • Add a description and choose an expiry period (up to 24 months)
  • After saving, copy the Value field immediately

The client secret value is only shown once in the Azure Portal. Copy it before leaving the page. If lost, delete the secret and create a new one, then update your YorAuth configuration.

4. Add API Permissions (Optional)

The default scopes (openid, email, profile, User.Read) are granted automatically and do not require explicit permission configuration. If you request additional Microsoft Graph scopes, add them under API permissions > Add a permission > Microsoft Graph.

Default Scopes

Gate requests the following scopes by default for Microsoft:

ScopePurpose
openidEnables OpenID Connect identity token
emailReturns the user's email address
profileReturns the user's name and basic profile
User.ReadRead the user's profile from Microsoft Graph

Configuration in YorAuth

Once you have your Client ID and Client Secret from Azure, configure the provider for your application:

bash
curl -X POST "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/configure" \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "provider_id": "{microsoftMarketplaceProviderId}",
    "configuration_mode": "byoa",
    "client_id": "your-azure-application-client-id",
    "client_secret": "your-azure-client-secret-value",
    "scopes": ["openid", "email", "profile", "User.Read"]
  }'

Retrieve the marketplace provider ID for Microsoft:

bash
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/marketplace?search=microsoft" \
  -H "Authorization: Bearer your-api-key"

Microsoft-Specific Behavior

Account Selection Prompt

Gate always sends prompt=select_account when redirecting to Microsoft. This forces the account chooser to appear even when the user already has an active Microsoft session in the browser. This prevents silent SSO from logging users in as the wrong account, which is particularly important in shared environments.

Token Expiry and Refresh

Microsoft access tokens expire after 1 hour. If you requested openid scope, Microsoft returns a refresh token that can be used to obtain new access tokens without user interaction. YorAuth stores the refresh token and uses it to refresh connections automatically.

Multi-Tenant Applications

If you selected "Accounts in any organizational directory" when registering your app, users from any Azure AD tenant can sign in. The token will include the user's tenant ID (tid claim). YorAuth stores provider user info as returned by Microsoft — the tenant context is available in provider_user_info on the connection record.

Personal vs. Work Accounts

With "Accounts in any organizational directory and personal Microsoft accounts" selected, both personal Outlook/Hotmail accounts and work/school accounts can sign in. The User.Read scope works for both account types.

Client secret expiry is enforced by Azure. When a secret expires, OAuth flows for that application will fail. Set a calendar reminder to rotate the secret before it expires and update your YorAuth configuration.

Testing the Flow

Once configured, generate a test login URL:

bash
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{configId}/test-login-url" \
  -H "Authorization: Bearer your-api-key"

Open the returned authorize_url in a browser to verify the Microsoft sign-in button appears and the account chooser displays correctly.

Previous← GoogleNextOverview →
Edit this page on GitHub