Obtain a ClientId and Client Secret for a Microsoft Azure Active Directory- Classic Portal
This page uses the Azure Active Directory Classic Portal, for information on using the current portal, click here.
To allow users to login using a Microsoft Azure Active Directory account, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can signup for free.
NOTE: There is no way to create an application that integrates with Microsoft Azure AD without having your own Microsoft Azure AD instance.
1. Create a new Microsoft Azure Active Directory instance
Login to Microsoft Azure and click on Active Directory on the Dashboard.
Click on ADD+ at the bottom of the screen.
Enter a subdomain, e.g.: YOUR_TENANT. This can be any text. (It does not have to match the Auth0 subdomain and it will be used in the next step.) Also enter your country and a friendly name for your organization.
2. Create a new application
Once the Microsoft Azure AD instance has been created, you need to create an application. Go to APPLICATIONS and click on ADD AN APPLICATION.
Select Add an application my organization is developing.
Enter a friendly name for the application and select WEB APPLICATION AND/OR WEB API.
Proceed to the next screen and enter the following:
- SIGN-ON URL: your application URL (completely arbitrary)
- APP ID URI: https://YOUR_TENANT.onmicrosoft.com/yourapp
NOTE: The APP ID URI is just a logical identifier, not a real URL. It is important to use the value as specified above in the APP ID URI field. For example, if the Microsoft Azure AD you've just created is myorg.onmicrosoft.com, you would enter https://myorg.onmicrosoft.com*/yourapp* here.
3. Configure the application
Once the application has been created, you have to configure it. Click CONFIGURE to continue. On this screen you can customize the logo and the application URL that you entered before, if needed.
Enter the following values on KEYS and REPLY URL, and click Save.
- KEYS: Select 1 or 2 years (the key will be displayed when these settings are saved)
- REPLY URL: https://YOUR_AUTH0_DOMAIN/login/callback
The next step is to modify permissions so your app can read the directory. Select the Read Directory Data and Enable sign-on and read users' profiles delegated permissions.
NOTE: If you want to enable extended attributes (like Extended Profile or Security Groups) you will also need to enable the following permissions: Application Permissions: Read directory data, Delegated Permissions: Access your organization's directory.
Click SAVE at the bottom of the screen and the key will be displayed. Make sure to copy the value of this key before leaving this screen.
4. Copy the Client ID and Secret to Auth0
Login to your Auth0 Dashboard, and select the Connections > Enterprise menu option. Select Windows Azure AD.
Copy the Client ID and the Key generated by Microsoft Azure in the previous step into the Client ID and Client Secret fields in Auth0.
Congratulations! You are now ready to accept Microsoft Azure AD users.
When granting access, make sure to use an Incognito/InPrivate window and a Global Administrator user.
If you get Access cannot be granted to this service because the service listing is not properly configured by the publisher, try selecting the Application is Multi Tenant option in the Windows Azure AD application on the Azure dashboard.
Signing Key Rollover in Azure Active Directory
Signing keys are used by the identity provider to sign the authentication token it issues, and by the consumer application (Auth0 in this case) to validate the authenticity of the generated token.
For security purposes, Azure AD’s signing key rolls on a periodic basis. If this happens, you do not need to take any action. Auth0 will use the new key automatically.