providers/microsoft-entra-id
MicrosoftEntraIDProfile
Extends
Record<string,any>
Properties
email: string;nickname
nickname: string;picture
picture: string;sub
sub: string;MicrosoftEntraIDOptions<P>
type MicrosoftEntraIDOptions<P>: OAuthUserConfig<P> & {
profilePhotoSize: | 48
| 64
| 96
| 120
| 240
| 360
| 432
| 504
| 648;
tenantId: string;
};Type declaration
profilePhotoSize?
optional profilePhotoSize:
| 48
| 64
| 96
| 120
| 240
| 360
| 432
| 504
| 648;https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples
Default
48tenantId?
optional tenantId: string;Default
"common"Type parameters
| Type parameter |
|---|
P extends MicrosoftEntraIDProfile |
default()
default<P>(options): OAuthConfig<P>Add Microsoft Entra ID login to your page.
Entra is the new name Microsoft has given to what was previously known as “Azure AD”
Setup
Callback URL
https://example.com/api/auth/callback/microsoft-entra-id
Configuration
import NextAuth from "next-auth"
import Entra from "next-auth/providers/microsoft-entra-id"
const { handlers, auth, signin, signout } = NextAuth({
providers: [
Entra({
clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET
})
],
})Resources
Type parameters
| Type parameter |
|---|
P extends MicrosoftEntraIDProfile |
Parameters
| Parameter | Type |
|---|---|
options | MicrosoftEntraIDOptions<P> |
Returns
OAuthConfig<P>
Example
To allow specific Active Directory users access:
- In https://entra.microsoft.com/ select Identity from the left bar menu.
- Next, go to “App Registration” in the left menu, and create a new one.
- Pay close attention to “Who can use this application or access this API?”
- This allows you to scope access to specific types of user accounts
- Only your tenant, all Microsoft tenants, or all Microsoft tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.)
- When asked for a redirection URL, use
https://yourapplication.com/api/auth/callback/microsoft-entra-idor for developmenthttp://localhost:3000/api/auth/callback/microsoft-entra-id. - After your App Registration is created, under “Client Credential” create your Client secret.
- Now copy your:
- Application (client) ID
- Directory (tenant) ID
- Client secret (value)
In .env.local create the following entries:
AUTH_MICROSOFT_ENTRA_ID_ID=<copy Application (client) ID here>
AUTH_MICROSOFT_ENTRA_ID_SECRET=<copy generated client secret value here>
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=<copy the tenant id here>
That will default the tenant to use the common authorization endpoint. For more details see here.
Microsoft Entra returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to avoid running out of space in case the session is saved as a JWT.
In app/api/auth/[...nextauth]/route.js find or add the Entra entries:
import Entra from "next-auth/providers/microsoft-entra-id";
providers: [
Entra({
clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
tenantId: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
}),
]
Notes
By default, Auth.js assumes that the MicrosoftEntra provider is based on the OAuth 2 specification.
The Microsoft Entra ID provider comes with a default configuration. To override the defaults for your use case, check out customizing a built-in OAuth provider.
Disclaimer If you think you found a bug in the default configuration, you can open an issue.
Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec, we might not pursue a resolution. You can ask for more help in Discussions.