# Connect to Microsoft Azure AD
Authing supports connecting to Microsoft Azure AD (Active Directory) to achieve: -Allow you or users in your organization to use Azure AD to log in to your developed application. -Allow users from other organizations to use Azure AD to log in to your developed application.
# Ready to work
- If you still have an Authing account, you can register here (opens new window).
- If you do not have an Azure account, you can register here (opens new window).
# Step
- [Register your app in Azure Portal](#Register your app in -azure-portal-)
- [Create a Client Secret](#Create a-client-secret)
- [Add permissions to your application API](#Add permissions to your application-api-)
- Create Azure AD connection in Authing Console
- [Open this Azure AD connection for your app](#Open this-azure-ad-connection for your app)
- Test Azure AD Connection
# Register your app in Azure Portal
In order to allow users to log in to your application through an Azure AD account, you need to register your application in the Microsoft Azure portal.
Detailed official documentation: Quickstart: Register an application with the Microsoft identity platform (opens new window)
During the registration process, please pay attention to the following two configurations:
Supported account types
: Supported account types, choose the appropriate type according to your actual situation. If you want other organizations’ accounts to be able to use your application, please selectAny Azure AD directory-Multitenant
. If you only want members of your organization to use your application, please selectSingle tenant
.
If you choose Single tenant
, when users from other organizations try to log in with Azure AD, an error similar to the following will be prompted:
Redirect URI
: Please fill inhttps://core.authing.cn/connections/azure-ad/callback
After creation, Azure will automatically create an application ID (Client ID) for this application. You can see it in the Overview menu. You need to use it later, please record it first.
# Create a Client Secret
Detailed official documentation: [Quickstart: Configure a client application to access web APIs-Add Credentials to your web application.](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart -configure-app-access-web-apis#add-credentials-to-your-web-application)
Enter the application details page, on the Certificates & secrets page, click the + New client secret button:
Select the secret expiration time:
After that, you can see the generated key, you need to use it later, please record it first
# Add permissions to your application API
Detailed official documentation: [Quickstart: Configure a client application to access web APIs-Add permissions to access web APIs.](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart -configure-app-access-web-apis#add-permissions-to-access-web-apis)
Please make sure your application has the following permissions:
Users> User.Read
: The currently logged in user can read his own user information.Directory> Directory.Read.All
: The currently logged in user can read the relevant data of the user directory.
# Create Azure AD connection in Authing Console
Please make sure you follow the above process to obtain the Client ID
and Client Secret
of the Azure AD application.
- Go to Authing Console (opens new window) Connect Identity Source / Corporate Identity Source page, and find Connect to Microsoft Azure AD
- Fill in the following required information
Connection identifier
: This is the only identifier for this connection and cannot be modified after setting.Display Name
: If set, the Authing login form will display a "Login with {displayName}" button.App Logo
: If set, the Authing login form will display this icon on the button of "Login with {displayName}", and the icon will be displayed as 20 * 20.Client ID
: The Client ID of the Azure AD application obtained in the first step.Client Secret
: The Client Secret of the Azure AD application obtained in the first step.
- Configure advanced options (optional)
Sync user data every time you log in
: It is enabled by default. When enabled, Authing will automatically synchronize the user's profile every time the user logs in with Azure AD.Mailbox verification synchronization policy
: The default setting is false. Since Azure AD cannot guarantee that each user's mailbox is verified, you need to choose according to your actual scenario.
# Turn on this Azure AD connection for your app
You can choose whether to enable Azure AD identity source connection for this application on the Configuration Login Form page of Application Details:
# Test Azure AD connection
Click the Experience button in the upper right corner to go to the login form page. You can see that there is an additional Login with Azure AD button below the login form:
Click this button to jump to the login page of Azure AD:
After entering the correct account password, you can see a successful login prompt:
The user information of the user who just logged in in Azure AD will also be synchronized to the Authing user pool: