
Conversation

@retrogtx
Contributor

@retrogtx retrogtx commented Apr 13, 2025

What does this PR do?

Enables Microsoft authentication for Cal.com, allowing users to sign up and log in using their Microsoft accounts (Azure AD). This builds upon #16873 by @hbjORbj.

The flow is exactly like Google's except for one case: in Google we add Google Meet as a conferencing tool; however, in Microsoft we don't add a conferencing tool, mainly for two reasons: 1. it requires additional permissions, unlike Google Meet; 2. MS Teams, which is the conferencing tool for Microsoft, is only available for school and org accounts, unlike Meet, which is available for all accounts, be they free or org.

Fixes #27060

Visual Demo:

signin.with.outlook.flow.mov

Key Changes

Authentication:

  • Azure AD OAuth provider via NextAuth
  • New IdentityProvider.AZUREAD enum value with database migration
  • xms_edov claim validation for email domain verification (handles work/school and personal accounts)
  • Proper identity provider mapping for azure-ad provider

UI:

  • "Continue with Microsoft" button on login and signup pages
  • Accessible Microsoft logo SVG with ARIA attributes

Profile Features:

  • Profile photo sync from Microsoft Graph API
  • Office 365 calendar auto-linking for org users during signup

Infrastructure:

  • New environment variables: OUTLOOK_LOGIN_ENABLED, OUTLOOK_API_CREDENTIALS, AZURE_AD_TENANT_ID
  • SSO route handling to map "microsoft" to signIn("azure-ad")
  • Onboarding E2E tests for AZUREAD

Environment Variables

OUTLOOK_LOGIN_ENABLED=false
OUTLOOK_API_CREDENTIALS=   # JSON credentials from Azure portal, the format is something like this {"web":{"client_id":"9b81......","client_secret":"wJT8Q~PH...."}}
AZURE_AD_TENANT_ID=        # Use "common" for multi-tenant

How to Test

  1. Set up Azure AD app in Azure Portal
  2. Configure redirect URI: {WEBAPP_URL}/api/auth/callback/azure-ad
  3. Set environment variables and OUTLOOK_LOGIN_ENABLED=true
  4. Verify the Microsoft button appears and OAuth flow works

-- Added by @sean-brydon

Enable Microsoft, SAML, Google, etc.

Figma: https://www.figma.com/design/wleA2SR6rn60EK7ORxAfMy/Cal.com-New-Features?node-id=12-61094&m=dev

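The two configuration points the description above leaves implicit, the shape of OUTLOOK_API_CREDENTIALS and the xms_edov decision, worked through as an added TypeScript example. This is not code from this PR or from Cal.com; it assumes the id_token claim names Microsoft documents (`tid`, `email`, `xms_edov`) and the consumer-tenant id `9188040d-6c67-4c5b-b112-36a304b66dad` for personal accounts; `parseOutlookCredentials` and `decideEmailTrust` are names chosen for the example.

```typescript
// Added example, not Cal.com code. Two pieces of the Azure AD sign-in set-up
// described in the PR: parsing OUTLOOK_API_CREDENTIALS and deciding whether the
// e-mail carried in a Microsoft id_token may be trusted for account lookup.

interface OutlookCredentials {
  clientId: string;
  clientSecret: string;
  tenantId: string;
}

// Parses the {"web":{"client_id":...,"client_secret":...}} JSON the PR
// documents for OUTLOOK_API_CREDENTIALS. Fails closed on malformed input
// rather than starting the provider with an empty client id.
function parseOutlookCredentials(raw: string, tenantId: string): OutlookCredentials {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    throw new Error("OUTLOOK_API_CREDENTIALS is not valid JSON");
  }
  const web = (parsed as { web?: { client_id?: unknown; client_secret?: unknown } } | null)?.web;
  if (
    !web ||
    typeof web.client_id !== "string" ||
    typeof web.client_secret !== "string" ||
    web.client_id.length === 0 ||
    web.client_secret.length === 0
  ) {
    throw new Error("OUTLOOK_API_CREDENTIALS must contain web.client_id and web.client_secret");
  }
  // AZURE_AD_TENANT_ID is a tenant GUID or a keyword such as "common".
  if (!/^[A-Za-z0-9-]+$/.test(tenantId)) {
    throw new Error("AZURE_AD_TENANT_ID must be a tenant GUID or a keyword such as 'common'");
  }
  return { clientId: web.client_id, clientSecret: web.client_secret, tenantId };
}

// Subset of id_token claims relevant to the decision (names as documented by Microsoft).
interface AzureAdClaims {
  oid?: string; // stable user id within the tenant
  tid?: string; // tenant id
  email?: string;
  xms_edov?: boolean | string; // "email domain owner verified" optional claim
}

// Tenant id Microsoft uses for personal (consumer) accounts.
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";

interface EmailDecision {
  email: string | null;
  trusted: boolean;
  reason: string;
}

// With AZURE_AD_TENANT_ID=common any tenant can issue a token, and a work/school
// tenant's `email` attribute is admin-editable and unverified. Only link an
// existing account by e-mail when the domain is actually verified.
function decideEmailTrust(claims: AzureAdClaims): EmailDecision {
  const email = (claims.email ?? "").trim().toLowerCase();
  if (!email.includes("@")) {
    return { email: null, trusted: false, reason: "no usable email claim" };
  }
  if (claims.tid === MSA_TENANT_ID) {
    return { email, trusted: true, reason: "personal account: email is the verified login" };
  }
  // The claim is documented as boolean; string forms are handled defensively.
  const edov = claims.xms_edov === true || claims.xms_edov === "true" || claims.xms_edov === "1";
  if (edov) {
    return { email, trusted: true, reason: "work/school account with xms_edov=true" };
  }
  return { email, trusted: false, reason: "work/school account without xms_edov: do not link by email" };
}

// Constructed sample inputs (not real credentials or tokens).
const SAMPLE_CREDENTIALS = '{"web":{"client_id":"9b81-example","client_secret":"wJT8Q~example"}}';
const SAMPLE_CLAIMS: AzureAdClaims[] = [
  { oid: "1", tid: MSA_TENANT_ID, email: "Alice@outlook.example" }, // personal account
  { oid: "2", tid: "contoso-tenant", email: "bob@contoso.example", xms_edov: true }, // verified org domain
  { oid: "3", tid: "evil-tenant", email: "victim@cal.example" }, // unverified: must not link
];

function demo(): EmailDecision[] {
  const creds = parseOutlookCredentials(SAMPLE_CREDENTIALS, "common");
  console.log(`provider client ${creds.clientId} tenant ${creds.tenantId}`);
  return SAMPLE_CLAIMS.map(decideEmailTrust);
}

demo().forEach((d) => console.log(d));
```

The third sample is the case that matters with a multi-tenant ("common") registration: a tenant the operator has never heard of can put any address in its users' `email` attribute, so that address must not be used to attach the login to an existing Cal.com account unless xms_edov says the domain is owned by that tenant.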

@retrogtx retrogtx requested a review from a team as a code owner April 13, 2025 12:04
@vercel

vercel bot commented Apr 13, 2025

@retrogtx is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added ❗️ migrations contains migration files ❗️ .env changes contains changes to env variables labels Apr 13, 2025
@graphite-app graphite-app bot added the community Created by Linear-GitHub Sync label Apr 13, 2025
@graphite-app graphite-app bot requested a review from a team April 13, 2025 12:04
@keithwillcode keithwillcode added the community-interns The team responsible for reviewing, testing and shipping low/medium community PRs label Apr 13, 2025
@dosubot dosubot bot added the authentication area: authentication, auth, google sign in, password, SAML, password reset, can't log in label Apr 13, 2025
@graphite-app

graphite-app bot commented Apr 13, 2025

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (04/13/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add community label" took an action on this PR • (04/13/25)

1 label was added to this PR based on Keith Williams's automation.

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


mrge found 16 issues across 16 files. View them in mrge.io

@@ -0,0 +1,6 @@
<svg width="100" height="100" viewBox="0 0 512 512" xmlns="http://www.w3.org/2000/svg">
Contributor


SVG lacks accessibility attributes (title and description) that would make it accessible to screen readers

{t("continue_with_google")}
</Button>
) : null}
{/* TODO replace true with isMicrosoftLoginEnabled */}
Contributor


Hardcoded 'true' value instead of using the isMicrosoftLoginEnabled prop

{t("continue_with_google")}
</Button>
) : null}
{/* TODO replace true with isMicrosoftLoginEnabled */}
Contributor


TODO comment left in production code

@Ryukemeister Ryukemeister marked this pull request as ready for review January 22, 2026 06:26
@Ryukemeister
Contributor

@cubic-dev-ai review this PR

@cubic-dev-ai
Contributor

cubic-dev-ai bot commented Jan 22, 2026

@cubic-dev-ai review this PR

@Ryukemeister I have started the AI code review. It will take a few minutes to complete.

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


3 issues found across 19 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/features/auth/lib/next-auth-options.ts">

<violation number="1" location="packages/features/auth/lib/next-auth-options.ts:998">
P1: Rule violated: **Avoid Logging Sensitive Information**

Logging the entire `user` object exposes PII (email) in error logs. Error-level logs are captured in production and could leak sensitive user information. Consider logging only non-PII identifiers or hashing the email for log correlation.</violation>

<violation number="2" location="packages/features/auth/lib/next-auth-options.ts:1250">
P1: Security: Missing SAML tenant validation when converting from GOOGLE to SAML. Other SAML conversions in this file validate that the SAML IdP has domain authority via `validateSamlAccountConversion()`. Without this check, any SAML provider could potentially hijack a Google-authenticated account.</violation>
</file>

<file name="apps/web/modules/auth/login-view.tsx">

<violation number="1" location="apps/web/modules/auth/login-view.tsx:44">
P3: Localize the Microsoft icon alt text instead of hardcoding English so it respects the app’s i18n requirements.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
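The two P1 findings above, the missing domain-authority check on the GOOGLE to SAML conversion and the logging of full user objects, worked through as an added TypeScript example. This is not Cal.com code and Cal.com's own `validateSamlAccountConversion()` is not reproduced here; the `SamlConnection`, `ExistingUser` and `logSafeUserRef` names and the sample data are the example's own.

```typescript
import { createHash } from "node:crypto";

// Added example, not Cal.com code: a stand-in for the "SAML IdP has domain
// authority" check the review says the GOOGLE -> SAML branch is missing, plus a
// log-safe identifier for the PII-logging findings. Types and names are the
// example's own.

type IdentityProvider = "CAL" | "GOOGLE" | "SAML" | "AZUREAD";

interface ExistingUser {
  id: number;
  email: string;
  identityProvider: IdentityProvider;
}

// A SAML connection as configured by an org admin: which tenant it belongs to
// and which e-mail domains that org has proved it owns.
interface SamlConnection {
  tenant: string;
  verifiedDomains: string[];
}

interface SamlLogin {
  tenant: string; // tenant the SAML assertion was issued for
  email: string; // e-mail asserted by the IdP
}

interface ConversionResult {
  allowed: boolean;
  reason: string;
}

function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Only convert a non-SAML account to SAML when the asserting IdP is registered
// for the e-mail's domain. Without this, any SAML IdP that asserts
// "victim@example.com" would take over the victim's Google-linked account.
function validateSamlAccountConversion(
  user: ExistingUser,
  login: SamlLogin,
  connections: SamlConnection[]
): ConversionResult {
  if (user.identityProvider === "SAML") {
    return { allowed: false, reason: "already SAML; nothing to convert" };
  }
  if (user.email.toLowerCase() !== login.email.toLowerCase()) {
    return { allowed: false, reason: "asserted email does not match existing account" };
  }
  const domain = emailDomain(user.email);
  if (!domain) return { allowed: false, reason: "malformed email" };
  const conn = connections.find((c) => c.tenant === login.tenant);
  if (!conn) return { allowed: false, reason: "unknown SAML tenant" };
  if (!conn.verifiedDomains.map((d) => d.toLowerCase()).includes(domain)) {
    return { allowed: false, reason: `tenant ${login.tenant} has no authority over ${domain}` };
  }
  return { allowed: true, reason: "IdP is registered for the email domain" };
}

// Correlation id for logs: the numeric id plus a truncated SHA-256 of the
// normalised e-mail, so two log lines can be tied to the same user without
// writing the e-mail itself. A server-side pepper would stop offline guessing
// of common addresses; it is left out to keep the example self-contained.
function logSafeUserRef(user: ExistingUser): string {
  const digest = createHash("sha256").update(user.email.trim().toLowerCase()).digest("hex");
  return `user#${user.id}/${digest.slice(0, 12)}`;
}

// Constructed sample data (not real tenants or users).
const CONNECTIONS: SamlConnection[] = [
  { tenant: "acme-org", verifiedDomains: ["acme.example"] },
  { tenant: "mallory-org", verifiedDomains: ["mallory.example"] },
];
const ALICE: ExistingUser = { id: 42, email: "alice@acme.example", identityProvider: "GOOGLE" };

function demo(): ConversionResult[] {
  const attempts: SamlLogin[] = [
    { tenant: "acme-org", email: "alice@acme.example" }, // legitimate org SSO
    { tenant: "mallory-org", email: "alice@acme.example" }, // hostile IdP asserting the victim's email
    { tenant: "acme-org", email: "alice@acme.example.evil" }, // mismatched email
  ];
  return attempts.map((a) => {
    const r = validateSamlAccountConversion(ALICE, a, CONNECTIONS);
    console.log(`${logSafeUserRef(ALICE)} tenant=${a.tenant} allowed=${r.allowed} (${r.reason})`);
    return r;
  });
}

demo();
```

The second attempt is the hijack the review describes: the e-mail matches the existing Google-linked account, so a check on e-mail equality alone would pass; only the tenant-to-domain binding rejects it.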

@Ryukemeister
Contributor

@cubic-dev-ai can you update the PR description?

@cubic-dev-ai
Contributor

cubic-dev-ai bot commented Jan 22, 2026

I've reviewed the PR changes and prepared an updated description. Since I cannot directly modify the GitHub PR body, here's a comprehensive updated description you can copy to replace the current one:


What does this PR do?

Enables Microsoft authentication for Cal.com, allowing users to sign up and log in using their Microsoft accounts (Azure AD). This builds upon #16873 by @hbjORbj.

Key Changes

Authentication:

  • Azure AD OAuth provider via NextAuth
  • New IdentityProvider.AZUREAD enum value with database migration
  • xms_edov claim validation for email domain verification (handles work/school and personal accounts)
  • Proper identity provider mapping for azure-ad provider

UI:

  • "Continue with Microsoft" button on login and signup pages
  • Accessible Microsoft logo SVG with ARIA attributes

Profile Features:

  • Profile photo sync from Microsoft Graph API
  • Office 365 calendar auto-linking for org users during signup

Infrastructure:

  • New environment variables: OUTLOOK_LOGIN_ENABLED, OUTLOOK_API_CREDENTIALS, OUTLOOK_CLIENT_ID, OUTLOOK_CLIENT_SECRET, AZURE_AD_TENANT_ID
  • SSO route handling to map "microsoft" to signIn("azure-ad")
  • Onboarding E2E tests for AZUREAD

Environment Variables

OUTLOOK_LOGIN_ENABLED=false
OUTLOOK_API_CREDENTIALS=   # JSON credentials from Azure portal
OUTLOOK_CLIENT_ID=
OUTLOOK_CLIENT_SECRET=
AZURE_AD_TENANT_ID=        # Use "common" for multi-tenant

How to Test

  1. Set up Azure AD app in Azure Portal
  2. Configure redirect URI: {WEBAPP_URL}/api/auth/callback/azure-ad
  3. Set environment variables and OUTLOOK_LOGIN_ENABLED=true
  4. Verify the Microsoft button appears and OAuth flow works

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/features/auth/lib/next-auth-options.ts">

<violation number="1" location="packages/features/auth/lib/next-auth-options.ts:877">
P1: Rule violated: **Avoid Logging Sensitive Information**

Do not log the full `existingUser` object because it includes PII (email, name, etc.). Log only non-sensitive identifiers instead.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@Ryukemeister Ryukemeister requested a review from hbjORbj January 22, 2026 07:58
orgRole = membership?.role;
}

// Don't spread ...token here - it may contain large OAuth tokens (access_token, refresh_token, id_token)
Contributor


this was causing outlook login to crash because of cookie overload
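The cookie-size problem behind the comment above, shown as an added TypeScript example that is not Cal.com or NextAuth code. It mirrors the shape of a NextAuth jwt() callback (a previous `token`, the OAuth `account` record and the `user`), pads fake token strings to realistic lengths, and measures the result against the 4096-byte per-cookie minimum browsers guarantee (RFC 6265); the function names and the 33% base64 estimate are the example's own.

```typescript
// Added example, not Cal.com code: why spreading the whole OAuth record into the
// session JWT blows the cookie budget, and the whitelist that avoids it.

const COOKIE_BUDGET_BYTES = 4096; // per-cookie minimum browsers must support (RFC 6265)

// What the OAuth account record carries after a Microsoft sign-in: opaque
// access/refresh tokens plus a JWT id_token, each easily 1-2 KB.
interface OAuthAccount {
  provider: string;
  providerAccountId: string;
  access_token?: string;
  refresh_token?: string;
  id_token?: string;
}

// The only fields the app reads back from the session token.
interface SessionToken {
  id: number;
  email: string;
  provider: string;
  orgRole?: string;
}

// Naive version: carry everything forward. Every OAuth artefact lands in the cookie.
function buildTokenBySpreading(prev: Record<string, unknown>, account: OAuthAccount, user: SessionToken) {
  return { ...prev, ...account, ...user };
}

// Whitelist version: copy only the fields the app actually needs later.
function buildTokenByWhitelist(account: OAuthAccount, user: SessionToken, orgRole?: string): SessionToken {
  return { id: user.id, email: user.email, provider: account.provider, ...(orgRole ? { orgRole } : {}) };
}

// UTF-8 length without relying on platform encoders.
function utf8Bytes(s: string): number {
  let n = 0;
  for (const ch of s) {
    const cp = ch.codePointAt(0)!;
    n += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
  }
  return n;
}

// Rough encoded size: a JWT/JWE adds about one third in base64url plus a
// header and tag; 128 bytes of overhead is assumed here.
function encodedCookieBytes(payload: unknown): number {
  return Math.ceil((utf8Bytes(JSON.stringify(payload)) * 4) / 3) + 128;
}

function fitsInCookie(payload: unknown): boolean {
  return encodedCookieBytes(payload) <= COOKIE_BUDGET_BYTES;
}

// Constructed sample: token strings padded to realistic lengths, not real tokens.
const FAKE_ACCOUNT: OAuthAccount = {
  provider: "azure-ad",
  providerAccountId: "00000000-0000-0000-0000-000000000001",
  access_token: "a".repeat(1800),
  refresh_token: "r".repeat(1200),
  id_token: "i".repeat(1400),
};
const FAKE_USER: SessionToken = { id: 7, email: "alice@contoso.example", provider: "azure-ad" };

function demo(): { spreadBytes: number; whitelistBytes: number } {
  const spread = buildTokenBySpreading({ iat: 1, exp: 2 }, FAKE_ACCOUNT, FAKE_USER);
  const lean = buildTokenByWhitelist(FAKE_ACCOUNT, FAKE_USER, "ADMIN");
  const result = { spreadBytes: encodedCookieBytes(spread), whitelistBytes: encodedCookieBytes(lean) };
  console.log(`spread: ${result.spreadBytes} B fits=${fitsInCookie(spread)}; whitelist: ${result.whitelistBytes} B fits=${fitsInCookie(lean)}`);
  return result;
}

demo();
```

Besides size, the whitelist keeps bearer credentials (access_token, refresh_token) out of a cookie that is sent on every request; the session only needs to know who the user is, not hold their Microsoft Graph credentials.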

return `/auth/error?error=wrong-provider&provider=${existingUserWithEmail.identityProvider}`;
} else if (
existingUserWithEmail.identityProvider === IdentityProvider.GOOGLE &&
idP === IdentityProvider.SAML
Contributor

@Ryukemeister Ryukemeister Jan 22, 2026


cubic rightly pointed out this was a bug

@hbjORbj hbjORbj marked this pull request as draft January 22, 2026 10:43
Contributor

@hbjORbj hbjORbj left a comment


Putting to draft as it needs some design refinements discussed internally


Labels

authentication (area: authentication, auth, google sign in, password, SAML, password reset, can't log in)
community (Created by Linear-GitHub Sync)
community-interns (The team responsible for reviewing, testing and shipping low/medium community PRs)
❗️ .env changes (contains changes to env variables)
Medium priority (Created by Linear-GitHub Sync)
❗️ migrations (contains migration files)
ready-for-e2e
size/XXL
Stale

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Sign up with Microsoft button

10 participants