New provider(s) for Microsoft Entra

[andrem0]

Goals

1. Support and compatibility for Microsoft Entra ID
2. Support and compatibility for Microsoft Entra ID for customers
3. Alternative: Updated documentation on the current implementations on how to achieve compatibility with Entra

Non-Goals

No response

Background

Current Azure Active Directory and Azure Active Directory B2C does not work out of the box with Microsoft Entra ID and Microsoft Entra ID for customers.

Proposal

Modify the current implementations of AD, and create new providers for both Entra variants.

[merill]

Folks, I'm a customer experience PM from the Microsoft Entra team (formerly Azure AD) and would like to continue this discussion.

I have discussed internally with my colleagues at Microsoft and would like to propose the following.

Microsoft currently has three offerings:

• Microsoft Entra ID (for workforce/enterprise) - (formerly Azure AD)
• Microsoft Entra External ID (for consumers - CIAM) (New offering from Microsoft which is an alternative to Azure AD B2C)
• Azure AD B2C

Our proposal is

• No change to providers/azure-ad-b2c
• Rename providers/azure-ad to providers/entra and include 'issuerid' as a parameter so it works with both Entra ID and Entra External ID

Thoughts? @balazsorban44 @ThangHuuVu @andrem0

[KasparKipp]

The current v4 azure-ad provider needed the small change as described above to get it working with Entra External Id.
Looking at the v5 branch the change is there with a minor exception, the tenantId and oauth version not being appended to the issuer so would need to be handled manually when passing options to the provider.

I think renaming the azure-ad provider is a welcome idea (as well as writing the documentation for easier adoption), when keeping in mind that anyone currently running v5 in production and passing the issuer with prepended /<TENANT_ID>/v2.0 would have to deal with the changes.

Also I'm not entirely sure that #9718 will not break the provider for the Entra External Id use case.

Whatever the case, if this here gets turned into an issue I'd be happy to pick it up, make the required changes and add documentation to both maintained branches.

[FelixKahle]

Are there any updates on this topic? It’s hard to find any information about how to use both Microsoft Entra ID for customers with NextAuth.

[danieldanielecki]

https://github.com/vesas/authjs-base looks like an example?

[NjengaFelix]

Microsoft Entra ID External (Tested on Microsoft Entra ID v2 and Next-Auth v5.0.0-beta.20)

I have successfully set up Microsoft Entra ID External using Next-Auth.

Background on Microsoft Azure AD / Microsoft Entra ID with Next-Auth

Configuring Microsoft Azure AD / Microsoft Entra ID can be challenging because Microsoft does not fully adhere to OAuth2 standards and best practices. Next-Auth, at the moment, is not willing to customize specifically for Microsoft. In this case, I agree with Next-Auth; Microsoft should comply with standards. This non-compliance results in a poor developer and integration experience.

Microsoft Offerings

Microsoft currently has three offerings:

1. Microsoft Entra ID (for workforce/enterprise) - formerly Azure AD
2. Microsoft Entra External ID (for consumers - CIAM) - a new offering from Microsoft, an alternative to Azure AD B2C
3. Azure AD B2C

Next-Auth Providers

As of Next-Auth v5.0.0-beta.20, three providers are offered:

1. Azure AD (deprecated)
2. Azure AD B2C
3. Microsoft Entra ID

I suggest using Microsoft Entra ID and ignoring the other providers.

Callback

# development on next-js
http://localhost:3000/api/auth/callback/microsoft-entra-id
# production 
https://example.com/api/auth/callback/microsoft-entra-id

Environment Variables

Note that the environment variables below are based on Next.js. The $ symbol is used to concatenate the variables within the environment file. In Next.js development, this is done in the .env.local file.

AUTH_SECRET= 
AUTH_MICROSOFT_ENTRA_ID_ID= 
AUTH_MICROSOFT_ENTRA_ID_SECRET= 
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID= 
AUTH_MICROSOFT_ENTRA_ID_TENANT_SUB_DOMAIN= 
AUTH_MICROSOFT_ENTRA_ID_ISSUER=https://$AUTH_MICROSOFT_ENTRA_ID_TENANT_ID.ciamlogin.com/$AUTH_MICROSOFT_ENTRA_ID_TENANT_ID/v2.0
AUTH_MICROSOFT_ENTRA_ID_TOKEN=https://$AUTH_MICROSOFT_ENTRA_ID_TENANT_SUB_DOMAIN.ciamlogin.com/$AUTH_MICROSOFT_ENTRA_ID_TENANT_ID/oauth2/v2.0/token
AUTH_MICROSOFT_ENTRA_ID_USERINFO=https://graph.microsoft.com/oidc/userinfo
AUTH_MICROSOFT_ENTRA_ID_AUTHORIZATION_URL=https://$AUTH_MICROSOFT_ENTRA_ID_TENANT_SUB_DOMAIN.ciamlogin.com/$AUTH_MICROSOFT_ENTRA_ID_TENANT_ID/oauth2/v2.0/authorize

# AUTH_SECRET
npx auth secret

Microsoft Entra ID external environment variables

Here is a guideline on how to get the proper Microsoft Entra ID external resources:

Visit entra.microsoft.com.
Switch to your external tenant.

# This environment variable represents your application client_id
# located in the path Applications > App registrations > All Applications > <select your application>
AUTH_MICROSOFT_ENTRA_ID_ID

# This environment variable represents your tenant_id
# located in the path Applications > App registrations > All Applications > <select your application>
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID

# This environment variable represents your application client_secret
# located in the path Applications > App registrations > All Applications > <select your application> Certificates & Secrets
AUTH_MICROSOFT_ENTRA_ID_SECRET

# This environment variable represents your tenant subdomain
# located in the Settings (switch tenant section)
# If the tenant domain is trialexternaltenant.onmicrosoft.com, the subdomain is trialexternaltenant
AUTH_MICROSOFT_ENTRA_ID_TENANT_SUB_DOMAIN

# This environment variable represents your issuer
# located in the path Applications > App registrations > All Applications > <select your application> Endpoints > Authority URL
AUTH_MICROSOFT_ENTRA_ID_ISSUER

# The environment variables below are fetched from the /.well-known/openid-configuration
AUTH_MICROSOFT_ENTRA_ID_TOKEN
AUTH_MICROSOFT_ENTRA_ID_USERINFO
AUTH_MICROSOFT_ENTRA_ID_AUTHORIZATION_URL

Microsoft Entra ID External scopes

Next-Auth configuration

providers: [
    MicrosoftEntraID({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
      tenantId: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
      issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER,
      token: process.env.AUTH_MICROSOFT_ENTRA_ID_TOKEN,
      userinfo: process.env.AUTH_MICROSOFT_ENTRA_ID_USERINFO,
      authorization: {
        url: process.env.AUTH_MICROSOFT_ENTRA_ID_AUTHORIZATION_URL,
        params: {
          scope: "openid profile email User.Read offline_access",
        },
      },
    }),
  ],

DONT WASTE YOUR TIME

NOTE: The issuer as of next-auth v5 v5.0.0-beta.20 is configurable; please include it directly as highlighted above. The issuer needs to be copied exactly as it is. Failure to do so will result in next-auth throwing an invalid issuer error when the callback URL is run, which can be persistently annoying and difficult to spot.

NOTE: The wellKnown option is not configurable; therefore, you must set the token and userinfo endpoints. Failure to do so will result in next-auth checking against incorrect token and userinfo endpoints when the callback URL is run.