Azure AD OpenID Connect

Configure OpenID Connect with Azure Active Directory

FusionAuth’s OpenID Connect flow currently only supports Azure Active Directory v1.0.

Azure Active Directory v2.0 returns inconsistent claims from the UserInfo endpoint depending on the type of Microsoft account the end-user has. See this open issue for reference.

The email address is required to be returned on the Userinfo endpoint, without this identity claim FusionAuth cannot complete login. Currently the https://graph.microsoft.com/oidc/userinfo endpoint does not necessarily return the email address of the user even when requesting the openid and email scopes. These scopes do provide the email claim in the returned access_token and id_token but are omitted from the Userinfo response.

Once you have completed this configuration you may enable an OpenID Connect "Login with Azure AD" button for one or more FusionAuth Applications. See Azure - Register An App Quickstart Guide as an additional reference.

Login with Azure AD

Register a New Azure Active Directory Application

You will first need to login to the Azure Portal.

Once logged in, navigate to Azure Active Directory → App Registrations → New Registration to create a new Azure Active Directory Application.

Register a new Azure AD Application

Here we have configured our application Redirect URI. If FusionAuth is running at https://local.fusionauth.io, this value should be https://local.fusionauth.io/oauth2/callback.

Azure AD Client ID and Tenant ID

Once the application has been created, note the Application (client) ID and the Directory (tenant) ID. These will be used respectively as the Client Id value and to construct the Issuer value in your FusionAuth OpenID Connect Identity Providers configuration.

Create a New Azure Active Directory Application Secret

Navigate to Azure Active Directory → App Registrations → {Your Application} → Certificates & secrets → New client secret to create a new Azure Active Directory Application Client Secret.

Azure AD Client Secret

Note the VALUE of the created client secret. This will be used as the Client secret value in your FusionAuth OpenID Connect Identity Providers configuration.

Configure a New FusionAuth OpenID Connect Identity Provider

To create an Azure AD Identity Provider return to FusionAuth and navigate to Settings → Identity Providers and click Add provider and select OpenID Connect from the dialog.

This will take you to the Add OpenID Connect panel, and you’ll fill out the required fields.

You will need to set Client authentication method to HTTP Basic authentication (client_secret_basic).

Client Id and Client secret values reference the previously noted Azure AD Application’s Application (client) ID, client secret VALUE. The Redirect URL is read only and generated for you based upon the URL of FusionAuth, this value should match the one you configured in your Azure application.

Azure AD has implemented a well-known configuration endpoint, FusionAuth will be able to discover the necessary endpoints when you provide the URL https://login.microsoftonline.com/{tenantId} to the provider in the Issuer field, where {tenantId} is the Directory (tenant) ID previously noted while creating our Azure AD Application.

You will need to specify openid as a Scope for your application.

In the following screenshot you will see that we have enabled this login provider for the Hooli application and enabled Create registration.

That’s it, now the Login with Azure AD button will show up on the login page of our Hooli application.

FusionAuth Azure AD IdP Configuration