Azure AD OpenID Connect
Configure OpenID Connect with Azure Active Directory
Once you have completed this configuration you may enable an OpenID Connect "Login with Azure AD" button for one or more FusionAuth Applications. See Azure - Register An App Quickstart Guide as an additional reference.

Register a New Azure Active Directory Application
You will first need to login to the Azure Portal.
Once logged in, navigate to
to create a new Azure Active Directory Application.
Here we have configured our application Redirect URI
. If FusionAuth is running at https://local.fusionauth.io
, this value should be https://local.fusionauth.io/oauth2/callback
.

Once the application has been created, note the Application (client) ID
and the Directory (tenant) ID
. These will be used respectively as the Client Id value and to construct the Issuer value in your FusionAuth OpenID Connect Identity Provider configuration.
Create a New Azure Active Directory Application Secret
Navigate to
to create a new Azure Active Directory Application Client Secret.
Note the VALUE
of the created client secret. This will be used as the Client secret value in your FusionAuth OpenID Connect Identity Provider configuration.
Configure a New FusionAuth OpenID Connect Identity Provider
To create an Azure AD Identity Provider return to FusionAuth and navigate to Add provider
and select OpenID Connect
from the dialog.
This will take you to the Add OpenID Connect
panel, and you’ll fill out the required fields.
You will need to set Client authentication method to HTTP Basic authentication (client_secret_basic)
.
Client Id and Client secret values reference the previously noted Azure AD Application’s Application (client) ID
, client secret VALUE
. The Redirect URL is read only and generated for you based upon the URL of FusionAuth, this value should match the one you configured in your Azure application.
Azure AD has implemented a well-known configuration endpoint, FusionAuth will be able to discover the necessary endpoints when you provide the URL https://login.microsoftonline.com/{tenantId}
to the provider in the Issuer
field, where {tenantId}
is the Directory (tenant) ID
previously noted while creating our Azure AD Application.
You may set a Reconcile lambda to map attributes from the JWT provided by Azure AD to the FusionAuth user or registration. This is optional. Learn more about lambdas. You may also modify the Button text or Button logo if desired.
You will need to specify openid
as a Scope and email
as the Email claim for your application.

Scroll down and make sure you enable this Identity Provider for your application. In the following screenshot you will see that we have enabled this login provider for the Pied Piper
application and enabled Create registration
.

That’s it, now the Login with Azure AD
button will show up on the login page of our Pied Piper
application.