Microsoft Social Identity Provider


Microsoft as a social identity provider requires access over secure HTTP (HTTPS). This example assumes that you've configured IDM on Substitute your URL for

Set Up Microsoft

For Microsoft documentation on how to set up a social identity provider, navigate to the following article: Sign-in Microsoft Account & Azure AD users in a single app . You'll need a Microsoft account.

To set up Microsoft as a social identity provider:

  • Navigate to the Microsoft app registration portal at and sign in with your Microsoft account.

  • Select Add an App and give your app a name.

    The portal will assign your app a unique Application ID.

  • To find your Application Secret, select Generate New Password. That password is your Application Secret.


    Save your new password. It is the only time you'll see the Application Secret for your new app.

  • Select Add Platform. You'll choose a Web platform, enable Allow Implicit Flow and set up the following value for Redirect URI:


If desired, you can also enter the following information:

  • Logo image

  • Terms of Service URL

  • Privacy Statement URL

The OAuth2 credentials for your new Microsoft App include an Application ID and Application Secret for your app.

Configure a Microsoft Social Identity Provider

  1. To configure a Microsoft social identity provider, log in to the Admin UI and navigate to Configure > Social ID Providers.

  2. Enable the Microsoft social identity provider.

    In the Microsoft Provider pop-up that appears, the values for Redirect URI should match the values that you've entered for Allowed Return URLs in "Set Up Microsoft".

  3. Include the values that Microsoft created for Client ID and Client Secret, as described in "Set Up Microsoft".

  4. Under regular and Advanced Options, include the options shown in the following appendix: "Microsoft Social Identity Provider Configuration Details".

When you enable a Microsoft social identity provider in the Admin UI, IDM generates the identityProvider-microsoft.json file in your project's conf/ subdirectory.

It includes parts of the file that you may have configured through the Admin UI. While the labels in the UI specify Application ID and Application Secret, you'll see them as clientId and clientSecret, respectively, in the configuration file.

"provider" : "microsoft",
   "authorizationEndpoint" : "",
   "tokenEndpoint" : "",
   "userInfoEndpoint" : ""
   "clientId" : "<someUUID>",
   "clientSecret" : {
       "$crypto" : {
           "type" : "x-simple-encryption",
           "value" : {
               "cipher" : "AES/CBC/PKCS5Padding",
               "stableId" : "openidm-sym-default",
               "salt" : "<hashValue>",
               "data" : "<encryptedValue>",
               "keySize" : 16,
               "purpose" : "idm.config.encryption",
               "iv" : "<encryptedValue>",
               "mac" : "<hashValue>"
   "scope" : [

You should also see UI settings related to the social identity provider icon (badge) and the sign-in button, described in "Social Identity Provider Button and Badge Properties".

You'll see links related to the authenticationIdKey, redirectUri, and configClass; the location may vary.

The file includes schema information, which includes properties for each social identity account, as collected by IDM, as well as the order in which it appears in the Admin UI. When you've registered a user with a Microsoft social identity, you can verify this by selecting Manage > Microsoft, and then selecting a user.

Another part of the file includes a propertyMap, which maps user information entries between the source (social identity provider) and the target (IDM).

If you need more information about the properties in this file, refer to the following appendix: "Microsoft Social Identity Provider Configuration Details".

Configure User Registration to Link to Microsoft

Once you've configured the Microsoft social identity provider, you can activate it through User Registration. To do so in the Admin UI, select Configure > User Registration, and activate that feature. Under the Social tab that appears, enable Social Registration. For more information on IDM user self-service features, see "Self-Service End User UI".

When you enable Social Registration, you're allowing users to register on IDM through all active social identity providers.

Microsoft Social Identity Provider Configuration Details

You can set up the Microsoft social identity provider through the Admin UI or in a conf/identityProvider-microsoft.json file. IDM generates the identityProvider-microsoft.json file when you configure and enable this social identity provider in the Admin UI. Alternatively, you can create the file manually.

The following table includes the information shown in the Admin UI Microsoft Provider pop-up window, along with associated information in the identityProvider-microsoft.json file:

Microsoft Social Identity Provider Configuration Properties
Property (UI)Property (JSON file)Description
Application IDclientIdThe client identifier for your Microsoft App
Application SecretclientSecretUsed with the Application ID; shown as application password
ScopescopeOAuth 2 scopes; for more information, see Microsoft Graph Permission Scopes.
Authorization EndpointauthorizationEndpointTypically
Token EndpointtokenEndpointEndpoint that receives a one-time authorization code and returns an access token; typically
User Info EndpointuserInfoEndpointEndpoint that transmits scope-related fields; typically
Not in the Admin UInameName of the social identity provider
Not in the Admin UItypeAuthentication module
Not in the Admin UIauthenticationIdAuthentication identifier, as returned from the User Info Endpoint for each social identity provider
Not in the Admin UIpropertyMapMapping between Microsoft and IDM

For information on social identity provider buttons and badges, see "Social Identity Provider Button and Badge Properties".

Read a different version of :