How To
ForgeRock Identity Cloud

Microsoft SSO integration with Identity Cloud for social authentication/registration

Last updated Jan 17, 2023

The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Microsoft® as a social identity provider using OpenID Connect (OIDC) for Single Sign-On (SSO).


This article describes how to configure Identity Cloud to use Microsoft as a social identity provider for authentication and/or registration. Identity Cloud provides a standards-based solution for Microsoft social sign-on based on OIDC standards. Once configured, users can sign in to applications and websites protected by Identity Cloud using their Microsoft accounts.

Steps involved:

  1. Configure Microsoft Azure
  2. Configure the Social Identity Provider in Identity Cloud
  3. Create the end user journey
  4. Test the end user experience


Configuring Microsoft Azure


ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

Register an Azure application 

  1. Sign in to the Microsoft Azure portal.
  2. Open Azure Active Directory.
  3. Register an Azure app by following the instructions in Microsoft's Quickstart: Register an application with the Microsoft identity platform. When registering an Azure app for Identity Cloud, use the following configuration:
    • Register the app.
    • Configure platform settings. Select Web as the platform.
    • Add a redirect URI. This is the path that users are redirected to after they have authenticated with Microsoft, for example, https://<tenant-env-fqdn>/login.
    • Add a client secret. Microsoft recommends that you set an expiration value of less than 12 months.
  4. Make a note of the Client Secret and Application (client) ID. You'll need this information when you configure the Microsoft social identity provider in Identity Cloud.

Client secret values can only be viewed immediately after creation, so be sure to save the value before leaving the page.

Configuring the Social Identity Provider in Identity Cloud

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Services > Social Identity Provider Service.
  2. Choose Secondary Configurations, click Add a Secondary Configuration, and select Client configuration for Microsoft.
  3. Complete the following configuration:
    • Name: Enter a name for the social identity provider, for example, Microsoft.
    • Client ID: Enter the Application (client) ID of your Azure app.
    • Redirect URL: Enter the redirect URL for your app. This must match the Redirect URI you configured with the Azure app, for example https://<tenant-env-fqdn>/login.
    • Scope Delimiter: Enter the scope delimiter, which is usually an empty space.
  1. Click Create.

The full configuration for the new Microsoft social identity provider is displayed.

  1. Enter the Client Secret for your Azure app in the Client Secret field.
  2. Check that the rest of the default settings are correct. In particular, check the following fields:
    • Enabled: Ensure the configuration is enabled.
    • Transform Script: Ensure that Microsoft Profile Normalization is entered. This script transforms Microsoft credential data into a normalized form.
  3. Click Save Changes.

Creating the end user journey

You can create custom end user journeys for social registration and sign in. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.

See How do I create end user journeys for social registration and login in Identity Cloud? for information on how to create end user journeys for SSO with social providers.

Testing the end user experience

  1. In the Identity Cloud admin UI, go to Journeys.
  2. Click the journey that you want to test.
  3. Copy the Preview URL.
  4. Paste the preview URL into a browser using Incognito or Browsing mode.
  5. Follow the sign in and/or registration steps to test your journey.

For example, if Microsoft is configured as a social identity provider for social login, end users are asked if they want to authenticate with their Microsoft account, similar to the screenshot below. 

See Also

How do I create end user journeys for social registration and login in Identity Cloud?

Does the ForgeRock solution support social authentication?

Single Sign-On Integrations for Identity Cloud

Identity Cloud documentation:

Other social integrations:

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.