--- title: Microsoft social identity provider description: Microsoft as a social identity provider requires access over secure HTTP (HTTPS). This example assumes that you've configured IDM on https://openidm.example.com:8443. Substitute your URL for openidm.example.com. component: pingidm version: 7.5 page_id: pingidm:self-service-reference:social-providers/section-microsoft-social canonical_url: https://docs.pingidentity.com/pingidm/7.5/self-service-reference/social-providers/section-microsoft-social.html keywords: ["JSON", "Configuration", "Authentication", "Social Authentication", "Self-Service", "User Self-Service", "Social Identity"] section_ids: cdm-microsoft-setup: Set up Microsoft cdm-microsoft-socialID: Configure a Microsoft social identity provider cdm-microsoft-userreg: Configure user registration to link to Microsoft appendix-microsoft-social: Microsoft social identity provider configuration details --- # Microsoft social identity provider | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Social authentication is deprecated and will be removed in a future release of IDM. For more information, refer to [Deprecation](../../release-notes/deprecated-functionality.html#deprecated-standalone-socialid-auth). | | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Microsoft as a social identity provider requires access over secure HTTP (HTTPS). This example assumes that you've configured IDM on `https://openidm.example.com:8443`. Substitute your URL for `openidm.example.com`. | ## Set up Microsoft For Microsoft documentation on how to set up a social identity provider, navigate to the following article: [Sign-in Microsoft Account & Azure AD users in a single app](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview). You'll need a Microsoft account. To set up Microsoft as a social identity provider: 1. Navigate to the [Microsoft app registration portal](https://apps.dev.microsoft.com/), and sign in with your Microsoft account. 2. Select Add an App, and give your app a name. The portal will assign your app a unique `Application ID`. 3. To find your *Application Secret*, select Generate New Password. The displayed password is your *Application Secret*. | | | | - | -------------------------------------------------------------------------------- | | | Store the *Application Secret* in a secure location, as you can't view it again. | 4. Select Add Platform, and enter the following details: * Web platform. * Enable Allow Implicit Flow * Redirect URI: `https://openidm.example.com:8443/` * Logo image (optional) * Terms of Service URL (optional) * Privacy Statement URL (optional) The `OAuth2` credentials for your new Microsoft App include an `Application ID` and `Application Secret` for your app. ## Configure a Microsoft social identity provider To configure a Microsoft social identity provider using the admin UI: 1. From the navigation bar, click Configure > Social ID Providers. 2. On the Social Identity Providers page, enable Microsoft. 3. In the Microsoft Provider window, enter applicable values in the fields, and click Save. For a complete list of fields, refer to [Microsoft Social Identity Provider Configuration Details](#appendix-microsoft-social). After you save the social identity provider configuration, IDM generates a `conf/identityProvider-microsoft.json` file: ```json "provider" : "microsoft", "authorizationEndpoint" : "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "tokenEndpoint" : "https://login.microsoftonline.com/common/oauth2/v2.0/token", "userInfoEndpoint" : "https://graph.microsoft.com/v1.0/me" "clientId" : "", "clientSecret" : { "$crypto" : { "type" : "x-simple-encryption", "value" : { "cipher" : "AES/CBC/PKCS5Padding", "stableId" : "openidm-sym-default", "salt" : "", "data" : "", "keySize" : 16, "purpose" : "idm.config.encryption", "iv" : "", "mac" : "" } } }, "scope" : [ "User.Read" ], ... ``` The file includes `schema` information, which includes properties for each social identity account, as collected by IDM, as well as the order in which it appears in the admin UI. When you've registered a user with a Microsoft social identity, you can verify this by selecting Manage > Microsoft, and then selecting a user. Another part of the file includes a `propertyMap`, which maps user information entries between the `source` (social identity provider) and the `target` (IDM). If you need more information about the properties in this file, refer to the following appendix: [Microsoft Social Identity Provider Configuration Details](#appendix-microsoft-social). ## Configure user registration to link to Microsoft Once you've configured the Microsoft social identity provider, you can activate it through User Registration. To do so in the admin UI, select Configure > User Registration, and activate that feature. Under the Social tab that appears, enable Social Registration. For more information on IDM user self-service features, refer to [Self-service end user UI](../end-user-ui.html). When you enable Social Registration, you're allowing users to register on IDM through all active social identity providers. ## Microsoft social identity provider configuration details You can set up the Microsoft social identity provider through the admin UI or in a `conf/identityProvider-microsoft.json` file. IDM generates the `identityProvider-microsoft.json` file when you configure and enable this social identity provider in the admin UI. Alternatively, you can create the file manually. The following table includes the information shown in the admin UI Microsoft Provider pop-up window, along with associated information in the `identityProvider-microsoft.json` file: **Microsoft social identity provider configuration properties** | Property (UI) | Property (JSON file) | Description | | ---------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Application ID | `clientId` | The client identifier for your Microsoft App | | Application Secret | `clientSecret` | Used with the Application ID; shown as application password | | Scope | `scope` | OAuth 2 scopes; for more information, refer to [Microsoft Graph Permission Scopes](https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes). | | Authorization Endpoint | `authorizationEndpoint` | Typically `https://login.microsoftonline.com/common/oauth2/v2.0/authorize` | | Token Endpoint | `tokenEndpoint` | Endpoint that receives a one-time authorization code and returns an access token; typically `https://login.microsoftonline.com/common/oauth2/v2.0/token` | | User Info Endpoint | `userInfoEndpoint` | Endpoint that transmits scope-related fields; typically `https://graph.microsoft.com/v1.0/me` | | Not in the admin UI | `name` | Name of the social identity provider | | Not in the admin UI | `type` | Authentication module | | Not in the admin UI | `authenticationId` | Authentication identifier, as returned from the User Info Endpoint for each social identity provider | | Not in the admin UI | `propertyMap` | Mapping between Microsoft and IDM | For information on social identity provider buttons and badges, refer to [Social identity provider button and badge properties](appendix-social-badges.html).