From 2c1396b141c8786a7c95d235cc3acf208f02b0f9 Mon Sep 17 00:00:00 2001 From: Bart Read Date: Thu, 3 Oct 2024 17:16:55 +0100 Subject: [PATCH] Added example for SaaS scenario where you want to allow sign-up/login for any tenant, and possibly consumers as well. --- docs/docs/providers/azure-ad.md | 44 ++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/docs/docs/providers/azure-ad.md b/docs/docs/providers/azure-ad.md index cd203b267a..0d9f6ed44a 100644 --- a/docs/docs/providers/azure-ad.md +++ b/docs/docs/providers/azure-ad.md @@ -45,7 +45,7 @@ AZURE_AD_CLIENT_SECRET= AZURE_AD_TENANT_ID= ``` -That will default the tenant to use the `common` authorization endpoint. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints). +That will default the tenant to use the `common` authorization endpoint. However, if you've configured your app as multi-tenant, users outside of your tenant will *only* be able to log in if you've configured them as external users within Azure. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints). :::note When you see `ResourceNotFound` error code while accessing an API, make sure to use the correct tenant ID. For instance, when the intended access is for a personal account, the tenant ID should not be provided. 
@@ -71,3 +71,45 @@ providers: [ ... ``` + +### To allow users from any tenant access without adding them as "external users": + +- In https://portal.azure.com/ search for "Microsoft Entra ID", and select your organization. +- Next, in the left menu expand the "Manage" accordion and then go to "App Registration" , and create a new one. +- Pay close attention to "Who can use this application or access this API?" + - You'll want to select either all azure tenants (i.e., work and school accounts), or all azure tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.) +- When asked for a redirection URL, select the platform type "Web" and use `https://yourapplication.com/api/auth/callback/azure-ad` or for development `http://localhost:3000/api/auth/callback/azure-ad`. +- After your App Registration is created, under "Client Credential" create your Client secret. +- Now copy your: + - Application (client) ID + - Client secret (value) + +In `.env.local` create the following entries: + +``` +AZURE_AD_CLIENT_ID= +AZURE_AD_CLIENT_SECRET= +``` + +That will default to use the `common` authorization endpoint. This means that users from tenants other than your own will be able to sign up and/or log in to your app, which is often the case if you're building a SaaS. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints). + +:::note +Azure AD returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#examples. The default image size is 48x48 to avoid [running out of space](https://next-auth.js.org/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT. 
+::: + +In `pages/api/auth/[...nextauth].js` find or add the `AzureAD` entries: + +```js +import AzureADProvider from "next-auth/providers/azure-ad"; + +... +providers: [ + AzureADProvider({ + clientId: process.env.AZURE_AD_CLIENT_ID, + clientSecret: process.env.AZURE_AD_CLIENT_SECRET, + }), +] +... + +``` +
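Review bot: the sentence added in the first hunk (docs/docs/providers/azure-ad.md, the `common` endpoint paragraph) is contradictory as written and will mislead readers. It follows an example where `AZURE_AD_TENANT_ID=` is set to a specific tenant, yet still says this "will default the tenant to use the `common` authorization endpoint", and the new clause ties the external-user restriction to the app being "multi-tenant" when the restriction actually comes from the tenant-specific authority: with a tenant ID configured, that tenant issues tokens only for its own members and guests, regardless of whether the registration is single- or multi-tenant, and with no tenant ID (the `common` endpoint) a multi-tenant registration admits users from other tenants without any guest invitation. Suggest rewording along the lines of: "If you set `AZURE_AD_TENANT_ID` to your tenant ID, only members and guest (external) users of that tenant can sign in, even if the app registration is multi-tenant. Leave it unset to use the `common` endpoint; see the next section." Also prefer "Microsoft Entra ID" over "Azure" to match the terminology used in the second hunk.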
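Review bot: the new section in the second hunk (`### To allow users from any tenant access without adding them as "external users":`) states that "users from tenants other than your own will be able to sign up and/or log in to your app" but says nothing about authorization, and that omission is the security-relevant point. Once the `common` endpoint is used with an "all tenants" or "all tenants and public Microsoft accounts" registration, authentication no longer limits who can reach the app; any Microsoft account holder can obtain a session, so the app must decide for itself which tenants or accounts are allowed (for example by checking the tenant ID claim from the ID token in the provider's `profile` callback or in a `signIn` callback, or by checking the profile's email/tenant against a list of allowed customers) and the docs should say so explicitly rather than only noting that this "is often the case if you're building a SaaS". Smaller points: say explicitly that `AZURE_AD_TENANT_ID` is deliberately left out of the `.env.local` example so the provider falls back to `common`, since the previous section lists it; the heading should not end with a colon; the portal labels read "App registrations" and the secret lives under "Certificates & secrets" rather than "Client Credential" (please verify against the current portal before merging); and the profile-picture `:::note` plus the `pages/api/auth/[...nextauth].js` snippet repeat content the file already has for the single-tenant case (the hunk context `providers: [ ... ` shows the existing block), so a one-line reference back to that section would avoid two copies drifting apart.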