Skip to content
Migrating from NextAuth.js v4? Read our migration guide.
Getting Started
Microsoft Entra Id

Microsoft Entra ID


Microsoft has renamed Azure AD to Microsoft Entra ID, more information about the new name can be found here.



Callback URL

Environment Variables



import NextAuth from "next-auth"
import Entra from "next-auth/providers/microsoft-entra-id"
const { handlers, auth, signin, signout } = NextAuth({
  providers: [
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
      tenantId: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,


  1. Allow only Specific Active Directory Users
  • In select Identity from the left bar menu.
  • Next, go to “App Registration” in the left menu, and create a new one.
  • Pay close attention to “Who can use this application or access this API?”
    • This allows you to scope access to specific types of user accounts
    • Only your tenant, all Microsoft tenants, or all Microsoft tenants and public Microsoft accounts (Skype, Xbox,, etc.)
  • When asked for a redirection URL, use or for development http://localhost:3000/api/auth/callback/microsoft-entra-id.
  • After your App Registration is created, under “Client Credential” create your Client secret.
  • Now copy your:
    • Application (client) ID
    • Directory (tenant) ID
    • Client secret (value)

In .env.local create the following entries:

AUTH_MICROSOFT_ENTRA_ID_ID=<copy Application (client) ID here>
AUTH_MICROSOFT_ENTRA_ID_SECRET=<copy generated client secret value here>
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=<copy the tenant id here>

That will default the tenant to use the common authorization endpoint. For more details see here.

Auth.js © Balázs Orbán and Team - 2024