Azure AD Provider

Resources

• AzureAD OAuth documentation
• AzureAD OAuth apps

Setup

Callback URL

https://example.com/api/auth/callback/azure-ad

Environment Variables

AUTH_AZURE_AD_ID
AUTH_AZURE_AD_SECRET
AUTH_AZURE_AD_TENANT_ID

Configuration

import NextAuth from "next-auth"
import AzureAd from "next-auth/providers/azure-ad"
 
export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [AzureAd],
})

To allow specific Active Directory users access:

• In https://portal.azure.com/ search for “Azure Active Directory”, and select your organization.
• Next, go to “App Registration” in the left menu, and create a new one.
• Pay close attention to “Who can use this application or access this API?”
  • This allows you to scope access to specific types of user accounts
  • Only your tenant, all azure tenants, or all azure tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.)
• When asked for a redirection URL, use https://yourapplication.com/api/auth/callback/azure-ad or for development http://localhost:3000/api/auth/callback/azure-ad.
• After your App Registration is created, under “Client Credential” create your Client secret.
• Click on “API Permissions” and click “Grant admin consent for…” to allow User.Read access to your tenant.
• Now copy your:
  • Application (client) ID
  • Directory (tenant) ID
  • Client secret (value)

In .env.local create the following entries:

AUTH_AZURE_AD_CLIENT_ID=<copy Application (client) ID here>
AUTH_AZURE_AD_CLIENT_SECRET=<copy generated client secret value here>
AUTH_AZURE_AD_TENANT_ID=<copy the tenant id here>

That will default the tenant to use the common authorization endpoint. For more details see here.

In pages/api/auth/[...nextauth].js find or add the AzureAD entries:

import AzureADProvider from "next-auth/providers/azure-ad"
 
providers: [
  AzureADProvider({
    clientId: process.env.AZURE_AD_CLIENT_ID,
    clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
    tenantId: process.env.AZURE_AD_TENANT_ID,
  }),
]