
Configuring Microsoft Authentication for LobeHub


<Steps>

### Create a Microsoft Entra ID Application

  1. Go to Microsoft Entra Admin Center
  2. Navigate to Identity > Applications > App registrations > New registration
  3. Fill in the application name
  4. Choose supported account types:
    - Single tenant: Only users in your organization
    - Multitenant: Users in any Azure AD organization
    - Multitenant + personal: Also includes personal Microsoft accounts
<Image alt="App Register" inStep src="https://github.com/lobehub/lobehub/assets/13883964/4f9d83bd-b3fc-4abc-bcf4-ccbad65c219d" />

### Configure Redirect URI

In the Redirect URI section:

  1. Select Web as the platform
  2. Enter the callback URL

<Callout type={'info'}> Callback URL format:

- Local development: `http://localhost:3210/api/auth/callback/microsoft`
- Production: `https://your-domain.com/api/auth/callback/microsoft`
</Callout>

Click Register.

### Get Application Credentials

After creation, view the Overview tab:

<Image alt="App Overview" inStep src="https://github.com/lobehub/lobehub/assets/13883964/48a0b702-05bd-4ce4-a007-a8ad00a36e5a" />

Note down:

  - Application (client) ID - This is your `AUTH_MICROSOFT_ID`
  - Directory (tenant) ID - Needed for single-tenant apps

### Create Client Secret

  1. Go to Certificates & secrets > Client secrets
  2. Click New client secret
  3. Fill in a description and select an expiration time
  4. Click Add
<Image alt="Create App Client Secret" inStep src="https://github.com/lobehub/lobehub/assets/13883964/c9d66fa0-158c-4bd3-a1fa-969e638259d2" />

<Callout type={'warning'}> Copy the client secret Value immediately - you won't be able to see it again. </Callout>

### Configure Environment Variables

| Environment Variable | Type | Description |
| --- | --- | --- |
| `AUTH_SECRET` | Required | Session encryption key, generate with `openssl rand -base64 32` |
| `AUTH_SSO_PROVIDERS` | Required | Set to `microsoft` |
| `AUTH_MICROSOFT_ID` | Required | Application (client) ID |
| `AUTH_MICROSOFT_SECRET` | Required | Client secret value |
| `AUTH_MICROSOFT_AUTHORITY_URL` | Optional | Authority URL for Microsoft Entra ID |
| `AUTH_MICROSOFT_TENANT_ID` | Optional | Directory (tenant) ID for single-tenant apps |

<Callout type={'info'}> Alternative Environment Variables: For backward compatibility, these aliases are also supported:

- `AUTH_MICROSOFT_ENTRA_ID_ID` / `AUTH_MICROSOFT_ENTRA_ID_SECRET`
- `AUTH_AZURE_AD_ID` / `AUTH_AZURE_AD_SECRET`
- `AZURE_AD_CLIENT_ID` / `AZURE_AD_CLIENT_SECRET`
</Callout>

<Callout type={'tip'}> Go to 📘 Environment Variables for detailed information. </Callout>

</Steps>
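
A pre-flight check for the values collected in the steps above, as an added example that is not LobeHub's own code: it catches a short `AUTH_SECRET`, a pasted Secret ID in place of the secret Value, a malformed tenant ID, and a callback URL that does not match the documented form. The function name `checkMicrosoftAuthEnv`, the comma-separated handling of `AUTH_SSO_PROVIDERS`, and all sample values are assumptions.

```javascript
// Added example, not LobeHub code. All sample values below are constructed.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Primary variable names first, then the backward-compatible aliases from the page.
const CREDENTIAL_PAIRS = [
  ['AUTH_MICROSOFT_ID', 'AUTH_MICROSOFT_SECRET'],
  ['AUTH_MICROSOFT_ENTRA_ID_ID', 'AUTH_MICROSOFT_ENTRA_ID_SECRET'],
  ['AUTH_AZURE_AD_ID', 'AUTH_AZURE_AD_SECRET'],
  ['AZURE_AD_CLIENT_ID', 'AZURE_AD_CLIENT_SECRET'],
];

// Returns a list of problems; an empty list means the settings look consistent.
function checkMicrosoftAuthEnv(env, callbackUrl) {
  const problems = [];
  // `openssl rand -base64 32` encodes 32 random bytes; anything shorter is weaker.
  if (Buffer.from(env.AUTH_SECRET || '', 'base64').length < 32)
    problems.push('AUTH_SECRET decodes to fewer than 32 bytes');
  // Assumption: the variable may hold a comma-separated list of providers.
  const providers = (env.AUTH_SSO_PROVIDERS || '').split(',').map((p) => p.trim());
  if (!providers.includes('microsoft'))
    problems.push('AUTH_SSO_PROVIDERS does not include microsoft');
  const pair = CREDENTIAL_PAIRS.find(([id, secret]) => env[id] && env[secret]);
  if (!pair) {
    problems.push('no complete client ID / client secret pair is set');
  } else {
    const [idName, secretName] = pair;
    if (!GUID.test(env[idName])) problems.push(`${idName} is not a GUID`);
    // The portal shows a GUID "Secret ID" beside the secret "Value"; only the Value works.
    if (GUID.test(env[secretName]))
      problems.push(`${secretName} looks like the Secret ID, not the Value`);
  }
  const tenant = env.AUTH_MICROSOFT_TENANT_ID;
  if (tenant && !GUID.test(tenant)) problems.push('AUTH_MICROSOFT_TENANT_ID is not a GUID');
  // Callback path comes from the page; plain http is accepted only for localhost.
  const url = new URL(callbackUrl);
  if (url.pathname !== '/api/auth/callback/microsoft')
    problems.push('callback path is not /api/auth/callback/microsoft');
  if (url.protocol !== 'https:' && url.hostname !== 'localhost')
    problems.push('callback URL uses http outside localhost');
  return problems;
}

// Constructed sample: the Secret ID (a GUID) was pasted instead of the secret Value.
const sampleEnv = {
  AUTH_SECRET: 'A'.repeat(43) + '=', // placeholder that decodes to 32 bytes
  AUTH_SSO_PROVIDERS: 'microsoft',
  AUTH_MICROSOFT_ID: '00000000-0000-0000-0000-000000000001',
  AUTH_MICROSOFT_SECRET: '00000000-0000-0000-0000-000000000002',
};
console.log(checkMicrosoftAuthEnv(sampleEnv, 'http://your-domain.com/api/auth/callback/microsoft'));
```

Run it with Node.js against the same values you place in the deployment's environment before the first sign-in attempt.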

<Callout type={'info'}> After successful deployment, users will be able to authenticate with Microsoft and use LobeHub. </Callout>

Common Issues

Client Secret Expiration

Microsoft client secrets have a maximum validity of 24 months. Remember to rotate secrets before they expire.