Microsoft Authentication

Discourse · October 19, 2016, 10:28am

Hosted by us? This plugin is available on our Business and Enterprise plans. Amazon & Microsoft Logins | Discourse - Civilized Discussion

Summary

Microsoft Authentication enables users to log in to your Discourse forum using their Microsoft accounts (also known as Office 365 or Microsoft 365 accounts). This simplifies the login process for organizations that use Microsoft services.

Features

Allows users to log in with their Microsoft credentials
Supports both multi-tenant and single-tenant configurations
Integrates with Microsoft Azure Active Directory
Simplifies user registration and login

Configuration

To set up Microsoft Authentication for your Discourse forum:

Visit Azure Portal’s App Registration page
Register a new application:
- Choose a name (typically your site name)
- Under “Supported account types,” select the most permissive option for your needs
Account types selection945×241 30.5 KB
Add your site as a Redirect URI for Web in this format:
- https://your.discourse.forum/auth/microsoft_office365/callback
Adding redirect URI909×151 20.5 KB
Save your changes
Visit Certificates & secrets in the left sidebar menu and click New client secret
- Add a simple description
- Choose 24 months under “Expires” (note: you’ll need to renew it)
- Copy the Value (this is the Application Secret) and save it for your plugin settings
Visit Overview (in the left sidebar) and copy the Application (client ID)
In your Discourse admin area, go to Settings and search for “microsoft auth”
Enter the Application ID and Secret from the previous steps

Single-tenant authentication issues

If you’ve configured your Microsoft application as single_tenant, some users may experience issues when logging in. This happens because the emails used for login are considered untrusted, and the system cannot automatically link them to existing Discourse accounts.

To resolve this issue, users can:

Look for the “Already have an account?” section at the bottom of the signup form
Click the provided link to go through the account link-up process
Complete the authentication steps to connect their Microsoft account to their existing Discourse account

Another option is to enable the microsoft auth email verified site setting, if admins are confident that all your users have verified emails.This ensures that returning users with existing accounts don’t create duplicate accounts when authenticating through Microsoft.

Additional configuration options

You can update all Microsoft Authentication settings by visiting the Admin > Settings area and searching for “microsoft auth”.

For single-tenant setups, you’ll need your tenant ID, which you can find in the Azure Portal tenant properties.

Additional resources

Potential account take over due to unverified emails from Microsoft Identity Platform · Advisory · discourse/discourse-microsoft-auth · GitHub

Last edited by @jessii 2025-05-20T20:46:47Z

Check document
Perform check on document:

시온_강 · September 1, 2023, 1:39am

I’m having trouble using that plugin.
Could you please give me some advice?

nathank · September 10, 2023, 1:24am

As I’ve gotten tripped up (again) when updating my config for this plugin, I’ve made this PR:

The issue is that the Microsoft app panel serves up three likely looking fields for the ‘Secret’ - Client ID Value and ‘Secret ID’. Without guidance, I have chosen the wrong one on both occasions that I’ve tackled this, and suspect I’m not alone!

moggleif · January 10, 2024, 9:21am

Just tried this plugin and it doesn’t work for single tenant.

Why?

github.com

discourse/discourse-microsoft-auth/blob/main/lib/omniauth-microsoft365.rb

# frozen_string_literal: true

require "omniauth/strategies/oauth2"

module OmniAuth
  module Strategies
    class MicrosoftOffice365 < OmniAuth::Strategies::OAuth2
      option :name, :microsoft_office365

      DEFAULT_SCOPE = "openid email profile https://graph.microsoft.com/User.Read"

      option :client_options,
             site: "https://login.microsoftonline.com",
             authorize_url: "/common/oauth2/v2.0/authorize",
             token_url: "/common/oauth2/v2.0/token"

      option :authorize_options, [:scope]

      uid { raw_info["id"] }

This file has been truncated. show original

option :client_options,
             site: "https://login.microsoftonline.com",
             authorize_url: "/common/oauth2/v2.0/authorize",
             token_url: "/common/oauth2/v2.0/token"

The word “common” is the issue.
Seems like that needs to be replaced by the tenant ID for the single tenant.
If you have an MS account you will find your tenant ID here: Microsoft Azure

I haven’t tried to do the change my own, yet. Perhaps I will.
If not, anyone else thinking to use this for single tenant, you don’t have to try, it will not work currently.

See attached image below as an example what kind of error you will get.

moggleif · January 10, 2024, 1:22pm

Ok, I have never coded with Ruby, and it was some years ago with coding and working with technical things. But, it’s done. And it works now also for Single Tenant setups.

pmusaraj · February 27, 2025, 3:59pm

Sorry for the very very late follow up here, the PR above is now merged!

moggleif · February 27, 2025, 4:20pm

Wohoo!

My first contriution to the community. Not the last, I think.

Topic		Replies	Views
OAuth2 and Microsoft ADFS Support	15	7806	October 19, 2021
Discourse Apple Authentication Plugin official , auth-plugins , apple-auth	8	6788	April 10, 2025
Discourse OpenID Connect (OIDC) Plugin official , openid-connect , auth-plugins	37	44420	May 28, 2025
Set up Microsoft Teams notifications using the discourse-chat-integration plugin Integrations chat-integration , how-to	27	5205	August 19, 2024
Login to Discourse with custom Oauth2 provider Feature oauth2 , completed	24	273953	July 6, 2020