Microsoft Auth

1. Register an App in Microsoft Entra ID

1. Go to the Azure Portal → Microsoft Entra ID → App registrations → New registration
2. Fill in:
   • Name — your app name
   • Supported account types — choose Accounts in any organizational directory and personal Microsoft accounts for the widest reach
   • Redirect URI — select Web and enter:
     • http://localhost:3000/api/auth/callback/microsoft (dev)
     • https://yourdomain.com/api/auth/callback/microsoft (prod)
3. Click Register
4. From the Overview page, copy the Application (client) ID — this is your MICROSOFT_CLIENT_ID
5. Go to Certificates & secrets → New client secret, set an expiry, and copy the Value — this is your MICROSOFT_CLIENT_SECRET

To restrict sign-in to a single tenant, copy the Directory (tenant) ID from the Overview page and set tenantId in src/features/auth/index.ts instead of 'common'.

2. Set Environment Variables

# .env.local
MICROSOFT_CLIENT_ID=your-application-client-id
MICROSOFT_CLIENT_SECRET=your-client-secret-value

3. Enable in Config

In src/appConfig.ts set:

microsoft: { enabled: true },

4. Test

1. Run pnpm dev
2. Navigate to /auth/sign-in
3. A Sign in with Microsoft button will appear

Production Checklist

• Add your production redirect URI in Authentication → Redirect URIs
• Set a calendar reminder before your client secret expires (max 24 months)
• If restricting to your organisation, update tenantId in src/features/auth/index.ts to your Directory (tenant) ID

Troubleshooting

• AADSTS50011 — redirect URI mismatch — the URI in Azure must exactly match /api/auth/callback/microsoft
• No email returned — Entra ID does not emit the email claim for managed users by default. Add it as an optional claim in the app manifest
• No Microsoft button — check MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET are set and microsoft.enabled is true