How to sign in with Microsoft account in your Rails app

Ly Channa
4 min read · Apr 30, 2023

When it comes to signing in with a third-party account, applications commonly integrate with a Gmail or Facebook account. There are plenty of resources on that subject; for signing in with a Microsoft account there are fewer. I decided to write this article after spending some hours figuring it out. I hope it saves you a few hours of setting up an application in Azure to get the credentials used in the sign-in process.

Go to https://portal.azure.com/ and sign up for an account if you don’t have one. I simply used my GitHub account to sign up. After signing in, you should see the Azure portal.

Now we are going to register an app and get credentials.

Application registration

In the search box, enter “App registrations”.

Now register an app: go to “New registration”.

On the New Registration page, fill in the form as shown below.

And then wait a bit for Azure to create the application for you. Once it is done, you should see something like this:

Copy the value shown below “Application (client) ID”; let’s call this CLIENT_ID. Now we need to create a client secret. Click the “Add a certificate or secret” link as shown above to create the client secret.

On the “Certificates & secrets” page, click on “New client secret” to create a new secret.

Enter a description and select one of the default values for the Expires field. I chose 24 months.

And then let’s copy the value in the Value column. This value is our CLIENT_SECRET.

Now we have the credentials we need. Before we touch the code, let’s complete the other details.

Enter Application details

Open “Branding & Properties” in the left navigation.

Enter the details and then click on “Configure domain”.

Enter your domain in the “Publisher domain” input, then copy the “microsoft-identity-association.json” file and put it under project_root/.well-known/microsoft-identity-association.json.

Run your application to double-check the response

If everything is OK, verify the domain ownership by clicking on “Verify and save domain”.

API permission

On the left navigation menu, select “API permission”. I have the User.Read permission to get a public profile. If needed, you can add more permissions.

module Users
  class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    # Application helper (not shown in this article).
    include UserSessionHelper
    # The before_action signs the user in or reports the failure, and
    # redirects, so the action body itself stays empty.
    before_action :handle_oauth2, only: %i[microsoft_office365]

    # GET|POST: /users/auth/microsoft_office365/callback
    def microsoft_office365
    end

    private

    def handle_oauth2
      # OauthAuthenticator is an application service object (not shown in this article).
      auth_context = OauthAuthenticator.call(omniauth_auth: request.env['omniauth.auth'])

      if auth_context.success?
        # sign_out_all_scopes will destroy the session,
        # thus we need to restore session[:user_return_to] for redirection
        provider_name = auth_context.provider_name

        flash[:notice] = t('devise.omniauth_callbacks.success', kind: I18n.t("oauth2_provider.#{provider_name}"))
        user = auth_context.provider.user

        # Application helper (not shown in this article).
        process_sign_in_and_redirect(user)
      else
        flash[:alert] = auth_context.message
        redirect_to new_user_session_path
      end
    end
  end
end

and in config/initializers/devise.rb:

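Devise.setup do |config|
  # ... other Devise settings ...
  # CLIENT_ID and CLIENT_SECRET from the Azure app registration, read from the environment
  config.omniauth :microsoft_office365, ENV['OFFICE365_OAUTH2_CLIENT_ID'], ENV['OFFICE365_OAUTH2_CLIENT_SECRET']
end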
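
The controller above passes request.env['omniauth.auth'] to an OauthAuthenticator service that this article does not show. The following is an added example, not the author's implementation: a plain-Ruby stand-in that validates the standard OmniAuth hash fields (provider, uid, info.email) and keys the account on provider plus uid. The Result shape (simplified to expose user directly), the in-memory identities store and the error messages are assumptions made for the example.

```ruby
# Added example: hypothetical stand-in for the OauthAuthenticator service.
# Plain Ruby with an in-memory store so it runs without Rails.
class OauthAuthenticator
  ALLOWED_PROVIDERS = %w[microsoft_office365].freeze

  # Assumed result shape; the real service in the article is not shown.
  Result = Struct.new(:success, :message, :provider_name, :user) do
    def success?
      success
    end
  end

  # identities: hash keyed by [provider, uid], standing in for a DB table.
  def self.call(omniauth_auth:, identities: {})
    new(omniauth_auth, identities).call
  end

  def initialize(auth, identities)
    @auth = auth
    @identities = identities
  end

  def call
    return failure('Missing OAuth response') if @auth.nil?

    provider = @auth['provider'].to_s
    uid = @auth['uid'].to_s.strip
    email = @auth.dig('info', 'email').to_s.strip.downcase
    return failure('Unsupported provider') unless ALLOWED_PROVIDERS.include?(provider)
    return failure('Provider returned no user id') if uid.empty?
    return failure('Provider returned no email') if email.empty?

    # Key the account on provider + uid, not on email: an email address can
    # change or be reassigned, while uid is the provider's identifier for the user.
    user = (@identities[[provider, uid]] ||= { email: email })
    Result.new(true, nil, provider, user)
  end

  private

  def failure(message)
    Result.new(false, message, nil, nil)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of the hash OmniAuth places in request.env['omniauth.auth'].
  sample = { 'provider' => 'microsoft_office365', 'uid' => 'constructed-uid-1',
             'info' => { 'email' => 'Alice@Example.com' } }
  p OauthAuthenticator.call(omniauth_auth: sample).to_h
end
```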
