Microsoft
Set up Microsoft as a social login provider in SecureAuth Connect so users can sign in with their Microsoft account.
Register Microsoft as a provider
- In your workspace, go to Authentication > Providers.
- Click Create Connection.
- Filter by Social Providers and select Microsoft.
- Choose a registration mode:

| Mode | Description |
|---|---|
| Embedded | Uses a client application registered by SecureAuth. No developer portal registration required. |
| Bring your Own | Uses a client application registered by your organization. Requires registering an application in the Microsoft Entra admin center to obtain an Application (Client) ID and Client Secret. |

Configuration
| Setting | Description |
|---|---|
| Name | Display name for this provider. Default: Microsoft. |
| Display order | Controls the position of this provider on the sign-in page. Default: 0. |
Use Try Sign-in to test the Microsoft sign-in flow. Use Delete Identity to remove this provider.

Attributes
Microsoft returns the following attributes after authentication:
| Connector name | Friendly name | Data type | Scope |
|---|---|---|---|
| name | Name | String | ID token |
| email | | String | ID token |
| preferred_username | Preferred username | String | ID token |
| givenName | Given name | String | User Info |
| surname | Surname | String | User Info |
| userPrincipalName | User principal name | String | User Info |
| displayName | Display name | String | User Info |
| preferred_language | Preferred language | String | User Info |
| mobilePhone | Mobile phone | String | User Info |
| jobTitle | Job title | String | User Info |
Microsoft returns attributes from both ID token and User Info scopes. It provides the richest set of business-context attributes among social providers, including jobTitle, mobilePhone, preferred_language, and userPrincipalName.
To add custom attributes, click + Add attribute.
Mappings
Default attribute mappings from Microsoft to the SecureAuth authentication context:
| Source | Microsoft source name | SecureAuth target name |
|---|---|---|
| ID token | Name | Name |
| ID token | | |
| ID token | Preferred username | The primary username that represents the user |
| User Info | Given name | Given name |
| User Info | Surname | Family name |
| User Info | Mobile phone | Phone |
To customize, click + Add mapping or + Add static mapping.
Provisioning
Provisioning controls what happens when a user authenticates through Microsoft.
Disabled
Users are not persisted in the user store. Authentication succeeds but no user record is created.
Just-in-Time Provisioning
Users are persisted in the user store on first login.
Identifier Correlation
Maps the incoming Microsoft identity to an existing user. Default: Microsoft Email ↔ Users Email.
Attribute Provisioning
Maps Microsoft attributes to user profile fields. Defaults:
- Email → Email
- Given name → First name
- Family name → Last name

Pre provisioning mode
Users must already exist in the user store before they can authenticate. New users are not auto-created at login; they must be added via an offline process.
Authentication flow control
Select what happens when no matching user is found:
- Deny – Terminate the authentication flow.
- Allow – Proceed with the authentication flow.
Identifier Correlation
Maps the incoming Microsoft identity to an existing user. Default: Microsoft Email ↔ Users Email.
Attribute Provisioning
Maps Microsoft attributes to user profile fields. Defaults:
- Email → Email
- Given name → First name
- Family name → Last name
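
The provisioning modes and the two mapping stages described above (Microsoft attribute to authentication context, then context to user profile), modelled as an added Python example; it is not SecureAuth code. The function and dictionary names, the lower-cased email correlation key, denying sign-ins that carry no email outside Disabled mode, applying attribute provisioning on every match, and the sample attributes are assumptions of this example.

```python
# Added illustration: a model of the page's settings, not SecureAuth code.
# Stage 1: Microsoft connector attribute -> authentication context name
# (subset of the default Mappings table; "Email" is taken from the
# Attribute Provisioning defaults).
CONTEXT_MAP = {
    "name": "Name", "email": "Email", "givenName": "Given name",
    "surname": "Family name", "mobilePhone": "Phone",
}
# Stage 2: authentication context name -> user profile field
# (the Attribute Provisioning defaults).
PROFILE_MAP = {"Email": "Email", "Given name": "First name",
               "Family name": "Last name"}


def sign_in(attrs, store, mode, on_no_match="deny"):
    """Return the outcome of one Microsoft sign-in under a provisioning mode.

    mode: "disabled", "jit" or "pre"; on_no_match ("deny"/"allow") is only
    consulted in "pre" mode. store maps a correlation key to a profile dict.
    """
    if mode not in ("disabled", "jit", "pre"):
        raise ValueError(f"unknown mode: {mode}")
    ctx = {CONTEXT_MAP[k]: v for k, v in attrs.items() if k in CONTEXT_MAP}
    if mode == "disabled":
        # Authentication succeeds, nothing is written to the user store.
        return {"result": "authenticated", "persisted": False, "created": False}
    # Identifier correlation default: Microsoft Email <-> Users Email.
    # Assumption: compare trimmed, lower-cased values; a sign-in without an
    # email never matches and is never created.
    key = ctx.get("Email", "").strip().lower()
    user = store.get(key) if key else None
    created = False
    if user is None:
        if mode == "jit" and key:
            user = store[key] = {}      # persisted on first login
            created = True
        elif mode == "pre" and on_no_match == "allow":
            return {"result": "authenticated", "persisted": False, "created": False}
        else:
            return {"result": "denied", "persisted": False, "created": False}
    # Assumption: attribute provisioning is applied on creation and on match.
    user.update({PROFILE_MAP[k]: v for k, v in ctx.items() if k in PROFILE_MAP})
    return {"result": "authenticated", "persisted": True, "created": created}


# Constructed sample attributes (not real data).
SAMPLE = {"email": "Ada@Example.com", "givenName": "Ada",
          "surname": "Lovelace", "jobTitle": "Engineer"}
```

Note that `surname` reaches the profile as Last name only through the intermediate Family name mapping, and that attributes without a provisioning rule, such as `jobTitle`, are never written to the user record.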

Extensions
| Extension | Description |
|---|---|
| Post Authentication script | A server-side script that runs after Microsoft authentication completes. Click Manage Script to configure. |
| Post Authentication application | A custom application that receives a callback after Microsoft authentication completes. Click Manage Custom App to configure. |