Azure AD (OAuth) with Squidex
The steps in this article show how to use Azure AD (OAuth) as the Identity Provider for Squidex.
Azure AD is a fully-managed Cloud-based identity service from Microsoft providing SSO, MFA and conditional access, amongst many other features.
Azure AD supports many authentication mechanisms, such as OAuth, OIDC and Graph. This article uses the plain OAuth method. It shows you how to use Azure AD as an identity provider with a self-hosted Squidex installation. Azure AD provides authentication and authorization to users in the Azure AD tenant for your App.
A basic understanding of Azure AD is highly recommended as the article does not explain what Azure AD is and how it works. Microsoft Learn has excellent documentation for this.
These prerequisites should be in place to successfully follow this article:
- An Azure Active Directory tenant (FREE tier will work).
- It is assumed that the Azure AD has a domain associated with it, e.g. example.com.
An Azure subscription is NOT required for this setup.
During this step, you will register an application with Azure AD and gather a few details that will be required to configure Squidex.
- 1.
- 2. In the top search box, type Active Directory (1) and select Azure Active Directory (2) from the list.
- 3. On the Azure AD page, select App registrations (3) from the left blade and then click + New registration (4).
- 4. On the Register an application screen, enter a Name (5) for the App and select Accounts in this organizational directory only (6). Under the Redirect URI (optional) section, set the following values:
  - 1. Choose Web (7) from the drop-down.
  - 2. Then enter your Squidex domain URL followed by `/signin-microsoft`. The URI must have `/signin-microsoft` else it will fail.

  Click Register (8) when done.
- 5. In the Azure AD app details page, copy the Application (client) ID (9) and Directory (tenant) ID (10) values as they will be needed later.
- 6. Select Certificates & Secrets (11) from the left, then click + New client secret (12). Give a Description (13) for the secret and click Add (14).
- 7. Copy the secret Value (15) shown in this step.
- 8. Finally, click on Authentication (16), check ID tokens (17) and click Save (18).
In the next set of steps, you will configure Squidex to use Azure AD. How you add these values depends on how Squidex is installed and running, and unfortunately we cannot cover everything, but in a nutshell, you want the following variables configured with the values collected earlier.
When the values are `null`, Microsoft authentication is disabled.

| Variable | Description |
|---|---|
| IDENTITY__MICROSOFTCLIENT | Application (client) ID |
| IDENTITY__MICROSOFTSECRET | Client Secret Value |
| IDENTITY__MICROSOFTTENANT | Directory (tenant) ID |

For example, if using Kubernetes Helm charts, these variables should be updated with the values in the `values.yaml` file.
Sample helm values.yaml configuration for enabling Microsoft authentication
Similarly, if Squidex is running on an Azure App Service, they are added to the Configuration of the app service. An example is provided below.

Sample app service configuration for enabling Microsoft authentication
When running it using Docker Compose (or Docker), they are updated in a `.env` file that is used by the `docker-compose.yml` file, or you can update the values directly in the `docker-compose.yml` file itself (not recommended). The rest of the steps here refer to a Docker-based containerized installation that uses the code/resources provided at https://github.com/Squidex/squidex-hosting/tree/master/docker-compose and uses a `.env` file.

- 1. In the `.env` file, set the values. Note that these variables are only used in the context of Docker; they are referenced by the actual variables in the `docker-compose.yml` file. A sample screenshot is provided below.

  Sample docker environment values for enabling Microsoft authentication
- 2. Next, update the Squidex container by recreating it. Run the following command to do so:

  ```
  docker-compose up -d --force-recreate squidex_squidex
  ```

  `squidex_squidex` is the default name of the container if you are running the `docker-compose.yml` file provided by us.
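A pre-flight check you could run before recreating the container, as an added example that is not part of the Squidex documentation or repository: it tests the three values and the redirect URI against what the steps above require, and checks that the `.env` file holding the secret is not readable by other users. The function names and sample values are constructed for illustration, and the Secret ID check assumes the Azure portal lists a GUID-shaped Secret ID next to the secret Value.

```shell
#!/bin/sh
# Pre-flight check for the Squidex Microsoft-login settings (added example).
# Values in the sample call at the bottom are constructed placeholders.

GUID_RE='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

is_guid() { printf '%s\n' "$1" | grep -Eq "$GUID_RE"; }

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# check_settings CLIENT SECRET TENANT REDIRECT_URI
# Prints one line per problem; the exit status is the number of problems.
check_settings() {
    problems=0
    is_guid "$1" || fail "IDENTITY__MICROSOFTCLIENT must be the Application (client) ID, a GUID"
    is_guid "$3" || fail "IDENTITY__MICROSOFTTENANT must be the Directory (tenant) ID, a GUID"
    if [ -z "$2" ]; then
        fail "IDENTITY__MICROSOFTSECRET is empty: Microsoft authentication stays disabled"
    elif is_guid "$2"; then
        # Assumption: the portal shows a GUID-shaped Secret ID beside the Value.
        fail "IDENTITY__MICROSOFTSECRET looks like the Secret ID, not the secret Value"
    fi
    case "$4" in
        */signin-microsoft) ;;
        *) fail "Redirect URI must end with /signin-microsoft" ;;
    esac
    return "$problems"
}

# env_file_is_private FILE: succeeds only if group and others cannot read FILE,
# because the .env file stores the client secret in clear text.
env_file_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 1 ;;
        *) return 0 ;;
    esac
}

# Sample call with constructed values; this one passes every check.
check_settings "11111111-2222-3333-4444-555555555555" \
    "constructed~Secret.Value_0123456789" \
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" \
    "https://squidex.example.com/signin-microsoft" && echo "settings look consistent"
```
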
- 1. Reload the Squidex page and click Login to Squidex.
- 2. You should see a Login with Microsoft button. In the Signup section, you can also Signup with Microsoft.
- 3. On the next screen, enter a username and password from the Azure AD tenant.
- 4. When prompted for permissions, click Accept.
- 5. You should now be able to Signup or Login with a Microsoft account from the configured Azure AD tenant using OAuth.