lobehub/docs/self-hosting/auth/providers/microsoft.mdx
Arvin Xu adbf11dc11
📝 docs: update documents (#12982)
update document
2026-03-14 22:06:09 +08:00


---
title: Configuring Microsoft Authentication for LobeHub
description: >-
  Learn how to configure Microsoft (Entra ID / Azure AD) SSO for LobeHub,
  including creating applications in Azure Portal and setting up environment
  variables.
tags:
  - Microsoft
  - Authentication
  - Azure AD
  - LobeHub
  - Single Sign-On
---
# Configuring Microsoft Authentication
<Steps>
### Create a Microsoft Entra ID Application
1. Go to [Microsoft Entra Admin Center](https://entra.microsoft.com/)
2. Navigate to **Identity** > **Applications** > **App registrations** > **New registration**
3. Fill in the application name
4. Choose supported account types:
   - **Single tenant**: Only users in your organization
   - **Multitenant**: Users in any Azure AD organization
   - **Multitenant + personal**: Also includes personal Microsoft accounts
<Image alt="App Register" inStep src="https://github.com/lobehub/lobehub/assets/13883964/4f9d83bd-b3fc-4abc-bcf4-ccbad65c219d" />
### Configure Redirect URI
In the **Redirect URI** section:
1. Select **Web** as the platform
2. Enter the callback URL
<Callout type={'info'}>
Callback URL format:
- Local development: `http://localhost:3210/api/auth/callback/microsoft`
- Production: `https://your-domain.com/api/auth/callback/microsoft`
</Callout>
Click **Register**.
### Get Application Credentials
After creation, view the **Overview** tab:
<Image alt="App Overview" inStep src="https://github.com/lobehub/lobehub/assets/13883964/48a0b702-05bd-4ce4-a007-a8ad00a36e5a" />
Note down:
- **Application (client) ID** - This is your `AUTH_MICROSOFT_ID`
- **Directory (tenant) ID** - Needed for single-tenant apps
### Create Client Secret
1. Go to **Certificates & secrets** > **Client secrets**
2. Click **New client secret**
3. Fill in a description and select an expiration time
4. Click **Add**
<Image alt="Create App Client Secret" inStep src="https://github.com/lobehub/lobehub/assets/13883964/c9d66fa0-158c-4bd3-a1fa-969e638259d2" />
<Callout type={'warning'}>
Copy the client secret **Value** immediately - you won't be able to see it
again.
</Callout>
### Configure Environment Variables
| Environment Variable | Type | Description |
| ------------------------------ | -------- | --------------------------------------------------------------- |
| `AUTH_SECRET` | Required | Session encryption key, generate with `openssl rand -base64 32` |
| `AUTH_SSO_PROVIDERS` | Required | Set to `microsoft` |
| `AUTH_MICROSOFT_ID` | Required | Application (client) ID |
| `AUTH_MICROSOFT_SECRET` | Required | Client secret value |
| `AUTH_MICROSOFT_AUTHORITY_URL` | Optional | Authority URL for Microsoft Entra ID |
| `AUTH_MICROSOFT_TENANT_ID` | Optional | Directory (tenant) ID for single-tenant apps |
<Callout type={'info'}>
**Alternative Environment Variables**: For backward compatibility, these
aliases are also supported:
- `AUTH_MICROSOFT_ENTRA_ID_ID` / `AUTH_MICROSOFT_ENTRA_ID_SECRET`
- `AUTH_AZURE_AD_ID` / `AUTH_AZURE_AD_SECRET`
- `AZURE_AD_CLIENT_ID` / `AZURE_AD_CLIENT_SECRET`
</Callout>
<Callout type={'tip'}>
Go to [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#microsoft)
for detailed information.
</Callout>
</Steps>
<Callout type={'info'}>
After successful deployment, users will be able to authenticate with Microsoft
and use LobeHub.
</Callout>
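
A preflight check for the variables in the table above, written as an added example and not part of LobeHub's own code. It flags a client secret that is GUID-shaped (the portal's **Secret ID** pasted instead of the **Value**) and conflicting values across the alias names. Assumptions: `AUTH_SECRET` was generated with `openssl rand -base64 32`, `AUTH_SSO_PROVIDERS` may hold a comma-separated list, and the helper names and sample values are hypothetical.

```python
import base64
import os
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Documented name first, then the aliases from this page (prefix + _ID / _SECRET).
PREFIXES = ["AUTH_MICROSOFT", "AUTH_MICROSOFT_ENTRA_ID", "AUTH_AZURE_AD", "AZURE_AD_CLIENT"]
# Constructed sample: the secret slot holds a GUID, i.e. the Secret ID was pasted.
SAMPLE = {"AUTH_SECRET": base64.b64encode(bytes(32)).decode(), "AUTH_SSO_PROVIDERS": "microsoft",
          "AUTH_MICROSOFT_ID": "11111111-2222-3333-4444-555555555555",
          "AZURE_AD_CLIENT_SECRET": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}


def resolve(env, suffix, problems):
    """Return the value set under any alias for `suffix`; record gaps and conflicts."""
    names = [prefix + suffix for prefix in PREFIXES]
    found = {n: env[n].strip() for n in names if env.get(n, "").strip()}
    if not found:
        problems.append(f"missing: set {names[0]}")
        return None
    if len(set(found.values())) > 1:
        problems.append(f"conflicting values across {sorted(found)}")
    return next(iter(found.values()))


def check_env(env):
    """Return a list of problems in a LobeHub Microsoft SSO environment."""
    problems = []
    try:  # Assumes the key was generated with `openssl rand -base64 32`.
        key = base64.b64decode(env.get("AUTH_SECRET", ""), validate=True)
    except ValueError:
        key = b""
    if len(key) < 32:
        problems.append("AUTH_SECRET: expected base64 of at least 32 bytes")
    # Assumption: the variable may hold a comma-separated provider list.
    providers = [p.strip() for p in env.get("AUTH_SSO_PROVIDERS", "").split(",")]
    if "microsoft" not in providers:
        problems.append("AUTH_SSO_PROVIDERS: 'microsoft' is not listed")
    client_id = resolve(env, "_ID", problems)
    if client_id and not GUID.match(client_id):
        problems.append("client ID: not a GUID, copy Application (client) ID")
    secret = resolve(env, "_SECRET", problems)
    if secret and GUID.match(secret):
        problems.append("client secret: GUID-shaped, likely the Secret ID not the Value")
    return problems


if __name__ == "__main__":
    print("\n".join(check_env(os.environ)) or "ok")
```

Run it in the same environment the LobeHub container or process will receive; it prints `ok` when no problem is found and never prints the secret values themselves.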
## Common Issues
### Client Secret Expiration
Microsoft client secrets have a maximum validity of 24 months. Remember to rotate secrets before they expire.
## Related Resources
- [Microsoft Entra Admin Center](https://entra.microsoft.com/)
- [Quickstart: Register an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)