Microsoft Azure Active Directory
To enable OAuth2 support:

Fill in the Client ID and Client Secret settings. These values can be obtained easily as described in the Azure AD Application Registration doc:

    SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = ''
    SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = ''

Also it's possible to define extra permissions with:

    SOCIAL_AUTH_AZUREAD_OAUTH2_RESOURCE = ''

This is the resource you would like to access after authentication succeeds. Some of the possible values are https://graph.windows.net or https://<your SharePoint site name>-my.sharepoint.com. When using Microsoft Graph, the resource needed is:

    SOCIAL_AUTH_AZUREAD_OAUTH2_RESOURCE = 'https://graph.microsoft.com/'

Add the backend to the authentication backends setting:

    AUTHENTICATION_BACKENDS = (
        ...
        'social_core.backends.azuread.AzureADOAuth2',
        ...
    )

If you are using an authority host other than the default AZURE_PUBLIC_CLOUD ('login.microsoftonline.com'), you can override the default with the AUTHORITY_HOST setting. A list of Azure authority hosts can be found in the Azure Authority Hosts doc:

    SOCIAL_AUTH_AZUREAD_OAUTH2_AUTHORITY_HOST = ''
Federated identity credentials (client assertions) are supported when you do not want to use a client secret. After adding a federated credential to your Entra ID app, point the backend at the OIDC token that your workload issues (for example, Kubernetes service account tokens, GitHub Actions OIDC tokens, or Azure Workload Identity). The backend will automatically use a client assertion instead of CLIENT_SECRET when the secret is omitted:

    # Default path exported by Azure Workload Identity and GitHub Actions
    AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token

    # Or configure explicitly via the backend setting
    SOCIAL_AUTH_AZUREAD_OAUTH2_FEDERATED_TOKEN_FILE = '/path/to/oidc/token'

You can also provide a pre-built client assertion JWT:

    SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...'
    SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

Kubernetes projected service account token volume example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      serviceAccountName: myserviceaccount
      containers:
        - name: mycontainer
          image: myimage
          volumeMounts:
            - name: azure-identity-token
              mountPath: /var/run/secrets/azure/tokens
              readOnly: true
      volumes:
        - name: azure-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: azure-identity-token
                  audience: api://AzureADTokenExchange
                  expirationSeconds: 3600
These settings apply to all Azure AD/Entra ID variants in this doc (common, tenant-specific, v2, and B2C). For more information on workload identity, see Workload Identity Federation and Federated identity credentials (Workload Identity) docs.
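As an added example (not the backend's own code), this shows the credential selection described above end to end: client_secret when it is set, otherwise a client assertion taken from the explicit setting or from the AZURE_FEDERATED_TOKEN_FILE default, with the projected token's audience and expiry sanity-checked before it is sent. The settings dict, the token request shape and the constructed sample JWT are assumptions for illustration; the claims are only decoded, never verified, because signature verification is Entra ID's job.

```python
import base64
import json
import os
import time

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
FEDERATED_AUDIENCE = "api://AzureADTokenExchange"  # audience of the projected token above

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(aud, lifetime=3600):
    # Constructed stand-in for a workload OIDC token (dummy signature), so the example runs offline.
    claims = {"iss": "https://issuer.constructed.example", "aud": aud, "exp": int(time.time()) + lifetime}
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"

def assertion_claims(jwt):
    # Inspection only: the signature is checked by Entra ID, so nothing here is treated as verified.
    header, payload, _sig = jwt.split(".")  # ValueError if it is not a three-part JWT
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_assertion(jwt, expected_aud=None):
    # Fail before the token request on an expired token or, for projected tokens, a wrong audience.
    claims = assertion_claims(jwt)
    if expected_aud and claims.get("aud") != expected_aud:
        raise ValueError(f"unexpected audience {claims.get('aud')!r}")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("client assertion has expired; re-read the projected token file")

def token_request_body(settings, code, redirect_uri, environ=None):
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": settings["SOCIAL_AUTH_AZUREAD_OAUTH2_KEY"]}
    if settings.get("SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET"):
        body["client_secret"] = settings["SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET"]
        return body
    assertion = settings.get("SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION")
    if assertion:  # pre-built JWT: its aud is the token endpoint, so only expiry is checked
        check_assertion(assertion)
    else:  # projected token: explicit setting first, then the AZURE_FEDERATED_TOKEN_FILE default
        path = (settings.get("SOCIAL_AUTH_AZUREAD_OAUTH2_FEDERATED_TOKEN_FILE")
                or (os.environ if environ is None else environ).get("AZURE_FEDERATED_TOKEN_FILE"))
        if not path:
            raise ValueError("no client secret, client assertion or federated token file configured")
        with open(path) as fh:
            assertion = fh.read().strip()
        check_assertion(assertion, FEDERATED_AUDIENCE)
    body["client_assertion"] = assertion
    body["client_assertion_type"] = settings.get("SOCIAL_AUTH_AZUREAD_OAUTH2_CLIENT_ASSERTION_TYPE", ASSERTION_TYPE)
    return body
```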
Tenant Support

If the app is linked to a specific tenant (vs the common tenant) it's possible to use a version of the backend with tenant support.

Note: The backends are split because of the cryptography dependencies the tenant backends need, which must be installed manually.

To enable OAuth2 Tenant support:

Fill in the Client ID and Client Secret settings. These values can be obtained easily as described in the Azure AD Application Registration doc:

    SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = ''
    SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = ''

Fill in the tenant id:

    SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = ''

Also it's possible to define extra permissions with:

    SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_RESOURCE = ''

This is the resource you would like to access after authentication succeeds. Some of the possible values are https://graph.windows.net or https://<your SharePoint site name>-my.sharepoint.com. When using Microsoft Graph, the resource needed is:

    SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_RESOURCE = 'https://graph.microsoft.com/'

Add the backend to the authentication backends setting:

    AUTHENTICATION_BACKENDS = (
        ...
        'social_core.backends.azuread_tenant.AzureADTenantOAuth2',
        ...
    )

If you are using an authority host other than the default AZURE_PUBLIC_CLOUD ('login.microsoftonline.com'), you can override the default with the AUTHORITY_HOST setting. The Azure authority hosts are listed in the Azure Authority Hosts doc:

    SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_AUTHORITY_HOST = ''
B2C Tenant

If the app needs custom business logic for authentication then use the Azure AD B2C tenant.

To enable OAuth2 B2C Tenant support:

Fill in the Client ID and Client Secret settings. These values can be obtained easily as described in the Azure AD Application Registration doc:

    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_KEY = ''
    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_SECRET = ''

Fill in the tenant id:

    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_TENANT_NAME = ''

Fill in the B2C policy:

    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_POLICY = ''

The policy should start with b2c_. For more information see the Azure AD B2C User flows and custom policies overview doc.

Also it's possible to define extra permissions with:

    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_RESOURCE = ''

This is the resource you would like to access after authentication succeeds. Some of the possible values are https://graph.windows.net or https://<your SharePoint site name>-my.sharepoint.com. When using Microsoft Graph, the resource needed is:

    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_RESOURCE = 'https://graph.microsoft.com/'

Add the backend to the authentication backends setting:

    AUTHENTICATION_BACKENDS = (
        ...
        'social_core.backends.azuread_b2c.AzureADB2COAuth2',
        ...
    )

If you are using an authority host other than the default AZURE_PUBLIC_CLOUD ('b2clogin.com'), you can override the default with the AUTHORITY_HOST setting:

    SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_AUTHORITY_HOST = ''