2021-01-29 00:20:46 +05:30
---
2022-07-16 23:28:13 +05:30
stage: Manage
group: Authentication and Authorization
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2021-01-29 00:20:46 +05:30
---
2022-05-07 20:08:51 +05:30
# Use Microsoft Azure as an authentication provider **(FREE SELF)**
2016-01-14 18:37:52 +05:30
2022-05-07 20:08:51 +05:30
You can enable the Microsoft Azure OAuth 2.0 OmniAuth provider and sign in to
GitLab with your Microsoft Azure credentials. You can configure the provider that uses
2022-11-25 23:54:43 +05:30
[the earlier Azure Active Directory v1.0 endpoint ](https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code ),
2022-05-07 20:08:51 +05:30
or the provider that uses the v2.0 endpoint.
2016-01-14 18:37:52 +05:30
2022-05-07 20:08:51 +05:30
NOTE:
For new projects, Microsoft suggests you use the
2022-11-25 23:54:43 +05:30
[OpenID Connect protocol ](../administration/auth/oidc.md#configure-microsoft-azure ),
2022-05-07 20:08:51 +05:30
which uses the Microsoft identity platform (v2.0) endpoint.
2021-04-17 20:07:23 +05:30
2023-07-09 08:55:56 +05:30
## Migrate to the OpenID Connect protocol
To migrate to the OpenID Connect protocol, see [configure multiple OpenID Connect providers ](../administration/auth/oidc.md#configure-multiple-openid-connect-providers ).
You must set the `uid_field` , which differs across the providers:
| Provider | `uid` | Remarks |
|-----------------------------------------------------------------------------------------------------------------|-------|-----------------------------------------------------------------------|
| [`omniauth-azure-oauth2` ](https://gitlab.com/gitlab-org/gitlab/-/tree/master/vendor/gems/omniauth-azure-oauth2 ) | `sub` | Additional attributes `oid` , `tid` are offered within the info object |
| [`omniauth-azure-activedirectory-v2` ](https://github.com/RIPAGlobal/omniauth-azure-activedirectory-v2/ ) | `oid` | You must configure `oid` as `uid_field` when migrating |
| [`omniauth_openid_connect` ](https://github.com/omniauth/omniauth_openid_connect/ ) | `sub` | Specify `uid_field` to use another field |
To migrate from `omniauth-azure-oauth2` to `omniauth_openid_connect` you
must change the configuration:
- **For Omnibus installations**
```diff
gitlab_rails['omniauth_providers'] = [
{
name: "azure_oauth2",
# label: "Provider name", # optional label for login button, defaults to "Azure AD"
args: {
+ name: "azure_oauth2",
+ strategy_class: "OmniAuth::Strategies::OpenIDConnect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://login.microsoftonline.com/< tenant_id > /v2.0",
+ client_auth_method: "query",
+ discovery: true,
+ uid_field: "sub",
+ client_options: {
+ identifier: "< client_id > ",
+ secret: "< client_secret > ",
+ redirect_uri: "https://gitlab.example.com/users/auth/azure_oauth2/callback"
+ }
- client_id: "< client_id > ",
- client_secret: "< client_secret > ",
- tenant_id: "< tenant_id > ",
}
}
]
```
- **For installations from source**
```diff
- { name: 'azure_oauth2',
# label: 'Provider name', # optional label for login button, defaults to "Azure AD"
- args: { client_id: '< client_id > ',
- client_secret: '< client_secret > ',
- tenant_id: '< tenant_id > ' } }
+ icon: "< custom_provider_icon > ",
+ args: {
+ name: "azure_oauth2",
+ strategy_class: "OmniAuth::Strategies::OpenIDConnect",
+ scope: ["openid","profile","email"],
+ response_type: "code",
+ issuer: 'https://login.microsoftonline.com/< tenant_id > /v2.0',
+ discovery: true,
+ client_auth_method: 'query',
+ uid_field: 'sub',
+ send_scope_to_token_endpoint: "false",
+ client_options: {
+ identifier: "< client_id > ",
+ secret: "< client_secret > ",
+ redirect_uri: "< your_gitlab_url > /users/auth/azure_oauth2/callback"
+ }
+ }
}
```
To migrate for example from `omniauth-azure-activedirectory-v2` to `omniauth_openid_connect` you
must change the configuration:
- **For Omnibus installations**
```diff
gitlab_rails['omniauth_providers'] = [
{
- name: "azure_activedirectory_v2",
# label: "Provider name", # optional label for login button, defaults to "Azure AD v2"
args: {
+ name: "azure_activedirectory_v2",
+ strategy_class: "OmniAuth::Strategies::OpenIDConnect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://login.microsoftonline.com/< tenant_id > /v2.0",
+ client_auth_method: "query",
+ discovery: true,
+ uid_field: "oid",
+ client_options: {
+ identifier: "< client_id > ",
+ secret: "< client_secret > ",
+ redirect_uri: "https://gitlab.example.com/users/auth/azure_activedirectory_v2/callback"
+ }
- client_id: "< client_id > ",
- client_secret: "< client_secret > ",
- tenant_id: "< tenant_id > ",
}
}
]
```
- **For installations from source**
```diff
- { name: 'azure_activedirectory_v2',
# label: 'Provider name', # optional label for login button, defaults to "Azure AD v2"
- args: { client_id: '< client_id > ',
- client_secret: '< client_secret > ',
- tenant_id: '< tenant_id > ' } }
+ icon: "< custom_provider_icon > ",
+ args: {
+ name: "azure_activedirectory_v2",
+ strategy_class: "OmniAuth::Strategies::OpenIDConnect",
+ scope: ["openid","profile","email"],
+ response_type: "code",
+ issuer: 'https://login.microsoftonline.com/< tenant_id > /v2.0',
+ discovery: true,
+ client_auth_method: 'query',
+ uid_field: 'oid',
+ send_scope_to_token_endpoint: "false",
+ client_options: {
+ identifier: "< client_id > ",
+ secret: "< client_secret > ",
+ redirect_uri: "< your_gitlab_url > /users/auth/azure_activedirectory_v2/callback"
+ }
+ }
}
```
For more information on other customizations, see [`gitlab_username_claim` ](index.md#authentication-sources ).
2022-05-07 20:08:51 +05:30
## Register an Azure application
2021-04-17 20:07:23 +05:30
2021-11-11 11:23:49 +05:30
To enable the Microsoft Azure OAuth 2.0 OmniAuth provider, you must register
2022-05-07 20:08:51 +05:30
an Azure application and get a client ID and secret key.
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
1. Sign in to the [Azure portal ](https://portal.azure.com ).
2022-11-25 23:54:43 +05:30
1. If you have multiple Azure Active Directory tenants, switch to the desired tenant. Note the tenant ID.
1. [Register an application ](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app )
2022-05-07 20:08:51 +05:30
and provide the following information:
- The redirect URI, which requires the URL of the Azure OAuth callback of your GitLab
installation. For example:
- For the v1.0 endpoint: `https://gitlab.example.com/users/auth/azure_oauth2/callback` .
- For the v2.0 endpoint: `https://gitlab.example.com/users/auth/azure_activedirectory_v2/callback` .
- The application type, which must be set to **Web** .
1. Save the client ID and client secret. The client secret is only
displayed once.
2021-04-17 20:07:23 +05:30
2022-11-25 23:54:43 +05:30
If required, you can [create a new application secret ](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret ).
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
`client ID` and `client secret` are terms associated with OAuth 2.0.
In some Microsoft documentation, the terms are named `Application ID` and
`Application Secret` .
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
## Add API permissions (scopes)
2021-04-17 20:07:23 +05:30
2022-11-25 23:54:43 +05:30
If you're using the v2.0 endpoint, after you create the application, [configure it to expose a web API ](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis ).
2022-05-07 20:08:51 +05:30
Add the following delegated permissions under the Microsoft Graph API:
2021-04-17 20:07:23 +05:30
- `email`
- `openid`
- `profile`
2021-12-11 22:18:48 +05:30
Alternatively, add the `User.Read.All` application permission.
2022-05-07 20:08:51 +05:30
## Enable Microsoft OAuth in GitLab
2021-04-17 20:07:23 +05:30
1. On your GitLab server, open the configuration file.
2022-05-07 20:08:51 +05:30
- **For Omnibus installations**
```shell
sudo editor /etc/gitlab/gitlab.rb
```
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
- **For installations from source**
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
```shell
cd /home/git/gitlab
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
sudo -u git -H editor config/gitlab.yml
```
2021-04-17 20:07:23 +05:30
2023-06-20 00:43:36 +05:30
1. Configure the [common settings ](omniauth.md#configure-common-settings )
2023-04-23 21:23:45 +05:30
to add `azure_oauth2` as a single sign-on provider. This enables Just-In-Time
account provisioning for users who do not have an existing GitLab account.
2021-04-17 20:07:23 +05:30
2022-11-25 23:54:43 +05:30
1. Add the provider configuration. Replace `<client_id>` , `<client_secret>` , and `<tenant_id>`
2022-05-07 20:08:51 +05:30
with the values you got when you registered the Azure application.
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
- **For Omnibus installations**
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
For the v1.0 endpoint:
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
```ruby
gitlab_rails['omniauth_providers'] = [
{
name: "azure_oauth2",
# label: "Provider name", # optional label for login button, defaults to "Azure AD"
args: {
2022-11-25 23:54:43 +05:30
client_id: "< client_id > ",
client_secret: "< client_secret > ",
tenant_id: "< tenant_id > ",
2022-05-07 20:08:51 +05:30
}
2021-04-17 20:07:23 +05:30
}
2022-05-07 20:08:51 +05:30
]
```
For the v2.0 endpoint:
```ruby
gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_activedirectory_v2",
"label" => "Provider name", # optional label for login button, defaults to "Azure AD v2"
"args" => {
2022-11-25 23:54:43 +05:30
"client_id" => "< client_id > ",
"client_secret" => "< client_secret > ",
"tenant_id" => "< tenant_id > ",
2022-05-07 20:08:51 +05:30
}
}
]
```
2022-11-25 23:54:43 +05:30
For [alternative Azure clouds ](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud ),
2022-08-27 11:52:29 +05:30
configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):
```ruby
gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_activedirectory_v2",
"label" => "Provider name", # optional label for login button, defaults to "Azure AD v2"
"args" => {
2022-11-25 23:54:43 +05:30
"client_id" => "< client_id > ",
"client_secret" => "< client_secret > ",
"tenant_id" => "< tenant_id > ",
2022-08-27 11:52:29 +05:30
"base_azure_url" => "https://login.microsoftonline.us"
}
}
]
```
2022-05-07 20:08:51 +05:30
- **For installations from source**
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
For the v1.0 endpoint:
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
```yaml
- { name: 'azure_oauth2',
# label: 'Provider name', # optional label for login button, defaults to "Azure AD"
2022-11-25 23:54:43 +05:30
args: { client_id: '< client_id > ',
client_secret: '< client_secret > ',
tenant_id: '< tenant_id > ' } }
2022-05-07 20:08:51 +05:30
```
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
For the v2.0 endpoint:
```yaml
- { name: 'azure_activedirectory_v2',
label: 'Provider name', # optional label for login button, defaults to "Azure AD v2"
2022-11-25 23:54:43 +05:30
args: { client_id: "< client_id > ",
client_secret: "< client_secret > ",
tenant_id: "< tenant_id > " } }
2022-08-27 11:52:29 +05:30
```
2022-11-25 23:54:43 +05:30
For [alternative Azure clouds ](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud ),
2022-08-27 11:52:29 +05:30
configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):
```yaml
- { name: 'azure_activedirectory_v2',
label: 'Provider name', # optional label for login button, defaults to "Azure AD v2"
2022-11-25 23:54:43 +05:30
args: { client_id: "< client_id > ",
client_secret: "< client_secret > ",
tenant_id: "< tenant_id > ",
2022-08-27 11:52:29 +05:30
base_azure_url: "https://login.microsoftonline.us" } }
2022-05-07 20:08:51 +05:30
```
2021-04-17 20:07:23 +05:30
2022-11-25 23:54:43 +05:30
You can also optionally add the `scope` for [OAuth 2.0 scopes ](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow ) parameter to the `args` section. The default is `openid profile email` .
2021-04-17 20:07:23 +05:30
1. Save the configuration file.
2022-05-07 20:08:51 +05:30
1. [Reconfigure GitLab ](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure )
if you installed using Omnibus, or [restart GitLab ](../administration/restart_gitlab.md#installations-from-source )
if you installed from source.
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
1. Refresh the GitLab sign-in page. A Microsoft icon should display below the
sign-in form.
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
1. Select the icon. Sign in to Microsoft and authorize the GitLab application.
2021-04-17 20:07:23 +05:30
2022-05-07 20:08:51 +05:30
Read [Enable OmniAuth for an existing user ](omniauth.md#enable-omniauth-for-an-existing-user )
for information on how existing GitLab users can connect to their new Azure AD accounts.