This guide shows how to configure Coder to authenticate users with Microsoft Entra ID using OpenID Connect (OIDC)

- A Microsoft Azure Entra ID Tenant

- Permission to create Applications in your Azure environment

1. Open Microsoft Azure Portal (https://portal.azure.com) → Microsoft Entra ID → App Registrations → New Registration

2. Name: Name your application appropriately

3. Supported Account Types: Choose the appropriate radio button according to your needs. Most organizations will want to use the first one labeled "Accounts in this organizational directory only"

4. Click on "Register"

5. On the next screen, select: "Certificates and Secrets"

6. Click on "New Client Secret" and under description, enter an appropriate description. Then set an expiry and hit "Add" once it's created, copy the value and save it somewhere secure for the next step

7. Next, click on the tab labeled "Token Configuration", then click "Add optional claim" and select the "ID" radio button, and finally check "upn" and hit "add" at the bottom

8. Then, click on the button labeled "Add groups claim" and check "Security groups" and click "Save" at the bottom

9. Now, click on the tab labeled "Authentication" and click on "Add a platform", select "Web" and for the redirect URI enter your Coder callback URL, and then hit "Configure" at the bottom:

Set the following environment variables on your Coder deployment and restart Coder:

After changing settings, users must log out and back in once to obtain refresh tokens

Learn more in[Configure OIDC refresh tokens](./refresh-tokens.md).

- "invalid redirect_uri": ensure the redirect URI in Azure Entra ID matches`https://<your-coder-host>/api/v2/users/oidc/callback`

- Domain restriction: if users from unexpected domains can log in, verify`CODER_OIDC_EMAIL_DOMAIN`

- Claims: to inspect claims returned by Microsoft, see guidance in the[OIDC overview](./index.md#oidc-claims)

-[OIDC overview](./index.md)

-[Configure OIDC refresh tokens](./refresh-tokens.md)

"description":"Configure Google as an OIDC provider",

"path":"./admin/users/oidc-auth/google.md"

},

{

"title":"Microsoft",

"description":"Configure Microsoft Entra ID as an OIDC provider",

"path":"./admin/users/oidc-auth/microsoft.md"

},

{

"title":"Configure OIDC refresh tokens",

"description":"How to configure OIDC refresh tokens",

You may want to change the default domain that's used to access coder, i.e.`yourcompany.coder.com` and find yourself unfamiliar with the process.

To change the access URL associated with your server, you can edit any of the following variables:

- CLI using the`--access-url` flag

- YAML using the`accessURL` option

- or ENV using the`CODER_ACCESS_URL` environmental variable.

For example,if you're using an environment file to configure your server, you'll want to edit the file located at`/etc/coder.d/coder.env` and edit the following:

`CODER_ACCESS_URL=https://yourcompany.coder.com` to your new desired URL.

Then save your changes, and reload daemon-ctl using the following command:

and restart the service using:

After coder restarts, your changes should be applied and should reflectin the admin settings.