This guide shows how to configure Coder to authenticate users with Microsoft Entra ID using OpenID Connect (OIDC).

- A Microsoft Azure Entra ID Tenant

- Permission to create Applications in your Azure environment

1. Open Microsoft Azure Portal (https://portal.azure.com) → Microsoft Entra ID → App Registrations → New Registration.

2. Name: Name your application appropriately

3. Supported Account Types: Choose the appropriate radio button according to your needs. Most organizaitons will want to use the first one labeled "Accounts in this organizational directory only"

4. Click on "Register"

5. On the next screen, select: "Certificates and Secrets"

6. Click on "New Client Secret" and under description, enter an appropriate description. Then set an expiry and hit "Add" once it's created, copy the value and save it somewhere secure for the next step.

7. Next, click on the tab labeled "Token Configuration", then click "Add optional claim" and select the "ID" radio button, and finally check "upn" and hit "add" at the bottom.

8. Then, click on the button labeled "Add groups claim" and check "Security groups" and click "Save" at the bottom.

9. Now, click on the tab labeled "Authentication" and click on "Add a platform", select "Web" and for the redirect URI enter your Coder callback URL, and then hit "Configure" at the bottom:

Set the following environment variables on your Coder deployment and restart Coder:

After changing settings, users must log out and back in once to obtain refresh tokens.

Learn more in[Configure OIDC refresh tokens](./refresh-tokens.md).

- "invalid redirect_uri": ensure the redirect URI in Azure Entra ID matches`https://<your-coder-host>/api/v2/users/oidc/callback`.

- Domain restriction: if users from unexpected domains can log in, verify`CODER_OIDC_EMAIL_DOMAIN`.

- Claims: to inspect claims returned by Google, see guidance in the[OIDC overview](./index.md#oidc-claims).

-[OIDC overview](./index.md)

-[Configure OIDC refresh tokens](./refresh-tokens.md)