
Setting Up Microsoft Azure AD OAuth

Follow these steps to set up Microsoft/Azure AD authentication in your Galeo organization.

Step 1: Go to Azure Portal

Navigate to the Azure Portal and sign in with your Microsoft account.

Step 2: Access Azure Active Directory

  1. Click Azure Active Directory in the left sidebar
  2. Or search for “Azure Active Directory” in the search bar

Step 3: Register a New Application

  1. Go to App registrations in the left menu
  2. Click New registration
  3. Enter a name for your application (e.g., “Galeo”)
  4. Choose the supported account types:
    • Accounts in this organizational directory only (Single tenant) is the recommended choice. Only users from your own Azure tenant can sign in. This is the most secure option and the one Galeo defaults to.
    • Accounts in any organizational directory (Multitenant) only if you intend to let users from other Azure tenants sign in. If you pick this, you must use the "Any Microsoft tenant" mode in Step 7, which requires verified emails.
  5. Click Register

Step 4: Add Redirect URI

  1. In your app registration, go to Authentication in the left menu
  2. Click Add a platform, then select Web
  3. Enter your Galeo callback URL in the “Redirect URIs” field:
https://www.getgaleo.com/auth/<your-slug>/callback/microsoft
  4. Check Access tokens and ID tokens under “Implicit grant and hybrid flows”
  5. Click Configure

Step 5: Create a Client Secret

  1. Go to Certificates & secrets in the left menu
  2. Click New client secret
  3. Enter a description (e.g., “Galeo Integration”)
  4. Select an expiration period
  5. Click Add
  6. Important: Copy the secret value immediately - you can only see it once!

Step 6: Get Your Credentials

From the Overview page of your app registration, copy:

  • Application (Client) ID - This is your Client ID
  • Directory (Tenant) ID - You need this to build the issuer URL for single-tenant sign-in (see Step 7)

You already have the Client Secret from Step 5.

Step 7: Configure in Galeo

  1. Return to the authentication setup page in Galeo
  2. Select Microsoft as the authentication method
  3. Paste your Client ID and Client Secret
  4. Under Which Microsoft tenants can sign in?, choose how Galeo should trust the accounts Microsoft asserts:
    • Only my Azure tenant (recommended): paste your issuer URL in the form https://login.microsoftonline.com/<your-tenant-id>/v2.0, using the Directory (Tenant) ID from Step 6. Galeo pins sign-in to that one tenant and rejects any ID token issued by a different Azure tenant. A single-tenant provider is treated as trusted, so it can create and link accounts.
    • Any Microsoft tenant (verified emails only): Galeo accepts sign-ins from any Azure tenant but only creates or links an account when Microsoft confirms the user’s email domain is verified. This mode requires the xms_edov optional claim (see Step 8).
  5. Click “Enable Microsoft” to activate Microsoft authentication

Why this matters. Before pinning to a tenant or requiring verified email, a Microsoft app registration on the multi-tenant /common endpoint would accept a token from any Azure tenant. An attacker who controls their own tenant could assert a victim’s email address and have Galeo link or create that account. Both modes above close that path. New Microsoft providers will not create or link accounts until you pick one of them.

Step 8: Add the xms_edov claim (only for "Any Microsoft tenant" mode)

If you chose Any Microsoft tenant (verified emails only), Azure must send the xms_edov ("email domain owner verified") claim so Galeo can tell a verified email from a spoofed one:

  1. In your app registration, go to Token configuration
  2. Click Add optional claim
  3. Select the ID token type
  4. Add the xms_edov claim and save
  5. If prompted, accept the request to turn on the required Microsoft Graph permission

Skip this step entirely if you chose Only my Azure tenant.

Testing

Once enabled, users can sign in using their Microsoft/Azure AD accounts. Test the integration by attempting to sign in with a Microsoft account from your tenant.

Advanced Configuration

Restricting to Your Organization Only

Choosing Only my Azure tenant in Step 7 already restricts sign-in to your organization. For defense in depth, also set the supported account types in Azure to match:

  1. In your app registration, go to Authentication
  2. Under “Supported account types”, select Accounts in this organizational directory only

This requires users to have an account in your specific Azure tenant, so Azure itself refuses sign-ins from other tenants even before the token reaches Galeo.

Trusted vs untrusted providers

Galeo treats the Microsoft provider as trusted when you pin it to your own Azure tenant. A trusted provider may provision a new Galeo account on first sign-in and link a federated login to an existing account by email.

If you later switch the provider to Any Microsoft tenant mode, the verified-email requirement (xms_edov) is what keeps account creation and linking safe across tenants. You can review and change this on the provider’s detail page under Auth Methods. See Authentication overview for the full model.
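To make the two trust modes from Step 7 and the “Why this matters” paragraph concrete, here is an added Python example of the decision a relying party makes before creating or linking an account. It is not Galeo’s code and not Microsoft’s; the mode names, the client and tenant IDs, the sample claim sets and the token builder are all constructed for this example, and it assumes the ID token’s signature has already been verified against Microsoft’s published signing keys.

```python
import base64
import json
from dataclasses import dataclass

# Constructed placeholder identifiers; not real Galeo or Azure values.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"
MICROSOFT_ISSUER_PREFIX = "https://login.microsoftonline.com/"
# The issuer URL pasted into Galeo in "Only my Azure tenant" mode (Step 7).
PINNED_ISSUER = f"{MICROSOFT_ISSUER_PREFIX}{OUR_TENANT_ID}/v2.0"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token: str) -> dict:
    """Return the claim set of a compact JWT (header.payload.signature).

    Assumption: signature verification against Microsoft's signing keys has
    already happened; this only parses the payload so the policy below can be
    exercised offline on constructed tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token with a placeholder signature segment."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.signature-placeholder"


@dataclass(frozen=True)
class Decision:
    allowed: bool  # may this token create or link an account?
    reason: str


def evaluate_sign_in(claims: dict, mode: str) -> Decision:
    """Apply the two Step 7 trust modes to a verified ID token's claims.

    mode is "only_my_tenant" or "any_tenant_verified_email" (names are this
    example's own, not Galeo's). Anything else disables account linking.
    """
    if claims.get("aud") != CLIENT_ID:
        return Decision(False, "token was issued for a different application")
    issuer = claims.get("iss", "")

    if mode == "only_my_tenant":
        # Exact match on the pinned issuer: a token from any other tenant,
        # from /common, or from a v1.0 issuer is rejected outright.
        if issuer != PINNED_ISSUER:
            return Decision(False, f"issuer {issuer!r} is not the pinned tenant")
        return Decision(True, "issuer matches the pinned Azure tenant")

    if mode == "any_tenant_verified_email":
        if not (issuer.startswith(MICROSOFT_ISSUER_PREFIX) and issuer.endswith("/v2.0")):
            return Decision(False, "issuer is not a Microsoft v2.0 tenant endpoint")
        if not claims.get("email"):
            return Decision(False, "no email claim to match an account on")
        # xms_edov must be present and true. A missing claim means the optional
        # claim from Step 8 was never configured, so the email is unproven.
        if claims.get("xms_edov") is not True:
            return Decision(False, "email domain ownership not verified (xms_edov)")
        return Decision(True, "verified email from a Microsoft tenant")

    return Decision(False, "no tenant trust mode selected; linking disabled")


# Constructed sample claim sets (no real users or tenants).
GENUINE_OWN_TENANT = {"iss": PINNED_ISSUER, "aud": CLIENT_ID,
                      "tid": OUR_TENANT_ID, "email": "alice@example.com"}
OTHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"
# A tenant someone else controls, asserting alice's address without a verified domain.
FOREIGN_UNVERIFIED = {"iss": f"{MICROSOFT_ISSUER_PREFIX}{OTHER_TENANT_ID}/v2.0",
                      "aud": CLIENT_ID, "tid": OTHER_TENANT_ID,
                      "email": "alice@example.com", "xms_edov": False}
PARTNER_VERIFIED = {"iss": f"{MICROSOFT_ISSUER_PREFIX}{OTHER_TENANT_ID}/v2.0",
                    "aud": CLIENT_ID, "tid": OTHER_TENANT_ID,
                    "email": "bob@partner.example", "xms_edov": True}

if __name__ == "__main__":
    for name, claims in [("own tenant", GENUINE_OWN_TENANT),
                         ("foreign, unverified", FOREIGN_UNVERIFIED),
                         ("partner, verified", PARTNER_VERIFIED)]:
        parsed = id_token_claims(make_unsigned_token(claims))
        for mode in ("only_my_tenant", "any_tenant_verified_email"):
            d = evaluate_sign_in(parsed, mode)
            print(f"{name:22s} {mode:26s} allowed={d.allowed} ({d.reason})")
```

Note that the own-tenant token is rejected in the any-tenant mode because it carries no xms_edov claim: that mode trusts nothing it cannot prove, which is exactly why Step 8 is mandatory for it. The single-tenant mode needs no such claim because the issuer pin already answers the question of who vouches for the email.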

Adding More Permissions

To request additional user information:

  1. Go to API permissions in the left menu
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Choose the permissions you need (e.g., email, profile, etc.)
  5. Click Add permissions

Troubleshooting

“Invalid redirect_uri”

Make sure the callback URL in Galeo matches exactly what you configured in the Azure portal’s Authentication settings.

“Client ID or secret incorrect”

Double-check that you’ve copied the credentials correctly. Note that client secrets cannot be viewed again after initial creation - you’ll need to create a new one if you lose it.

“AADSTS50058: Silent sign-in request failed”

This may indicate the user needs to sign in interactively. Ensure your application is configured for the right account type in the “Supported account types” setting.