Add Microsoft 365 login

You can add Microsoft 365 login to your applications using WSO2 Identity Server and enable users to log in with their Microsoft 365 accounts.

Follow this guide for instructions.

Register WSO2 Identity Server on Microsoft

You need to register WSO2 Identity Server as an OAuth 2.0 application on Microsoft.

Note

For detailed instructions, you can follow the Microsoft documentation.

  1. Sign in to the Azure Portal using an account with administrator permissions.

    Note

    You must use an account in the same Microsoft 365 subscription (tenant) with which you intend to register the app.

  2. On the Azure portal, go to Azure Services > Microsoft Entra ID.

  3. Click Add and select App registration from the list.

  4. Provide the required information for app registration.

    Register an application on the Azure Portal

    Name: Enter a meaningful name for your application.
    Supported Account Type: Select the supported account type. If you wish for users to use only Microsoft 365 accounts, select either the first or the second option. Learn more about account types in the Microsoft documentation.
    Redirect URI: Select Web as the platform and provide the URL to redirect to after login completes. Value: https://localhost:9443/commonauth

  5. Click Register to create the application.

    Note

    Take note of the client ID after the application is created.

Now, let's generate a client secret for the application.

  1. Go to Certificates & secrets on the left navigation and click + New client secret.

  2. Enter a description for the client secret and select the expiry time.

  3. Click Add to add the client secret.

    Important

    Take note of the generated Value. Azure will allow copying this value only once. This value is the newly generated client secret for your Microsoft connection in WSO2 Identity Server.

Register the Microsoft 365 IdP

Now, let's register the Microsoft IdP in WSO2 Identity Server.

  1. On the WSO2 Identity Server Console, go to Connections.

  2. Click Create Connection and select Custom Connector.

  3. Provide a name and a description for the connector and click Finish.

    Create a custom connector

  4. On the created custom connector, go to the Settings tab.

  5. Click New Authenticator, select Office 365 and click Next.

  6. Enter the following details of the Microsoft identity provider and click Finish:

    Add Microsoft IDP in WSO2 Identity Server

    Name: A unique name for this Microsoft identity provider.
    Client ID: The client ID obtained from Microsoft.
    Client secret: The client secret obtained from Microsoft.
    Additional Query Parameters: Additional parameters that will be sent in the authorization request. Learn more about URI parameters in the Microsoft documentation.

By default, WSO2 Identity Server disables Just-In-Time (JIT) user provisioning for an external identity provider.

Note that when a user logs in with an external identity provider using the same email address as a local account, JIT provisioning overrides the attributes of that local account with the attributes received from the external identity provider.

To enable JIT-provisioning,

  1. On the WSO2 Identity Server Console, click Connections and select the relevant connection.

  2. Go to the Just-in-Time Provisioning tab of the selected connection.

  3. Check/Uncheck the Just-in-Time (JIT) User Provisioning checkbox to enable/disable it.

    enable/disable JIT user provisioning

  4. Click Update to save the changes.

Enable Microsoft 365 login

Before you begin

You need to register an application with WSO2 Identity Server. You can register your own application or use one of the sample applications provided.

To enable Microsoft login:

  1. On the WSO2 Identity Server Console, go to Applications.

  2. Select your application, go to the Login Flow tab and add Microsoft login from your preferred editor:

    1. Go to Predefined Flows > Basic Flows > Add Passwordless login.

    2. Select the Microsoft 365 connection.

    3. Click Confirm to add Microsoft 365 to the sign-in flow.

      Configuring IWA in WSO2 Identity Server using the Visual Editor

    Recommendations

    It is recommended to add your social and enterprise connections to the first authentication step as they are used for identifying the user.

  3. Click Update to save your changes.

Try it out

Follow the steps given below.

  1. Access the application URL.

  2. Click Login to open the WSO2 Identity Server login page.

  3. On the WSO2 Identity Server login page, click Sign in with Microsoft 365.

    Login with Microsoft

  4. Log in using an existing Microsoft 365 account.

Note

When a user successfully logs in with Microsoft 365 for the first time, a user account is created in the WSO2 Identity Server Console with the Microsoft 365 username. Microsoft will manage this new user account.

Configure user attributes

Configuring attributes for an Identity Provider (IdP) involves mapping the attributes available in the external IdP to local attributes. This is done so that WSO2 Identity Server can identify the user attributes in the response sent from the external IdP.

To do so,

  1. On the WSO2 Identity Server Console, click Connections.

  2. Select the relevant IdP connection from the list and click Set up.

  3. Go to the Attributes tab and under Identity Provider Attribute Mappings, click Add Attribute Mapping.

    Go to attributes section in IdP

  4. Enter the external attribute, select the corresponding local attribute to which it maps and click Add Attribute Mapping.

    Map IdP attributes

  5. Click Save to save the entries.

  6. Under Subject, select a Subject Attribute that will be used to uniquely identify the user.

  7. Under Provisioning Attributes Selection, select the attributes that need to be sent in the response to provision the user in WSO2 Identity Server.

  8. Click Update to save the changes.
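The following added example, which is not part of the WSO2 documentation or product code, models what the attribute mapping, subject selection and provisioning attribute selection above do to a federated login, together with the JIT override behaviour noted earlier. The claim names in the sample Microsoft 365 response and the specific local attribute URIs are illustrative assumptions; the URIs follow the shape of the WSO2 local claim dialect.

```python
# Constructed sample: claims as they might arrive from Microsoft 365 after login.
# Claim names are assumptions for illustration, not values from the documentation.
IDP_CLAIMS = {
    "oid": "11111111-2222-3333-4444-555555555555",
    "preferred_username": "alice@contoso.example",
    "email": "alice@contoso.example",
    "given_name": "Alice",
    "family_name": "Example",
    "department": "Finance",          # deliberately left unmapped below
}

# Identity Provider Attribute Mappings (external attribute -> local attribute),
# as collected on the Attributes tab. Local URIs are assumed examples.
ATTRIBUTE_MAPPINGS = {
    "oid": "http://wso2.org/claims/userid",
    "email": "http://wso2.org/claims/emailaddress",
    "given_name": "http://wso2.org/claims/givenname",
    "family_name": "http://wso2.org/claims/lastname",
}

# Subject Attribute: prefer a stable, tenant-issued identifier over a mutable email.
SUBJECT_ATTRIBUTE = "http://wso2.org/claims/userid"

# Provisioning Attributes Selection: only these are written to the local account.
PROVISIONING_ATTRIBUTES = {
    "http://wso2.org/claims/emailaddress",
    "http://wso2.org/claims/givenname",
}

def map_claims(idp_claims, mappings):
    """Translate IdP claim names into local attribute URIs; unmapped claims are dropped."""
    return {local: idp_claims[ext] for ext, local in mappings.items() if ext in idp_claims}

def resolve_subject(local_attrs, subject_attribute):
    """The subject must be present and non-empty, or the login cannot be tied to a user."""
    value = local_attrs.get(subject_attribute)
    if not value:
        raise ValueError(f"subject attribute {subject_attribute} missing from IdP response")
    return value

def jit_provision(local_attrs, selected, existing_account=None):
    """Provision the account from the selected attributes only. Where a matching local
    account already holds a different value, the IdP value wins, as the note above says;
    the set of overridden attributes is returned so the change can be audited."""
    account = dict(existing_account or {})
    incoming = {k: v for k, v in local_attrs.items() if k in selected}
    overridden = {k for k in incoming if k in account and account[k] != incoming[k]}
    account.update(incoming)
    return account, overridden
```

Running `jit_provision` against a local account that already has a given name shows the override explicitly, which is the case to watch for when local accounts and federated accounts share an email address.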

Configure connection

To learn more about other configurations available for the connection, refer to the add federated login documentation.