---
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Use Microsoft Azure as an authentication provider **(FREE SELF)**

You can enable the Microsoft Azure OAuth 2.0 OmniAuth provider and sign in to
GitLab with your Microsoft Azure credentials. You can configure the provider that uses
[the earlier Azure Active Directory v1.0 endpoint](https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code),
or the provider that uses the v2.0 endpoint.

NOTE:
For new projects, Microsoft suggests you use the
[OpenID Connect protocol](../administration/auth/oidc.md#microsoft-azure),
which uses the Microsoft identity platform (v2.0) endpoint.

## Register an Azure application

To enable the Microsoft Azure OAuth 2.0 OmniAuth provider, you must register
an Azure application and get a client ID and secret key.

1. Sign in to the [Azure portal](https://portal.azure.com).
1. If you have multiple Azure Active Directory tenants, switch to the desired tenant.
1. [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
   and provide the following information:
   - The redirect URI, which requires the URL of the Azure OAuth callback of your GitLab
     installation. For example:
     - For the v1.0 endpoint: `https://gitlab.example.com/users/auth/azure_oauth2/callback`.
     - For the v2.0 endpoint: `https://gitlab.example.com/users/auth/azure_activedirectory_v2/callback`.
   - The application type, which must be set to **Web**.
1. Save the client ID and client secret. The client secret is only
   displayed once.
   If required, you can [create a new application secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).

`client ID` and `client secret` are terms associated with OAuth 2.0.
In some Microsoft documentation, the terms are named `Application ID` and
`Application Secret`.

## Add API permissions (scopes)

If you're using the v2.0 endpoint, after you create the application, [configure it to expose a web API](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis).
Add the following delegated permissions under the Microsoft Graph API:

- `email`
- `openid`
- `profile`

Alternatively, add the `User.Read.All` application permission.

## Enable Microsoft OAuth in GitLab

1. On your GitLab server, open the configuration file.

   - **For Omnibus installations**

     ```shell
     sudo editor /etc/gitlab/gitlab.rb
     ```

   - **For installations from source**

     ```shell
     cd /home/git/gitlab

     sudo -u git -H editor config/gitlab.yml
     ```

1. [Configure the initial settings](omniauth.md#configure-initial-settings).

1. Add the provider configuration. Replace `CLIENT ID`, `CLIENT SECRET`, and `TENANT ID`
   with the values you got when you registered the Azure application.

   - **For Omnibus installations**

     For the v1.0 endpoint:

     ```ruby
     gitlab_rails['omniauth_providers'] = [
       {
         name: "azure_oauth2",
         # label: "Provider name", # optional label for login button, defaults to "Azure AD"
         args: {
           client_id: "CLIENT ID",
           client_secret: "CLIENT SECRET",
           tenant_id: "TENANT ID",
         }
       }
     ]
     ```

     For the v2.0 endpoint:

     ```ruby
     gitlab_rails['omniauth_providers'] = [
       {
         "name" => "azure_activedirectory_v2",
         "label" => "Provider name", # optional label for login button, defaults to "Azure AD v2"
         "args" => {
           "client_id" => "CLIENT ID",
           "client_secret" => "CLIENT SECRET",
           "tenant_id" => "TENANT ID",
         }
       }
     ]
     ```

     For [alternative Azure clouds](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
     configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):

     ```ruby
     gitlab_rails['omniauth_providers'] = [
       {
         "name" => "azure_activedirectory_v2",
         "label" => "Provider name", # optional label for login button, defaults to "Azure AD v2"
         "args" => {
           "client_id" => "CLIENT ID",
           "client_secret" => "CLIENT SECRET",
           "tenant_id" => "TENANT ID",
           "base_azure_url" => "https://login.microsoftonline.us"
         }
       }
     ]
     ```

   - **For installations from source**

     For the v1.0 endpoint:

     ```yaml
     - { name: 'azure_oauth2',
         # label: 'Provider name', # optional label for login button, defaults to "Azure AD"
         args: { client_id: 'CLIENT ID',
                 client_secret: 'CLIENT SECRET',
                 tenant_id: 'TENANT ID' } }
     ```

     For the v2.0 endpoint:

     ```yaml
     - { name: 'azure_activedirectory_v2',
         label: 'Provider name', # optional label for login button, defaults to "Azure AD v2"
         args: { client_id: "CLIENT ID",
                 client_secret: "CLIENT SECRET",
                 tenant_id: "TENANT ID" } }
     ```

     For [alternative Azure clouds](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
     configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):

     ```yaml
     - { name: 'azure_activedirectory_v2',
         label: 'Provider name', # optional label for login button, defaults to "Azure AD v2"
         args: { client_id: "CLIENT ID",
                 client_secret: "CLIENT SECRET",
                 tenant_id: "TENANT ID",
                 base_azure_url: "https://login.microsoftonline.us" } }
     ```

   In addition, you can optionally add the following parameters to the `args` section:

   - `scope` for [OAuth2 scopes](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). The default is `openid profile email`.

1. Save the configuration file.

1. [Reconfigure GitLab](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure)
   if you installed using Omnibus, or [restart GitLab](../administration/restart_gitlab.md#installations-from-source)
   if you installed from source.

1. Refresh the GitLab sign-in page. A Microsoft icon should display below the
   sign-in form.

1. Select the icon. Sign in to Microsoft and authorize the GitLab application.
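
The redirect URI registered in Azure must match the provider name used in the GitLab configuration, and a placeholder left in `gitlab.rb` silently breaks the sign-in flow. The following Ruby helper is an added example, not GitLab's own code: it builds the Omnibus provider entry for the chosen endpoint, derives the callback URL to register, and rejects placeholder or malformed values. The function name and the GUID check on the client ID are assumptions of the example.

```ruby
# Added example (not GitLab's own code): build the Omnibus provider entry
# for the chosen Azure endpoint, derive the redirect URI to register in the
# Azure portal, and reject placeholder or malformed values before they are
# written to /etc/gitlab/gitlab.rb.
require 'uri'

PROVIDER_NAMES = { v1: 'azure_oauth2', v2: 'azure_activedirectory_v2' }.freeze
PLACEHOLDERS = ['CLIENT ID', 'CLIENT SECRET', 'TENANT ID'].freeze
# Azure application (client) IDs are GUIDs; this check is an assumption of the example.
GUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Returns [provider_hash, redirect_uri]. Raises ArgumentError on bad input.
def azure_provider(gitlab_url:, endpoint:, client_id:, client_secret:, tenant_id:,
                   base_azure_url: nil, scope: nil)
  name = PROVIDER_NAMES.fetch(endpoint) { raise ArgumentError, 'endpoint must be :v1 or :v2' }

  # Catch the documentation placeholders being left in place.
  [client_id, client_secret, tenant_id].each do |value|
    raise ArgumentError, "placeholder left in config: #{value}" if PLACEHOLDERS.include?(value)
  end
  raise ArgumentError, 'client_id is not a GUID' unless GUID_RE.match?(client_id)

  args = { 'client_id' => client_id, 'client_secret' => client_secret, 'tenant_id' => tenant_id }
  if base_azure_url
    # National clouds (for example GCC) use a different login host; require HTTPS.
    raise ArgumentError, 'base_azure_url must be https' unless URI.parse(base_azure_url).is_a?(URI::HTTPS)
    args['base_azure_url'] = base_azure_url
  end
  args['scope'] = scope if scope # default is "openid profile email" when omitted

  raise ArgumentError, 'gitlab_url must be https' unless URI.parse(gitlab_url).is_a?(URI::HTTPS)
  # The callback path is fixed by the provider name; any relative URL root is kept.
  redirect_uri = "#{gitlab_url.chomp('/')}/users/auth/#{name}/callback"

  [{ 'name' => name, 'args' => args }, redirect_uri]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  cfg, uri = azure_provider(gitlab_url: 'https://gitlab.example.com', endpoint: :v2,
                            client_id: '11111111-2222-3333-4444-555555555555',
                            client_secret: 'constructed-secret',
                            tenant_id: '99999999-8888-7777-6666-555555555555',
                            base_azure_url: 'https://login.microsoftonline.us')
  puts "Register this redirect URI in Azure: #{uri}"
  puts "gitlab_rails['omniauth_providers'] = [#{cfg.inspect}]"
end
```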

Read [Enable OmniAuth for an existing user](omniauth.md#enable-omniauth-for-an-existing-user)
for information on how existing GitLab users can connect to their new Azure AD accounts.