Microsoft Azure Authentication Provider
The Backstage core-plugin-api package comes with a Microsoft authentication
provider that can authenticate users using Azure OAuth.
Create an App Registration on Azure
To support Azure authentication, you must create an App Registration:
- Log in to the Azure Portal
- Create an Active Directory Tenant, if one does not yet exist
- Navigate to Azure Active Directory > App Registrations
- Register an application
- Name: Backstage (or your custom app name)
- Redirect URI: Web >
http://localhost:7007/api/auth/microsoft/handler/frame
- Navigate to Certificates & secrets > New client secret to create a secret
Configuration
The provider configuration can then be added to your app-config.yaml under the
root auth configuration:
auth:
environment: development
providers:
microsoft:
development:
clientId: ${AUTH_MICROSOFT_CLIENT_ID}
clientSecret: ${AUTH_MICROSOFT_CLIENT_SECRET}
tenantId: ${AUTH_MICROSOFT_TENANT_ID}
The Microsoft provider is a structure with three configuration keys:
clientId: Application (client) ID, found on App Registration > OverviewclientSecret: Secret, found on App Registration > Certificates & secretstenantId: Directory (tenant) ID, found on App Registration > Overview
Outbound Network Access
If your environment has restrictions on outgoing access (e.g. through firewall rules), make sure your Backstage backend has access to the following hosts:
login.microsoftonline.com, to get and exchange authorization codes and access tokensgraph.microsoft.com, to fetch user profile information (as seen in this source code). If this host is unreachable, users may see anAuthentication failed, failed to fetch user profileerror when they attempt to log in.
Adding the provider to the Backstage frontend
To add the provider to the frontend, add the microsoftAuthApiRef reference and
SignInPage component as shown in
Adding the provider to the sign-in page.