> For the complete documentation index, see [llms.txt](https://docs.defguard.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.defguard.net/1.4/features/external-openid-providers/microsoft.md).

# Microsoft

1. Go to [https://portal.azure.com/](https://portal.azure.com)
2. Navigate to Microsoft Entra ID
3. In Microsoft Entra ID, expand Manage and select App registrations from the menu on the left.

   <figure><img src="/files/UkcIGM4uCHWXZsZMOSkr" alt=""><figcaption></figcaption></figure>
4. Click "New registration"
5. Fill out the form as in the example:

   <figure><img src="/files/AEI5kG4vMjFohMd9I9RQ" alt=""><figcaption></figcaption></figure>

Make sure the Redirect URI you enter here is correct: Entra ID only sends the authorization response to a URI that exactly matches one registered on the application. Replace `defguard.example.com` with the domain of your Defguard dashboard. If you'd like to use OpenID enrollment through the proxy, add a second redirect URI in the form `<DEFGUARD_ENROLLMENT_URL>/openid/callback`.

6. You should now be on the registered application's management screen. Copy the Application (client) ID and the Directory (tenant) ID from here, as you need to provide both on the Defguard settings page.

   <figure><img src="/files/263Fp2omSohIubuvV6q2" alt=""><figcaption></figcaption></figure>
7. Go to Defguard settings, open the OpenID tab and paste the copied client ID. Insert the tenant ID in place of the `<TENANT_ID>` placeholder in the base URL field; the tenant-specific URL is what pins Defguard to your tenant's issuer rather than to any Microsoft account.
8. Now back in Microsoft Entra ID, still in your newly created application, go to **Certificates & Secrets**

   <figure><img src="/files/SL84PrfFumQOTi9yzBVo" alt=""><figcaption></figcaption></figure>
9. Click Client secrets and create a new client secret. Copy its **value** (not the secret ID) immediately and paste it into your Defguard OpenID settings; Entra ID shows the value only once, right after creation. Note the expiry date you chose: once the secret expires, Microsoft logins will fail until you create a new secret and update Defguard.
10. Go to Token configuration (in the menu on the left) and click "Add optional claim".
11. Select the ID token type and the claims shown below:

    <figure><img src="/files/Srua6oTjqgAfP0TGBA1g" alt=""><figcaption></figcaption></figure>
12. Accept the popup that offers to turn on the matching Microsoft Graph permissions, or configure the API permissions manually.

<figure><img src="/files/L5EIqsAEDsRB0MLH5tfz" alt=""><figcaption></figcaption></figure>

13. Now you should be good to go. A new login button should appear on the Defguard login screen.
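The checks that depend on the values configured in the steps above, shown as an added Python example rather than Defguard's own code: the tenant-specific base URL from step 7 fixes the issuer a token must carry, the client ID from step 7 is the audience it must be issued for, and the optional claims from step 11 only appear in the ID token if they were added there. Entra ID signs tokens for every tenant with the same keys, so a valid signature alone proves only that Microsoft issued the token; pinning `iss` and `tid` is what keeps accounts from other tenants out. The tenant and client IDs, the sample payloads and `email` as the required claim are constructed placeholders, and signature verification against the JWKS from the base URL's discovery document is assumed to have happened already.

```python
"""Claim checks a relying party such as Defguard must apply to an Entra ID
ID token, run on constructed sample payloads. Added illustration, not
Defguard's code. Assumes the JWT signature was already verified against the
JWKS advertised by <base URL>/.well-known/openid-configuration."""
import time

# Constructed placeholders for the two values copied from the app registration.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Base URL as entered in Defguard, with <TENANT_ID> substituted.
BASE_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def expected_issuer(base_url: str) -> str:
    """On the v2.0 endpoint of a specific tenant, `iss` equals the base URL."""
    return base_url.rstrip("/")


def check_id_token_claims(claims, base_url, client_id, tenant_id,
                          required_claims=(), now=None):
    """Return a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    # Tenant pinning. Entra signs tokens for every tenant with the same keys, so a
    # valid signature alone would let any Microsoft account in any tenant log in.
    if claims.get("iss") != expected_issuer(base_url):
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tenant mismatch: {claims.get('tid')!r}")
    # Audience pinning: a token minted for another app registration is not ours.
    if claims.get("aud") != client_id:
        problems.append("audience is not this client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # Optional claims show up only if they were added under Token configuration.
    for name in required_claims:
        if not claims.get(name):
            problems.append(f"missing claim {name!r}: add it under Token configuration")
    return problems


NOW = 1_700_000_000  # fixed clock so the samples evaluate the same every run
OTHER_TENANT_ID = "99999999-8888-7777-6666-555555555555"

# Constructed decoded payloads, as they look after signature verification.
GOOD = {"iss": BASE_URL, "tid": TENANT_ID, "aud": CLIENT_ID, "exp": NOW + 3600,
        "sub": "constructed-subject-id", "email": "alice@example.com"}
OTHER_TENANT = dict(GOOD, iss=f"https://login.microsoftonline.com/{OTHER_TENANT_ID}/v2.0",
                    tid=OTHER_TENANT_ID)
WRONG_AUDIENCE = dict(GOOD, aud="ffffffff-0000-0000-0000-000000000000")
EXPIRED = dict(GOOD, exp=NOW - 1)
NO_EMAIL = {k: v for k, v in GOOD.items() if k != "email"}


def verdicts(required_claims=("email",)):
    """Evaluate every sample token against the configured tenant and client."""
    samples = {"good": GOOD, "other_tenant": OTHER_TENANT,
               "wrong_audience": WRONG_AUDIENCE, "expired": EXPIRED,
               "no_email": NO_EMAIL}
    return {name: check_id_token_claims(tok, BASE_URL, CLIENT_ID, TENANT_ID,
                                        required_claims, now=NOW)
            for name, tok in samples.items()}


if __name__ == "__main__":
    for name, problems in verdicts().items():
        print(f"{name:15} {'OK' if not problems else '; '.join(problems)}")
```

Only the `good` sample passes; the token from another tenant fails both the issuer and the `tid` check, which is the behaviour you want from a base URL that names your tenant instead of `common`.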

### Directory synchronization

{% hint style="info" %}
This feature is available only in Defguard 1.2.1 and above
{% endhint %}

{% hint style="warning" %}
This feature is currently limited to 10000 members or groups. High user or group counts may still hit your provider's API rate limits even below this threshold. If you have many users (200+), we recommend testing this feature first before you turn on automatic user deletion.
{% endhint %}

Defguard supports synchronizing the state of users and groups from your Microsoft directory.

Make sure to check the [general guide to directory synchronization](/1.4/features/external-openid-providers.md#directory-synchronization) to learn more about the available configuration options.

#### Setup

1. Go back to your app registrations in Microsoft Entra ID and select the app you registered during the provider setup.

2. Navigate to API permissions

   <figure><img src="/files/Udo2VebMe3vNGfGOpnJO" alt=""><figcaption></figcaption></figure>

3. Click "Add a permission", then select "Microsoft Graph"

   <figure><img src="/files/Spg6f8U8JlshvbTeh83W" alt=""><figcaption></figcaption></figure>

4. Select "Application permissions", as Defguard performs the synchronization in the background with its own identity (client credentials), not on behalf of a signed-in user.

   <figure><img src="/files/zPNWWo6AiPfWMl12VAtz" alt=""><figcaption></figcaption></figure>

5. Assign the following permissions:
   * `GroupMember.Read.All`
   * `Group.Read.All`
   * `User.Read.All`

   All three are read-only: the app can list users, groups and memberships but cannot modify your directory. Do not grant broader permissions than these.

6. Now grant admin consent for the permissions using the "Grant admin consent for <your tenant>" button. Application permissions are never consented by the signing-in user; until a tenant administrator grants them, Microsoft Graph rejects the sync's requests.

   <figure><img src="/files/JUdZY5BzeQEgvtTigtqd" alt=""><figcaption></figcaption></figure>

7. You should be good to go now. Navigate to the directory sync settings in Defguard and test your setup using the test connection button.
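What the background sync does with those permissions, as an added Python illustration (not Defguard's implementation): an app-only token request with the `.default` scope, a paged listing of `/users` that follows `@odata.nextLink`, and honoring `Retry-After` when Graph throttles, which is the provider API limit the warning above refers to. `FakeGraph`, the sample users and the selected attributes are constructed stand-ins for graph.microsoft.com so the example runs offline. `list_all` raises on any failure instead of returning what it has, because a sync wired to automatic user deletion must never treat a partial listing as "these users no longer exist".

```python
"""Background directory sync against Microsoft Graph in outline: app-only
token, paged listing via @odata.nextLink, and backoff on 429. Added
illustration, not Defguard's code; FakeGraph is a constructed stand-in for
graph.microsoft.com so this runs offline."""
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

GRAPH = "https://graph.microsoft.com/v1.0"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """URL and form body of the app-only token request application permissions need."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default requests every application permission an admin has consented to.
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


class FakeGraph:
    """Constructed stand-in: serves `users` in pages, throttles the very first call."""

    def __init__(self, users, page_size=2):
        self.users, self.page_size = users, page_size
        self.throttled = False
        self.calls = 0

    def get(self, url: str, bearer: str) -> Response:
        self.calls += 1
        if bearer != "Bearer app-token":
            return Response(401, {"error": {"code": "InvalidAuthenticationToken"}})
        if not self.throttled:  # one simulated throttling event
            self.throttled = True
            return Response(429, {"error": {"code": "TooManyRequests"}}, {"Retry-After": "2"})
        parsed = urlparse(url)
        if not parsed.path.endswith("/users"):  # anything else: permission not consented
            return Response(403, {"error": {"code": "Authorization_RequestDenied"}})
        start = int(parse_qs(parsed.query).get("$skiptoken", ["0"])[0])
        body = {"value": self.users[start:start + self.page_size]}
        if start + self.page_size < len(self.users):
            body["@odata.nextLink"] = f"{GRAPH}/users?$skiptoken={start + self.page_size}"
        return Response(200, body)


def list_all(get, url: str, bearer: str, sleep=time.sleep, max_retries: int = 5) -> list:
    """Follow @odata.nextLink until exhausted; raise on any failure so the caller
    never acts (for example deletes users) on a partial listing."""
    items, retries = [], 0
    while url:
        resp = get(url, bearer)
        if resp.status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("Graph kept throttling; aborting sync, keeping previous state")
            sleep(float(resp.headers.get("Retry-After", "1")))
            continue
        if resp.status == 403:
            raise PermissionError("application permission missing or admin consent not granted")
        if resp.status != 200:
            raise RuntimeError(f"Graph returned {resp.status}: {resp.body}")
        items.extend(resp.body.get("value", []))
        url = resp.body.get("@odata.nextLink")
    return items


def sync_users(graph, bearer="Bearer app-token"):
    """List every user; returns (users, seconds waited for throttling)."""
    # $select limits the payload to the attributes a sync needs (assumed set).
    url = f"{GRAPH}/users?$select=id,userPrincipalName,mail,accountEnabled&$top=2"
    waits = []
    users = list_all(graph.get, url, bearer, sleep=waits.append)
    return users, waits


# Constructed directory of five users, served in pages of two.
SAMPLE_USERS = [
    {"id": f"u{i}", "userPrincipalName": f"user{i}@example.com", "accountEnabled": i != 3}
    for i in range(1, 6)
]

if __name__ == "__main__":
    users, waits = sync_users(FakeGraph(SAMPLE_USERS))
    disabled = [u["id"] for u in users if not u["accountEnabled"]]
    print(f"{len(users)} users, waited {waits} s for throttling, disabled: {disabled}")
```

Against the real service the opaque `$skiptoken` comes from Graph itself and the group listing follows the same loop over `/groups` and `/groups/{id}/members`; the point to keep is that throttling and a missing permission end the run with an error rather than with an empty user list.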


