Manage users across organizations
Manage users
MS Entra ID (was Azure AD) enterprise auth
Kinde supports the use of Microsoft Entra ID as an authentication method. We support WS Federated and OAuth2.0 (follow the topic below), and Microsoft Entra ID SAML which is covered in a separate topic.
If you import users into Kinde, their Entra ID will be picked up and matched to the relevant connection based on their email address, for a seamless transition to Kinde.
You can also pass upstream params to the IdP as part of this procedure.
Before you begin
Link to this section- Register an app in the Microsoft Entra Admin Center See the docs here.
- Copy the Client ID and Client Secret from the Microsoft app.
- We recommend you test connections in a non-production environment before activating in a live environment.
Step 1: Add and configure the connection in Kinde
Link to this sectionAdd a connection for a specific organization
Link to this section- Go to Organizations and open the organization.
- In the menu, select Authentication, then select Add connection.
- In the Add connection window, select New enterprise connection, then click Next.
- Select the Microsoft connection type you want (WS Federated or OAuth2.0) and then select Next.
- Next: ‘Step 2: Configure the connection’.
Add a connection that can be shared across multiple organizations
Link to this section- Go to Settings > Environment > Authentication.
- Scroll to the Enterprise connection section and select Add connection. The Add connection window opens.
- Select the Microsoft connection type you want (WS Federated or OAuth2.0) and then select Save.
- Next: ‘Step 2: Configure the connection’.
Step 2: Configure the connection
Link to this section-
Enter a Connection name. Make this something you can easily identify, especially if you are adding multiple connections for different business customers.
-
Enter your Microsoft Entra domain.
-
Enter the Client ID and Client secret as they appear in the MS Entra application. Make sure you use the Value of the client secret.
-
Enter Home realm domains. This speeds up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information about how, see Home realm domains or IdP discovery.
-
If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.
-
If you want, select the Use common endpoint option. Recommended if you use multi-tenancy.
-
Select Extended profile if you want to sync the additional information stored in a user’s Microsoft profile to their Kinde user profile. Extended attributes data is included in the
extra_claimsobject of the access token. -
If you want to sync user groups, select Get user groups. Recommended if you manage permissions and access via user groups in Microsoft. You also need to do some additional setup, see below.
-
Select if you want to treat this connection as a trusted provider. A trusted provider is one that guarantees the email they issue is verified. We recommend leaving this off for maximum security.
-
If you want, select Sync user profiles and attributes on sign in. Recommended to keep Kinde user profile data in sync with user profile data from Microsoft. If you choose this option, ensure that the global profile sync preference is also switched on in Settings > Environment > Policies.
-
If you want to enable just-in-time (JIT) provisioning, select the Create a user record in Kinde option. This saves time adding users manually or via API later.
-
Add any upstream params that you want to pass to the IdP.
-
Copy the Callback URL. You’ll need to enter this in your Entra ID app.
-
Select Save.
Step 3: Add the callback URL to your Entra ID app
Link to this section- Open your application in the Portal.
- Select the Redirect URIs links on the right.
- Select Add URI.
- In the relevant field, enter your callback URL (from the ‘Configure the connection’ procedure above)
- Select Save.
Step 4: Enable the connection in Kinde
Link to this sectionMake sure you test the connection before enabling in production for your users.
- Open the connection configuration page in Kinde.
- Switch on the connection. This will make it instantly available to users if this is your production environment.
- For environment-level connections, scroll down and select the apps that will use the auth method.
- For organization-level connections, scroll down and select if you want to switch this on for the org.
- Select Save.
(Optional) Sync Entra ID groups with Kinde
Link to this sectionAdd groups claim to MS Entra ID app
Link to this section- Open your application in the Portal.
- Go to Token configuration in the left menu.
- Select Add groups claim.
- In the window that appears, select the groups to be included in tokens.
- If you want, customize the token properties by type.
- Save your changes.
For reference, see this Microsoft doc about configuring optional claims
Customize ID token in Kinde
Link to this section- Open your application in Kinde.
- Go to Tokens.
- Scroll to Token customization and select Configure on the ID tokens tile.
- Switch on Social identity as an additional claim.
- Select Save.
Access group info in tokens
Link to this section- ID token -
ext_provider > claims > profile > groups - Access token -
ext_groups
Step 4: Test the connection
Link to this section- Go to your test application and attempt to sign in.
- If you left the Home realm domains field blank in Kinde, when you launch your application, you should see a button to sign in. Click it and go to step 4.
- If you completed the Home realm domains field, you should be redirected immediately to your IdP sign in screen.
- Enter your IdP details and complete any additional authentication required.