MS Entra ID (was Azure AD) enterprise auth

Kinde supports the use of Microsoft Entra ID (WS Federated and OpenID) as an enterprise-level authentication method. This service used to be Azure AD.

If you are importing users into Kinde, their Entra ID will be picked up and matched to the relevant connection based on their email address, for a seamless transition to Kinde.

Microsoft Entra ID is the new name for Microsoft Azure AD, which is Microsoft’s enterprise authentication service. This doc contains some mixed references as we update our Kinde interface for the change. More information.

Before you begin

Link to this section

• Your app needs to be registered with the Microsoft identity platform.
• You need the Client ID and Client Secret from the Microsoft app to connect to Kinde.
• We recommend you test connections in a non-production environment before activating in a live environment.

Add and configure the connection in Kinde

Link to this section

Add the connection

Link to this section

1. In Kinde, go to Settings > Environment > Authentication.
2. Scroll down to the Enterprise Connections section and select Add connections. The Add connection window opens.
3. Select the connection type you want to add and then select Save. Currently we support WS Federated and OpenID types. The connection type is added.

Configure the connection

Link to this section

1. On the tile for the new connection, select Configure.

2. Enter a Connection name. Make this something you can easily identify, especially if you are adding multiple connections for different business customers.

   If you plan to import users into Kinde, make sure the connection name matches the connection name in the Entra ID record.

3. Select if you want to treat this connection as a trusted provider. A trusted provider is one that guarantees the email they issue is verified. We recommend leaving this off for maximum security.

4. Enter your Microsoft Azure domain.

5. Enter the Client ID and Client secret as they appear in the MS Azure portal. Make sure you use the Value of the client secret.

6. Enter Home realm domains. This speeds up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information about how, see Home realm domains or IdP discovery.

7. If you want, select the Use common endpoint option. Recommended if you use multi-tenancy.

8. Select Extended profile if you want to sync the additional information stored in a user’s Microsoft profile to their Kinde user profile.

9. If you want to sync user groups, select Get user groups. Recommended if you manage permissions and access via user groups in Microsoft. You also need to do some additional setup, see below.

   Extended attributes data is included in the extra_claims object of the access token.

10. If you want, select Sync user profiles and attributes on sign in. Recommended to keep Kinde user profile data in sync with user profile data from Microsoft. If you choose this option, ensure that the global profile sync preference is also switched on in Settings > Environment > Policies.

11. If you want to enable just-in-time (JIT) provisioning, select the Create a user record in Kinde option. This saves time adding users manually or via API later.

12. Copy the Callback URL. You’ll need to enter this in your Microsoft app.

13. In the Applications section, select the applications you want to activate the connection for.

14. Select Save.

(Optional) Sync Entra ID groups with Kinde

Link to this section

Add groups claim to MS Entra ID app

Link to this section

1. Open your application in the MS Azure Portal.
2. Go to Token configuration in the left menu.
3. Select Add groups claim.
4. In the window that appears, select the groups to be included in tokens.

5. If you want, customize the token properties by type.
6. Save your changes.

For reference, see this Microsoft doc about configuring optional claims

Customize ID token in Kinde

Link to this section

1. Open your application in Kinde.
2. Go to Tokens.
3. Scroll to Token customization and select Configure on the ID tokens tile.
4. Switch on Social identity as an additional claim.
5. Select Save.

Access group info in tokens

Link to this section

• ID token - ext_provider > claims > profile > groups
• Access token - ext_groups

Add the callback URL to MS Azure

Link to this section

1. Open your application in the MS Azure Portal.
2. Select the Redirect URIs links on the right.
3. Select Add URI.
4. In the relevant field, enter your callback URL (from Step 9 above)
5. Select Save.

Make sure you test each connection before enabling in production for your users.

Test the connection

Link to this section

1. Go to your test application and attempt to sign in.
2. If you left the Home realm domains field blank in Kinde, when you launch your application, you should see a button to sign in. Click it and go to step 4.
3. If you completed the Home realm domains field, you should be redirected immediately to your IdP sign in screen.
4. Enter your IdP details and complete any additional authentication required.

Edit or disconnect a connection

Link to this section

1. In Kinde, go to Settings > Environment > Authentication.
2. Scroll down to the Enterprise Connections section and select Configure on the connection you want to edit.
3. In the connection details window, update the settings you want.
4. In the Applications section, disconnect or reconnect your applications.
5. Select Save.

Delete an enterprise connection

Link to this section

Before you delete a connection, make sure that there are no users relying on it for authentication. Once deleted, the sign in option becomes unavailable to users. This action can’t be reversed.

1. In Kinde, go to Settings > Environment > Authentication.
2. Scroll down to the Enterprise Connections section and select the three dots on the tile for the connection, then select Delete connection.
3. In the confirmation window, select Delete connection.

Sign out behaviour for user session

Link to this section

If your users sign in via the Entra ID (formerly Azure AD) enterprise connection in Kinde, when they sign out, they are just signing out of Kinde. They are not fully being signed out of Entra ID.

It also works this way for social connections, where a third party is the identity provider.