Add Microsoft as an EASIE connection
Enabling EASIE SSO with Microsoft (formerly Active Directory) allows your users to sign up and sign in to your Clerk application with their Microsoft account.
Configure for your development instance
For development instances, Clerk uses preconfigured shared credentials and redirect URIs—no other configuration is needed.
- In the Clerk Dashboard, navigate to the SSO connections page.
- Select Add connection and select For specific domains or organizations.
- Under EASIE, select Microsoft.
- Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
- Select Add connection.
Configure for your production instance
For production instances, you must provide custom credentials. If you already configured Microsoft as a social provider, you can skip this step. EASIE SSO will automatically use the credentials you configured for your social connection.
To make the setup process easier, it's recommended to keep two browser tabs open: one for the Clerk Dashboard and one for your Microsoft Azure portal.
Enable Microsoft as an EASIE connection
- In the Clerk Dashboard, navigate to the SSO connections page.
- Select Add connection and select For specific domains or organizations.
- Under EASIE, select Microsoft.
- Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
- Save the Redirect URI somewhere secure. Keep this modal and page open.
Create a Microsoft Entra ID app
- On the homepage of the Microsoft Azure portal, in the Azure services section, select Microsoft Entra ID.
- In the sidenav, open the Manage dropdown and select App registrations.
- Select New Registration. You'll be redirected to the Register an application page.
- Complete the form as follows:
- Under Name, enter your app name.
- Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
- Under Redirect URI (Optional), select Web as the platform and enter the Redirect URI you saved from the Clerk Dashboard.
- Select Register to submit the form. You'll be redirected to the Overview page of your new app. Keep this page open.
 
Get your Client ID and Client Secret
- From your app's Overview page, save the Application (client) ID somewhere secure.
- In the sidenav, select Certificates & secrets.
- Select New client secret.
- In the modal that opens, enter a description and set an expiration time for your secret.
- Select Add.
- Save the Value somewhere secure.
Enable OpenID
- In the left sidenav, open the Manage dropdown and select Authentication.
- In the Front-channel logout URL field, paste the Redirect URI you copied from the Clerk Dashboard.
- Under Implicit grant and hybrid flows, check both Access tokens and ID tokens.
- Select Save to save the changes.
Secure your app against the nOAuth vulnerability
nOAuth is an exploit in Microsoft Entra ID OAuth apps that can lead to account takeovers via email address spoofing. Clerk mitigates this risk by enforcing stricter checks on verified email addresses.
For further security, Microsoft offers an optional xms_edov claim, which provides additional context to determine whether the returned email is verified.
To enable it, you must:
- In the left sidenav, in the Manage dropdown, select Token configuration.
- Select Add optional claim.
- For the Token type, select ID. Then, in the table that opens, enable the email and xms_pdl claims.
- At the bottom of the modal, select Add. A new modal will prompt you to turn on the Microsoft Graph email permission. Enable it, then select Add to complete the form.
- Repeat the previous steps but for Token type, select Access instead of ID. The Optional claims list should now show two claims for email and two for xms_pdl: one each for ID and Access.
- In the left sidenav, in the Manage dropdown, select Manifest.
- In the text editor, search for "acceptMappedClaims" and set its value from null to true.
- Search for "optionalClaims", where you'll find the idToken and accessToken arrays. Each array has an object with the name xms_pdl. Change the name to xms_edov.
- At the top of the page, select Save.
- In the left sidenav, in the Manage dropdown, select Token configuration to confirm that the Optional claims list includes two claims for email and two for xms_edov: one each for ID and Access.
With these steps complete, Microsoft will send the xms_edov claim in the token, which Clerk will use to determine whether the email is verified, even when used with Microsoft Entra ID.
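The manifest edits above, and the check Clerk's stricter verification relies on, as an added example (not Clerk's or Microsoft's own code). It applies the acceptMappedClaims and xms_pdl to xms_edov changes to a constructed manifest fragment, reports anything still missing, and shows the defensive rule for a decoded token: trust the email claim only when xms_edov is boolean true.

```python
"""Added example: automate and verify the nOAuth hardening steps from the
guide on an Entra ID app manifest, then gate on the xms_edov token claim."""
import copy

# Constructed sample: the relevant manifest fragment as it looks after the
# "Token configuration" steps but before the manifest edits (still xms_pdl).
SAMPLE_MANIFEST = {
    "acceptMappedClaims": None,
    "optionalClaims": {
        "idToken": [{"name": "email"}, {"name": "xms_pdl"}],
        "accessToken": [{"name": "email"}, {"name": "xms_pdl"}],
    },
}


def harden_manifest(manifest: dict) -> dict:
    """Return a copy with acceptMappedClaims set to true and xms_pdl renamed
    to xms_edov in both the idToken and accessToken optional-claim arrays."""
    out = copy.deepcopy(manifest)
    out["acceptMappedClaims"] = True
    for token_type in ("idToken", "accessToken"):
        for claim in out["optionalClaims"].get(token_type, []):
            if claim["name"] == "xms_pdl":
                claim["name"] = "xms_edov"
    return out


def check_manifest(manifest: dict) -> list[str]:
    """List what would leave the app exposed: acceptMappedClaims not true, or
    the email / xms_edov optional claims missing from either token type."""
    problems = []
    if manifest.get("acceptMappedClaims") is not True:
        problems.append("acceptMappedClaims is not true")
    for token_type in ("idToken", "accessToken"):
        claims = manifest.get("optionalClaims", {}).get(token_type, [])
        names = {c["name"] for c in claims}
        for required in ("email", "xms_edov"):
            if required not in names:
                problems.append(f"{token_type} lacks optional claim {required}")
    return problems


def email_is_verified(claims: dict) -> bool:
    """Defensive rule for decoded token claims: the email is usable only when
    xms_edov is present and boolean true; absence or any other value (e.g. the
    string "true") is treated as unverified, which is the nOAuth mitigation."""
    return bool(claims.get("email")) and claims.get("xms_edov") is True
```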
Set the Client ID and Client Secret in the Clerk Dashboard
- Navigate back to the Clerk Dashboard where the modal should still be open. Paste the Client ID and Client Secret values that you saved into the respective fields.
- Select Add connection.
Test your connection
The simplest way to test your connection is to visit your Clerk app's Account Portal, which is available for all Clerk apps out-of-the-box.
- In the Clerk Dashboard, navigate to the Account Portal page.
- Next to Sign-in, select the button to visit the sign-in page. The URL should resemble:
- For development - https://your-domain.accounts.dev/sign-in
- For production - https://accounts.your-domain.com/sign-in
- Sign in with your connection's credentials.