Sign in with Microsoft Entra ID aka Active Directory

​

Pre-requisites

First, you’ll need to enable user authentication within Mage. You can find out more about this in the Overview page.

​

Enable Microsoft sign in

There are two ways to enable Microsoft sign in. You can either register an application in your organization’s own Microsoft Entra ID, or use the default Mage application. We recommend registering your own application unless there is a specific reason you cannot do so.

​

Configurable environment variables

To configure the environment for Microsoft Azure Cloud and Microsoft Azure Gov Cloud sign-in, you need to set the following environment variables:

1. You can set the AZURE_HOST environment variable to one of the following based on your environment:

Public cloud host url: "https://login.microsoftonline.com"
China host url: "https://login.chinacloudapi.cn"
Germany host url: "https://login.microsoftonline.de"
Government host url: "https://login.microsoftonline.us"

2. You can set the MICROSOFT_GRAPH_API_HOST environment variable to one of the following basd on your environment:

Microsoft Graph global service: "https://graph.microsoft.com"
Microsoft Graph for US Government L4: "https://graph.microsoft.us"
Microsoft Graph for US Government L5 (DOD): "https://dod-graph.microsoft.us"
Microsoft Graph China operated by 21Vianet: "https://microsoftgraph.chinacloudapi.cn"

​

Map AD role to Mage role

You can map Active Directory roles to Mage roles by setting the ACTIVE_DIRECTORY_ROLES_MAPPING environment variable. The value should be a JSON object with the AD role as the key and the name of the Mage role as the value. For example:

export ACTIVE_DIRECTORY_ROLES_MAPPING='{"Mage.Edit": "Editor", "Mage.Admin": "Admin"}'

You can find the AD role value in the App roles section of your application in the Azure Portal.

When a user signs in for the first time with their Microsoft account, Mage will use this mapping to automatically add the appropriate roles to the user.