Provider strategy

vestibule_microsoft

Microsoft OAuth strategy using Microsoft Graph /me, with helpers for tenant-specific sign-in.

When to use it

Use the Microsoft strategy when users sign in with Microsoft personal, work, or school accounts.

Default scopes: User.Read. The tenant-restricted strategy also requests openid, because that scope is what makes the token endpoint return the ID token whose tid claim is validated.

Install

gleam add vestibule_microsoft

Setup shape

  1. Create a Microsoft Entra ID app registration.
  2. Choose the supported account types (single tenant, any organizational directory, or organizational plus personal accounts) that match how you intend to restrict sign-in; the strategy you pick below should agree with this choice.
  3. Add Web redirect URIs for development and production; the URI passed to config.new must match one of them exactly.
  4. Copy the Application (client) ID and the client secret value. The secret value is shown only once, and it belongs in your environment or secret store, not in source control.

Usage

import vestibule/config
import vestibule_microsoft

pub fn main() {
  // Multi-tenant sign-in through the /common endpoint: any Microsoft
  // personal, work, or school account is accepted and no tenant check runs.
  let strategy = vestibule_microsoft.strategy()

  // Single-tenant sign-in: pass the tenant GUID (not a verified domain).
  // This variant also requests openid so the ID token's tid claim can be
  // checked against the GUID given here.
  let tenant_strategy =
    vestibule_microsoft.strategy_for_tenant(
      "72f988bf-86f1-41af-91ab-2d7cd011db47",
    )

  // Client ID, client secret value, and a redirect URI registered on the
  // app registration. The two string literals are placeholders; load the
  // secret from the environment or a secret store rather than embedding it.
  let cfg =
    config.new(
      "microsoft-client-id",
      "microsoft-client-secret",
      "http://localhost:8000/auth/microsoft/callback",
    )
}

What Vestibule handles

  • The default strategy uses the /common endpoint, so accounts from any tenant (and personal accounts) can sign in, and no tenant validation is performed.
  • strategy_for_tenant targets the tenant-specific endpoints for the tenant GUID you pass.
  • Tenant validation reads the tid claim from the returned ID token and compares it with the configured tenant GUID; a mismatch rejects the sign-in.
  • userPrincipalName is exposed as nickname, not as a verified email: a UPN is usually shaped like an email address, but Graph does not guarantee it is a verified, deliverable mailbox, so do not use it to link accounts or send security-sensitive mail.

Notes to keep explicit

  • Pass the tenant GUID, not a verified domain, when restricting to one tenant: the tid claim that is validated is a GUID, so a domain name such as contoso.onmicrosoft.com would never match and every sign-in would be rejected.
  • Microsoft Graph /me does not include profile photos; fetch them separately (for example from /me/photo/$value) if needed.
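The tid check described above, and the reason a domain name cannot stand in for the tenant GUID, as an added example. This is illustrative code, not vestibule's implementation: it assumes only what this page states (the tenant-restricted strategy compares the ID token's tid claim with the configured GUID). The tokens are constructed, unsigned test tokens; signature verification is omitted because in the real flow the ID token arrives in the token-endpoint response over TLS directly from Microsoft, so this check must never be applied to a token presented by a browser. The second tenant GUID is made up.

```python
import base64
import json

# The tenant GUID used in the usage snippet above, and a constructed
# second GUID standing in for "some other tenant".
HOME_TENANT = "72f988bf-86f1-41af-91ab-2d7cd011db47"
OTHER_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWS compact serialization.

    No signature check: only acceptable for a token received directly
    from the token endpoint over TLS, as in the OAuth code flow.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def tenant_matches(id_token: str, expected_tenant: str) -> bool:
    """The tenant check: tid must equal the configured tenant GUID.

    tid is always a GUID, so passing a verified domain as expected_tenant
    can never succeed; that is the pitfall the note above warns about.
    """
    tid = id_token_claims(id_token).get("tid")
    return isinstance(tid, str) and tid.lower() == expected_tenant.lower()


def constructed_id_token(claims: dict) -> str:
    """Build an unsigned (alg=none) token as constructed sample input."""
    header = {"alg": "none", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(claims)), ""])


# Constructed sample tokens: one from the home tenant, one from another
# tenant, and one with no tid at all (e.g. a malformed or unexpected token).
HOME_TOKEN = constructed_id_token({
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
    "aud": "microsoft-client-id",
    "tid": HOME_TENANT,
    "preferred_username": "alice@contoso.onmicrosoft.com",
})
OTHER_TOKEN = constructed_id_token({
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "aud": "microsoft-client-id",
    "tid": OTHER_TENANT,
    "preferred_username": "mallory@example.org",
})
NO_TID_TOKEN = constructed_id_token({
    "iss": "https://login.microsoftonline.com/common/v2.0",
    "aud": "microsoft-client-id",
})


if __name__ == "__main__":
    for name, tok in [("home", HOME_TOKEN), ("other", OTHER_TOKEN),
                      ("no tid", NO_TID_TOKEN)]:
        print(name, "accepted" if tenant_matches(tok, HOME_TENANT) else "rejected")
    # Restricting by domain instead of GUID rejects even the home tenant.
    print("domain", tenant_matches(HOME_TOKEN, "contoso.onmicrosoft.com"))
```

The check is deliberately strict: a missing tid is a rejection, not a pass, and the comparison is case-insensitive only because GUIDs are case-insensitive by definition.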