# Microsoft

This guide explains how to configure Microsoft OAuth authentication for the DataSpace application.

### Prerequisites

* A Microsoft Azure Active Directory (Azure AD) tenant
* Admin access to create app registrations in Azure AD

{% stepper %}
{% step %}

### Create Azure AD App Registration

1. Go to the [Azure Portal](https://portal.azure.com/)
2. Navigate to **Azure Active Directory** > **App registrations**
3. Click **New registration**
4. Fill in the following details:
   * **Name**: `DataSpace Application` (or your preferred name)
   * **Supported account types**: Choose based on your needs:
     * "Accounts in this organizational directory only" (single tenant)
     * "Accounts in any organizational directory" (multi-tenant)
     * "Accounts in any organizational directory and personal Microsoft accounts" (multi-tenant + personal)
   * **Redirect URI**:
     * Platform: **Web**
     * URI: `https://your-domain.com/api/auth/microsoft-callback`
5. Click **Register**

{% endstep %}

{% step %}

### Configure App Registration

#### Authentication

1. In your app registration, go to **Authentication**
2. Add additional redirect URIs if needed for different environments
3. Under **Implicit grant and hybrid flows**, enable:
   * Access tokens
   * ID tokens
4. Click **Save**

#### API Permissions

1. Go to **API permissions**
2. Click **Add a permission**
3. Select **Microsoft Graph**
4. Choose **Delegated permissions**
5. Add the following permissions:
   * `openid` (Sign users in)
   * `profile` (View users' basic profile)
   * `email` (View users' email address)
6. Click **Add permissions**
7. Click **Grant admin consent** (if you have admin rights)

#### Certificates & secrets

1. Go to **Certificates & secrets**
2. Click **New client secret**
3. Add a description (e.g., "DataSpace App Secret")
4. Choose an expiration period (24 months is recommended)
5. Click **Add**

{% hint style="danger" %}
Important: Copy the secret value immediately after creating it. It won't be shown again.
{% endhint %}
{% endstep %}

{% step %}

### Configure Application Settings

#### Backend Configuration

Add the following environment variables to your application:

{% code title=".env" %}

```dotenv
MICROSOFT_CLIENT_ID=your-client-id-here
MICROSOFT_CLIENT_SECRET=your-client-secret-here
```

{% endcode %}
{% endstep %}
{% endstepper %}
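The three steps above wire up an OAuth authorization-code login: the app redirects the user to Azure AD, Azure AD redirects back to the registered `/api/auth/microsoft-callback` URI with a `code`, and the backend exchanges that code for tokens using `MICROSOFT_CLIENT_ID` and `MICROSOFT_CLIENT_SECRET`. The following is an added illustration of that exchange, not code from the DataSpace project; it assumes the Microsoft identity platform v2.0 endpoints and uses placeholder values for the client ID, secret and domain.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# The three delegated Microsoft Graph scopes granted in the API permissions step.
SCOPES = "openid profile email"


def build_authorize_url(client_id, redirect_uri, tenant="common", state=None):
    """Return (authorize_url, state). The caller stores `state` in the user's session."""
    state = state or secrets.token_urlsafe(32)  # unguessable per-login value
    params = {
        "client_id": client_id,
        "response_type": "code",       # authorization-code flow: tokens are fetched server-side
        "redirect_uri": redirect_uri,  # must exactly match a registered Web redirect URI
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to /api/auth/microsoft-callback and return the code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    got = qs.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this session did not start the login.
    if not hmac.compare_digest(got, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    return qs["code"][0]


def token_request(client_id, client_secret, code, redirect_uri, tenant="common"):
    """Return (token_url, form_body) for the back-channel code exchange (POST, form-encoded)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,  # MICROSOFT_CLIENT_SECRET; never sent to the browser
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": SCOPES,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body
```

The `tenant` segment is `common` here; use your tenant ID for a single-tenant registration, or `organizations` / `consumers` to match the account types chosen at registration.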

### Support

* **Azure AD configuration**: Check Microsoft's [Azure AD documentation](https://docs.microsoft.com/en-us/azure/active-directory/)
* **Security concerns**: Review Microsoft's [OAuth security best practices](https://docs.microsoft.com/en-us/azure/active-directory/develop/security-best-practices-for-app-registration)
