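#!/usr/bin/env bash
# Azure AD (Entra ID) demo notes: create a test user, register an OIDC web app,
# issue a client secret, and run the local demo at http://localhost:3000.
#
# These are interactive notes, not an unattended script. Fill in the values
# marked below and read the security notes before reusing any of this outside
# a throwaway tenant.
set -euo pipefail

az login
az account show --query tenantDefaultDomain -o tsv

# --- Create a test user -----------------------------------------------------
# Do not hard-code the password in the command: it ends up in shell history and
# in these notes. Supply it via the environment instead (the value still shows
# briefly in the az process's argv via `ps`; az has no --password-stdin, so
# keeping it out of history and out of files is the achievable part).
: "${TEST_USER_PASSWORD:?set TEST_USER_PASSWORD in the calling shell}"
az ad user create \
  --display-name "John Doe" \
  --user-principal-name "jdoe@publicanub.onmicrosoft.com" \
  --password "$TEST_USER_PASSWORD" \
  --mail-nickname jdoe
az ad user list --output table

# --- Register the app (OIDC, authorization-code flow) -----------------------
# --web-redirect-uris: where Azure AD sends the auth response after sign-in.
#   Only an exactly-matching registered URI is honoured. http is accepted for
#   loopback/localhost development only; production redirect URIs must be https.
# --sign-in-audience:
#   AzureADMyOrg                        your tenant only
#   AzureADMultipleOrgs                 any Azure AD tenant
#   AzureADandPersonalMicrosoftAccount  any tenant + personal outlook/hotmail
az ad app create \
  --display-name "testapp3" \
  --web-redirect-uris "http://localhost:3000/callback" \
  --sign-in-audience "AzureADMultipleOrgs"
az ad app list --display-name "testapp3" --output table

# Look the app (client) id up rather than hand-pasting it into later commands;
# a blank `--id` makes the update/reset commands below fail.
# e.g. APP_ID=ec014b23-edde-4a09-9a41-36bff5630829
APP_ID="$(az ad app list --display-name "testapp3" --query '[0].appId' -o tsv)"
: "${APP_ID:?app testapp3 not found}"

# --- Allow sign-in from any tenant (multi-tenant) ---------------------------
# Once the app is multi-tenant, a correctly signed token from ANY Azure AD
# tenant verifies against Microsoft's keys. A valid signature is not
# authorization: the app code must check the `tid` claim against an allow-list
# (and `iss` must be that tenant's issuer), otherwise anyone who can create a
# free tenant can sign in.
az ad app update --id "$APP_ID" --sign-in-audience AzureADMultipleOrgs

# --- Create a client secret -------------------------------------------------
# --append keeps existing credentials; without it, reset revokes them all.
# The "password" field is shown ONCE and cannot be retrieved later. Capture it
# straight into the app's secret store / git-ignored .env; never paste it into
# notes, chat, tickets or a commit.
az ad app credential reset --id "$APP_ID" --append
# Output shape:
# {
#   "appId":    "<app id>",
#   "password": "<client secret - shown once>",
#   "tenant":   "<tenant id>"
# }
# NOTE(review): an earlier version of these notes contained a real client
# secret copied from this output. Treat that secret as compromised: list the
# credentials (`az ad app credential list --id "$APP_ID"`), delete the leaked
# one by its keyId, and issue a fresh one with `credential reset --append`.

# --- Run the demo -----------------------------------------------------------
npm i
npm start
# Open http://localhost:3000, click "Sign In with Azure AD", and complete
# Microsoft's login page with the test user's name and password. You should be
# redirected back to localhost:3000 with a success.

# --- How the app works ------------------------------------------------------
# 1. Login redirects the browser to the Microsoft-hosted login page for APP_ID.
# 2. After login, Microsoft redirects back to the registered redirect URI with
#    an authorization code (not tokens) in the query string.
# 3. The server exchanges code + client secret for JWT tokens in a
#    server-to-server call, so tokens never pass through the browser. The code
#    is single-use, short-lived, bound to this app's redirect URI, and cannot
#    be redeemed without the client secret. "Intercepting it doesn't help"
#    only holds if the app also sends and checks a `state` value (otherwise an
#    attacker can inject their own code into a victim's session - login CSRF)
#    and, ideally, uses PKCE (`code_challenge`/`code_verifier`). Whether this
#    demo does either is not visible from these notes - confirm in the code.
# 4. The server verifies the JWT signature against Microsoft's public keys from
#    https://login.microsoftonline.com/common/discovery/v2.0/keys
#    (select the key by the token's `kid`; cache the set and refresh on an
#    unknown `kid` so key rollover does not break logins). The signature alone
#    is not enough: also validate `aud` == APP_ID, `exp`/`nbf`, `iss` (and
#    `tid` for multi-tenant, see above), and the `nonce` if one was sent in
#    the auth request.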