Azure AD / Entra ID OIDC Setup

This guide walks you through registering an application in Microsoft Entra ID (formerly Azure AD) and connecting it to Oore CI.

What you need

A Microsoft Azure account
Permission to register applications in your Entra ID tenant
Your Oore CI instance ready for setup

1. Register an application

Go to the Azure Portal — App registrations
Click New registration
Set:
- Name: Oore CI
- Supported account types: Choose based on who should access your instance
  - "Accounts in this organizational directory only" for single-tenant
  - "Accounts in any organizational directory" for multi-tenant
- Redirect URI: Select "Web" and enter http://127.0.0.1:4173/auth/callback
Click Register

For detailed instructions, see Register an application — Microsoft Entra.

2. Add additional redirect URIs

Go to Authentication in the app registration
Under Web > Redirect URIs, add:
- http://localhost:3000/auth/callback (dev mode)
- https://ci.oore.build/auth/callback (or your custom domain)
Click Save

Both setup and regular sign-in use the same /auth/callback path — you only need one URI per origin.

3. Create a client secret

Go to Certificates & secrets
Under Client secrets, click New client secret
Set a description and expiry period
Click Add
Copy the Value immediately (it's only shown once)

4. Find the issuer URL

Your Entra ID issuer URL follows this pattern:

https://login.microsoftonline.com/{tenant-id}/v2.0

Find your tenant ID on the Overview page of the app registration.

Verify discovery:

bash

curl "https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" | jq .issuer

5. Find the client ID

The Application (client) ID is on the Overview page of the app registration.

6. Enter credentials in Oore CI

During setup, enter:

Field	Value
Issuer URL	`https://login.microsoftonline.com/{tenant-id}/v2.0`
Client ID	Application (client) ID from step 5
Client secret	Client secret value from step 3

Troubleshooting

"OIDC discovery failed"

Make sure the issuer URL includes /v2.0. The v1.0 endpoint has a different token format.

"ID token missing email claim"

Ensure your app registration requests the email scope and that users have email addresses in your tenant.

Azure AD / Entra ID OIDC Setup ​

What you need ​

1. Register an application ​

2. Add additional redirect URIs ​

3. Create a client secret ​

4. Find the issuer URL ​

5. Find the client ID ​

6. Enter credentials in Oore CI ​

Troubleshooting ​

"OIDC discovery failed" ​

"ID token missing email claim" ​

Reference ​