# `AshAuthentication.Strategy.Microsoft`
[🔗](https://github.com/team-alembic/ash_authentication/blob/main/lib/ash_authentication/strategies/microsoft.ex#L5)

Strategy for authenticating using [Microsoft](https://microsoft.com).

This strategy builds on top of `AshAuthentication.Strategy.Oidc` and
[`assent`](https://hex.pm/packages/assent).

It uses Microsoft's OpenID Connect discovery endpoint to automatically
retrieve token, authorization, and user info URLs. User identity claims
(email, name, etc.) are extracted from the ID token returned during the
authorization code flow.

In order to use Microsoft you need to provide the following minimum configuration:

  - `client_id`
  - `redirect_uri`
  - `client_secret`

By default the strategy uses the `common` tenant endpoint, which allows any
Microsoft account (personal, work, or school). Multi-tenant issuer validation
is handled automatically — the `{tenantid}` template in Microsoft's discovery
document is resolved from the ID token's `tid` claim before validation.

To restrict sign-in to a specific Azure tenant, override `base_url`:

    base_url "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0"
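
The issuer check described above, as an added example (not AshAuthentication's or assent's own code): the `{tenantid}` template is resolved from `tid` and the result must equal `iss` exactly. The module name, function names and tenant GUIDs are constructed for illustration, and the claims are assumed to come from an ID token whose signature was already verified.

```elixir
defmodule IssuerCheckExample do
  # Illustration only. Claims are assumed to come from an ID token whose
  # signature has already been verified against the provider's keys.

  # `issuer` is the `issuer` value from the discovery document. On the
  # `common` endpoint it contains the `{tenantid}` template; on a
  # tenant-specific endpoint it is assumed to already name that tenant.
  def validate_issuer(issuer, %{"iss" => iss, "tid" => tid})
      when is_binary(iss) and is_binary(tid) do
    cond do
      # Substitute only a well-formed GUID, never arbitrary claim text.
      not guid?(tid) -> {:error, :malformed_tid}
      # Exact string comparison of the resolved issuer with `iss`.
      String.replace(issuer, "{tenantid}", tid) == iss -> {:ok, tid}
      true -> {:error, :issuer_mismatch}
    end
  end

  def validate_issuer(_issuer, _claims), do: {:error, :missing_claims}

  defp guid?(value) do
    Regex.match?(~r/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i, value)
  end
end

# Constructed sample values (not real tenants).
template = "https://login.microsoftonline.com/{tenantid}/v2.0"
tenant_a = "11111111-2222-3333-4444-555555555555"
tenant_b = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
iss_a = "https://login.microsoftonline.com/#{tenant_a}/v2.0"
iss_b = "https://login.microsoftonline.com/#{tenant_b}/v2.0"

# Multi-tenant (`common`): `tid` and `iss` agree, so the token passes.
IO.inspect(IssuerCheckExample.validate_issuer(template, %{"iss" => iss_a, "tid" => tenant_a}))
# `tid` and `iss` disagree: the resolved issuer does not match.
IO.inspect(IssuerCheckExample.validate_issuer(template, %{"iss" => iss_b, "tid" => tenant_a}))
# `tid` is not a GUID: rejected before any substitution.
IO.inspect(IssuerCheckExample.validate_issuer(template, %{"iss" => iss_a, "tid" => "common"}))
# Single tenant (tenant A's `base_url`): a token from tenant B is rejected.
IO.inspect(IssuerCheckExample.validate_issuer(iss_a, %{"iss" => iss_b, "tid" => tenant_b}))
# No `tid` claim at all.
IO.inspect(IssuerCheckExample.validate_issuer(template, %{"iss" => iss_a}))
```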

## More documentation:
- The [Microsoft OpenID Connect Overview](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc)
- The [Microsoft Tutorial](/documentation/tutorials/microsoft.md)
- The [OIDC documentation](`AshAuthentication.Strategy.Oidc`)

# `transform`

# `verify`

---

*Consult [api-reference.md](api-reference.md) for complete listing*
