LibreChat
ConfigurationAuthenticationOAuth2 & OIDC

Azure Entra

Learn how to configure LibreChat to use Azure Entra for user authentication.

  1. Go to the Azure Portal and sign in with your account.
  2. In the search box, type "Azure Entra" and click on it.
  3. On the left menu, click on App registrations and then on New registration.
  4. Give your app a name and select Web as the platform type.
  5. In the Redirect URI field, enter http://localhost:3080/oauth/openid/callback and click on Register.

image

  1. You will see an Overview page with some information about your app. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere.

image

  1. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit grant and hybrid flows.

image

  1. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a name and an expiration date and click on Add. You will see a Value column with your secret. Copy it and save it somewhere. Don't share it with anyone!

image

  1. If you want to restrict access by groups you should add the groups claim to the token. To do this, go to Token configuration and click on Add group claim. Select the groups you want to include in the token and click on Add.

image

  1. Open the .env file in your project folder and add the following variables with the values you copied:
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
 
# enable social login or else OpenID button will not appear on login page
ALLOW_SOCIAL_LOGIN=true
 
OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email #DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone
 
OPENID_REQUIRED_ROLE_TOKEN_KIND=id
 
# If you want to restrict access by groups
OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles"
OPENID_REQUIRED_ROLE="Your Group Name" # Single role or comma-separated roles (e.g., Group1,Group2,Admin)
 
# Optional: redirects the user to the end session endpoint after logging out
OPENID_USE_END_SESSION_ENDPOINT=true
  1. Save the .env file

Note: If using docker, run docker compose up -d to apply the .env configuration changes

Advanced: Token Reuse

LibreChat supports reusing Azure Entra ID tokens for session management, which can provide better integration with your Azure environment. This feature allows LibreChat to use Azure's refresh tokens instead of managing its own session tokens.

To learn more about this feature and how to configure it, see Re-use OpenID Tokens for Login Session.

Advanced: Microsoft Graph API Integration

When using Azure Entra ID as your OpenID provider, you can enable Microsoft Graph API integration to enhance the permissions and sharing system with people and group search capabilities.

Prerequisites

  1. Your Azure app registration must have the appropriate Microsoft Graph API permissions
  2. Admin consent may be required for certain Graph API scopes (like GroupMember.Read.All)

Adding Graph API Permissions

  1. In your Azure app registration, go to API permissions
  2. Click Add a permission > Microsoft Graph > Delegated permissions
  3. Add these permissions:
    • User.Read - Sign in and read user profile
    • People.Read - Read user contacts
    • GroupMember.Read.All - Read all group memberships
    • User.ReadBasic.All - Read all users' basic profiles
  4. Click Grant admin consent if required (you'll need admin privileges)

Configuration

Required: Enable Token Reuse

Important: You MUST enable OpenID token reuse for this feature to work:

OPENID_REUSE_TOKENS=true

See Token Reuse Configuration above for details.

Add the following environment variables to your .env file:

# Enable Entra ID people search in permissions/sharing
USE_ENTRA_ID_FOR_PEOPLE_SEARCH=true
 
# Include group owners as members when searching groups
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=true
 
# Microsoft Graph API scopes (these are automatically included with the OpenID scopes)
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All,User.ReadBasic.All

When enabled, the people picker in the permissions and sharing dialogs will:

  • Search both local LibreChat users and Azure Entra ID users
  • Display user profiles with names and emails from your organization
  • Allow searching and selecting Azure Entra ID groups
  • Show group members based on your Graph API permissions

Notes

  • Token reuse (OPENID_REUSE_TOKENS=true) is mandatory for this feature to work
  • The OPENID_GRAPH_SCOPES are automatically appended to your existing OPENID_SCOPE during authentication
  • Group search requires the GroupMember.Read.All permission, which typically needs admin consent
  • User search works with basic User.Read, People.Read, and User.ReadBasic.All permissions

Advanced: SharePoint Integration

LibreChat can integrate with SharePoint Online and OneDrive for Business, allowing users to browse and attach files directly from their SharePoint libraries.

Prerequisites

  1. All requirements from Token Reuse must be met
  2. Your Azure app registration needs additional SharePoint permissions

Adding SharePoint Permissions

  1. In your Azure app registration, go to API permissions
  2. Click Add a permission

For SharePoint Access:

  1. Select SharePoint (not Microsoft Graph)
  2. Choose Delegated permissions
  3. Add: AllSites.Read - Read items in all site collections

For File Downloads:

  1. Click Add a permission again

  2. Select Microsoft Graph

  3. Choose Delegated permissions

  4. Add: Files.Read.All - Read all files that user can access

  5. Click Grant admin consent for both permissions

Configuration

# Enable SharePoint file picker
ENABLE_SHAREPOINT_FILEPICKER=true
 
# Your SharePoint tenant URL
SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
 
# SharePoint scope for file picker (replace 'yourtenant' with your actual tenant)
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://yourtenant.sharepoint.com/AllSites.Read
 
# Graph API scope for downloading files
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All

Usage

When properly configured:

  1. Users will see "From SharePoint" option in the file attachment menu
  2. Clicking it opens the native SharePoint file picker
  3. Users can browse and select files from any SharePoint site or OneDrive they have access to
  4. Selected files are downloaded and attached to the conversation

Security Note

The SharePoint integration respects all existing SharePoint permissions. Users can only access files they already have permission to view in SharePoint/OneDrive.

For detailed troubleshooting and advanced configuration, see: SharePoint Integration Guide

How is this guide?

Edit on GitHub

Previous

AWS Cognito

Next

Keycloak

On this page