# Azure Entra (/docs/configuration/authentication/OAuth2-OIDC/azure)

1. Go to the [Azure Portal](https://portal.azure.com/) and sign in with your account.
2. In the search box, type "Azure Entra" and click on it.
3. On the left menu, click on App registrations and then on New registration.
4. Give your app a name and select Web as the platform type.
5. In the Redirect URI field, enter `http://localhost:3080/oauth/openid/callback` and click on Register.

![image](https://github.com/danny-avila/LibreChat/assets/6623884/2b1aabce-850e-4165-bf76-3c1984f10b6c)

6. You will see an Overview page with some information about your app. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere.

![image](https://github.com/danny-avila/LibreChat/assets/6623884/e67d5e97-e26d-48a5-aa6e-50de4450b1fd)

7. On the left menu, click on Authentication and check the boxes for Access tokens and ID tokens under Implicit grant and hybrid flows.

![image](https://github.com/danny-avila/LibreChat/assets/6623884/88a16cbc-ff68-4b3a-ba7b-b380cc3d2366)

8. On the left menu, click on Certificates & Secrets and then on New client secret. Give your secret a name and an expiration date and click on Add. You will see a Value column with your secret. Copy it and save it somewhere. Don't share it with anyone!

![image](https://github.com/danny-avila/LibreChat/assets/6623884/31aa6cee-5402-4ce0-a950-1b7e147aafc8)

9. If you want to restrict access by groups you should add the groups claim to the token. To do this, go to
Token configuration and click on Add group claim. Select the groups you want to include in the token and click on Add.

![image](https://github.com/danny-avila/LibreChat/assets/6623884/c9d353f5-2cb2-4f00-b4f0-493cfec8fe9a)

10. Open the .env file in your project folder and add the following variables with the values you copied:

```bash filename=".env"
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain

# enable social login or else OpenID button will not appear on login page
ALLOW_SOCIAL_LOGIN=true

OPENID_CLIENT_ID=Your Application (client) ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://login.microsoftonline.com/Your Directory (tenant ID)/v2.0/
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email # DO NOT CHANGE THIS
OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyone

OPENID_REQUIRED_ROLE_TOKEN_KIND=id

# If you want to restrict access by groups
OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles"
OPENID_REQUIRED_ROLE="Your Group Name" # Single role or comma-separated roles (e.g., Group1,Group2,Admin)

# Optional: redirects the user to the end session endpoint after logging out
OPENID_USE_END_SESSION_ENDPOINT=true
```

11. Save the `.env` file.

> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
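The group restriction from step 9 and the `OPENID_REQUIRED_ROLE_*` variables above, worked through as an added example (not LibreChat's own code): it resolves the configured claim path in the claims of an ID token whose signature has already been verified, accepts any one of the comma-separated roles (an assumed semantics), and refuses access when Entra has replaced the groups claim with a groups-overage indicator, the edge case a group-based restriction must handle. The claim values are constructed samples.

```javascript
// Added illustration, not LibreChat's own code: models what OPENID_REQUIRED_ROLE_PARAMETER_PATH
// and OPENID_REQUIRED_ROLE express when OPENID_REQUIRED_ROLE_TOKEN_KIND=id, applied to the claims
// of an ID token whose signature has already been verified by the OpenID client library.
// Assumed matching semantics: any one of the comma-separated roles suffices, compared exactly.

// Resolve a dotted claim path such as "roles" or "realm_access.roles" against the claims object.
function claimAtPath(claims, path) {
  return path.split('.').reduce((node, key) => (node == null ? undefined : node[key]), claims);
}

// Returns { allowed, reason } so a denial can be logged with its cause.
function checkRequiredRole(claims, parameterPath, requiredRole) {
  // Entra drops the groups claim for users in too many groups and emits
  // _claim_names/_claim_sources instead ("groups overage"); membership is then unproven.
  if (claims._claim_names && claims._claim_names[parameterPath]) {
    return { allowed: false, reason: `claim "${parameterPath}" is in overage; resolve it via Microsoft Graph` };
  }
  const value = claimAtPath(claims, parameterPath);
  if (value === undefined) {
    return { allowed: false, reason: `claim "${parameterPath}" missing from token` };
  }
  const have = (Array.isArray(value) ? value : [value]).map(String);
  const wanted = requiredRole.split(',').map((r) => r.trim()).filter(Boolean);
  const match = wanted.find((r) => have.includes(r));
  return match
    ? { allowed: true, reason: `matched "${match}"` }
    : { allowed: false, reason: `none of [${wanted.join(', ')}] present in [${have.join(', ')}]` };
}

// Constructed sample claims shaped like a decoded Entra ID token payload (all values made up).
const sampleClaims = {
  iss: 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0',
  preferred_username: 'alice@example.com',
  roles: ['LibreChat.User'],
  groups: ['11111111-2222-3333-4444-555555555555'], // the groups claim carries group object IDs
};

// The same user after exceeding the group limit: no groups claim, only an overage indicator.
const overageClaims = {
  iss: sampleClaims.iss,
  preferred_username: sampleClaims.preferred_username,
  roles: sampleClaims.roles,
  _claim_names: { groups: 'src1' },
  _claim_sources: { src1: { endpoint: 'https://graph.microsoft.com/v1.0/me/getMemberObjects' } },
};

console.log(checkRequiredRole(sampleClaims, 'roles', 'Group1,LibreChat.User'));   // allowed: true
console.log(checkRequiredRole(sampleClaims, 'groups', 'not-a-member-group'));     // allowed: false
console.log(checkRequiredRole(overageClaims, 'groups', sampleClaims.groups[0])); // allowed: false
```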

## Advanced: Token Reuse

LibreChat supports reusing Azure Entra ID tokens for session management, which can provide better integration with your Azure environment. This feature allows LibreChat to use Azure's refresh tokens instead of managing its own session tokens.

To learn more about this feature and how to configure it, see [Re-use OpenID Tokens for Login Session](/docs/configuration/authentication/OAuth2-OIDC/token-reuse).

## Advanced: Microsoft Graph API Integration

When using Azure Entra ID as your OpenID provider, you can enable Microsoft Graph API integration to enhance the permissions and sharing system with people and group search capabilities.

### Prerequisites

1. Your Azure app registration must have the appropriate Microsoft Graph API permissions
2. Admin consent may be required for certain Graph API scopes (like `GroupMember.Read.All`)

### Adding Graph API Permissions

1. In your Azure app registration, go to **API permissions**
2. Click **Add a permission** > **Microsoft Graph** > **Delegated permissions**
3. Add these permissions:
   - `User.Read` - Sign in and read user profile
   - `People.Read` - Read user contacts
   - `GroupMember.Read.All` - Read all group memberships
   - `User.ReadBasic.All` - Read all users' basic profiles
4. Click **Grant admin consent** if required (you'll need admin privileges)

### Configuration

<Callout type="error" title="Required: Enable Token Reuse">
**Important:** You MUST enable OpenID token reuse for this feature to work:
```bash filename=".env"
OPENID_REUSE_TOKENS=true
```
See [Token Reuse Configuration](#advanced-token-reuse) above for details.
</Callout>

Add the following environment variables to your `.env` file:

```bash filename=".env"
# Enable Entra ID people search in permissions/sharing
USE_ENTRA_ID_FOR_PEOPLE_SEARCH=true

# Include group owners as members when searching groups
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=true

# Microsoft Graph API scopes (these are automatically included with the OpenID scopes)
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All,User.ReadBasic.All
```

When enabled, the people picker in the permissions and sharing dialogs will:
- Search both local LibreChat users and Azure Entra ID users
- Display user profiles with names and emails from your organization
- Allow searching and selecting Azure Entra ID groups
- Show group members based on your Graph API permissions

### Notes

- **Token reuse (`OPENID_REUSE_TOKENS=true`) is mandatory** for this feature to work
- The `OPENID_GRAPH_SCOPES` are automatically appended to your existing `OPENID_SCOPE` during authentication
- Group search requires the `GroupMember.Read.All` permission, which typically needs admin consent
- User search works with basic `User.Read`, `People.Read`, and `User.ReadBasic.All` permissions

## Advanced: SharePoint Integration

LibreChat can integrate with SharePoint Online and OneDrive for Business, allowing users to browse and attach files directly from their SharePoint libraries.

### Prerequisites

1. All requirements from [Token Reuse](#advanced-token-reuse) must be met
2. Your Azure app registration needs additional SharePoint permissions

### Adding SharePoint Permissions

1. In your Azure app registration, go to **API permissions**
2. Click **Add a permission**

#### For SharePoint Access:
3. Select **SharePoint** (not Microsoft Graph)
4. Choose **Delegated permissions**
5. Add: `AllSites.Read` - Read items in all site collections

#### For File Downloads:
6. Click **Add a permission** again
7. Select **Microsoft Graph**
8. Choose **Delegated permissions**
9. Add: `Files.Read.All` - Read all files that user can access

10. Click **Grant admin consent** for both permissions

### Configuration

```bash filename=".env"
# Enable SharePoint file picker
ENABLE_SHAREPOINT_FILEPICKER=true

# Your SharePoint tenant URL
SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com

# SharePoint scope for file picker (replace 'yourtenant' with your actual tenant)
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://yourtenant.sharepoint.com/AllSites.Read

# Graph API scope for downloading files
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
```

### Usage

When properly configured:
1. Users will see "From SharePoint" option in the file attachment menu
2. Clicking it opens the native SharePoint file picker
3. Users can browse and select files from any SharePoint site or OneDrive they have access to
4. Selected files are downloaded and attached to the conversation

<Callout type="warning" title="Security Note">
The SharePoint integration respects all existing SharePoint permissions. Users can only access files they already have permission to view in SharePoint/OneDrive.
</Callout>

For detailed troubleshooting and advanced configuration, see: [SharePoint Integration Guide](/docs/configuration/sharepoint)

