BE-477: Add Microsoft/Azure AD OIDC SSO provider

[TimDiekmann]

🌟 What is the purpose of this PR?

Add Microsoft/Azure AD as second OIDC provider, building on the Google SSO foundation from BE-476.

🔗 Related links

• BE-477: Set up Microsoft/Azure AD OIDC SSO (internal)
• Stacked on BE-476: Add Google OIDC SSO support via Ory Kratos #8576 (BE-476: Google OIDC SSO)

🔍 What does this change?

• Add Microsoft OIDC provider config in kratos.yml
• Add Jsonnet claims mapper for Microsoft (handles email, preferred_username, upn)
• Add docker-compose env vars for Microsoft client_id, client_secret, tenant_id

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

• does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

• are internal and do not require a docs change

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

• do not affect the execution graph

🛡 What tests cover this?

• Manual testing: Microsoft OIDC login flow on local and staging

❓ How to test this?

Tested and verified on staging with Azure AD accounts.

🎥 Demo

[cursor]

PR Summary

Medium Risk
Adds a new OIDC/SSO identity provider and claims-mapping logic in Kratos, which can affect authentication flows when enabled. Change is gated behind existing OIDC enablement but misconfiguration could block SSO sign-in or incorrectly map emails.

Overview
Adds Microsoft/Azure AD as a second Kratos OIDC provider alongside Google, wired into kratos.yml with its own mapper_url, scopes, and tenant/client credentials.

Introduces oidc.microsoft.jsonnet to derive the user email from email/preferred_username/upn claims and set verified_addresses, and updates docker-compose.yml to surface Microsoft client_id, client_secret, and tenant_id env vars (still disabled by default via KRATOS_OIDC_ENABLED).

^{Written by Cursor Bugbot for commit ab68a72. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Ready	Preview, Comment	Mar 25, 2026 6:31pm

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hashdotdesign	Ignored	Preview	Mar 25, 2026 6:31pm
hashdotdesign-tokens	Ignored	Preview	Mar 25, 2026 6:31pm
petrinaut	Skipped		Mar 25, 2026 6:31pm

[augmentcode]

🤖 Augment PR Summary

Summary: Adds Microsoft/Azure AD (Entra ID) as a second OIDC SSO provider alongside the existing Google OIDC integration.

Changes:

• Introduces a Microsoft-specific claims mapper (`oidc.microsoft.jsonnet`) to derive the user email from available token claims.
• Registers the Microsoft OIDC provider in Kratos config with the new mapper and requested scopes.
• Extends local dev Docker Compose env wiring for Microsoft `client_id`, `client_secret`, and tenant configuration.

Technical Notes: The mapper prioritizes `email`, then `preferred_username`, then `upn` for populating `traits.emails` and verification state.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[TimDiekmann]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• BE-477: Add Microsoft/Azure AD OIDC SSO provider #8578 👈 (View in Graphite)
• BE-476: Add Google OIDC SSO support via Ory Kratos #8576
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.