Microsoft SSO Provider

This section explains how to configure Microsoft as an SSO provider in Localtonet using Azure Active Directory (Microsoft Entra ID).

Microsoft SSO is ideal for organizations that manage users through Microsoft 365, Azure AD, or Entra ID.


Step 1: Create an App Registration in Azure Portal

Before adding Microsoft as an SSO provider in Localtonet, you need to register an application in Azure.

  1. Go to Azure Portal

  2. Navigate to: Microsoft Entra ID → App registrations

  3. Click New registration.

  4. Fill in the application details:

    • Name
      Any descriptive name (e.g. Localtonet Tunnel SSO)

    • Supported account types
      Choose one:

      • Accounts in this organizational directory only (single tenant)

      • Accounts in any organizational directory (multi-tenant – recommended)

    • Redirect URI

      • Platform: Web

      • URL:

        http://auth.localtonet.com/auth/callback

  5. Click Register.


Step 2: Create a Client Secret

  1. Open the newly created app registration.

  2. Navigate to: Certificates & secrets → Client secrets

  3. Click New client secret.

  4. Set an expiration period and click Add.

  5. Copy the Client Secret value immediately (it will not be shown again).


Step 3: Copy Required Application Values

From the app registration overview page, copy:

  • Application (client) ID

  • Directory (tenant) ID (optional, required only for single-tenant setups)

You will use these values in Localtonet.


Step 4: Add Microsoft Provider in Localtonet

  1. Open the SSO Providers section in your Localtonet account.

  2. Click Add Provider.

  3. Fill in the provider details:

    • Provider Name
      Any descriptive name (e.g. Microsoft, Azure AD Login)

    • Provider Type
      Select Microsoft

    • Client ID
      Paste the Application (client) ID

    • Client Secret
      Paste the Client Secret

  4. The following endpoints are pre-filled automatically and should not be changed unless required:

    • Authorization Endpoint

      https://login.microsoftonline.com/common/oauth2/v2.0/authorize

    • Token Endpoint

      https://login.microsoftonline.com/common/oauth2/v2.0/token

    • UserInfo Endpoint

      https://graph.microsoft.com/oidc/userinfo

    • Callback Path

      /auth/callback/microsoft

If you want to restrict authentication to a single tenant, replace common with your Directory (tenant) ID in both the Authorization Endpoint and the Token Endpoint.

  5. (Optional) Configure Allowed Email Domains

    • Example: company.com

    • Only users with matching domains will be allowed access

  6. Toggle Active to enable the provider.

  7. Click Save.
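As an added illustration (hypothetical helper code, not part of Localtonet), the two provider-level settings from this step can be modelled as follows: rewriting the common endpoints for a single tenant, and matching a signed-in user's email against the Allowed Email Domains list. The tenant ID and addresses used are constructed sample values.

```python
"""Single-tenant endpoint rewriting and allowed-email-domain matching.

Hypothetical helper code (not Localtonet's own) modelling two settings from
Step 4: replacing `common` with a Tenant ID in the Microsoft endpoints, and
restricting sign-in to the configured Allowed Email Domains.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Endpoints exactly as pre-filled by the provider form.
MICROSOFT_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
MICROSOFT_TOKEN = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def tenant_endpoint(endpoint: str, tenant_id: Optional[str]) -> str:
    """Return the single-tenant form of a Microsoft endpoint.

    With no tenant ID the multi-tenant (common) endpoint is returned unchanged.
    Only the first path segment is replaced, and the host is verified first so
    a mistyped endpoint can never be rewritten to point at a different issuer.
    """
    if not tenant_id:
        return endpoint
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or parts.netloc != "login.microsoftonline.com":
        raise ValueError(f"unexpected authority: {parts.scheme}://{parts.netloc}")
    segments = parts.path.split("/")  # ['', 'common', 'oauth2', 'v2.0', ...]
    if len(segments) < 2 or segments[1] != "common":
        raise ValueError("endpoint is not a multi-tenant (common) endpoint")
    segments[1] = tenant_id
    return urlunsplit(parts._replace(path="/".join(segments)))


def email_domain_allowed(email: str, allowed_domains: list) -> bool:
    """Exact, case-insensitive match of the domain part against the allowlist.

    The comparison is exact rather than suffix-based, so 'company.com.example'
    and 'sub.company.com' are rejected unless listed explicitly. Addresses with
    more or fewer than one '@' are rejected outright rather than guessed at.
    """
    email = email.strip()
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    if not local or not domain:
        return False
    domain = domain.lower()
    allowed = {d.strip().lower().lstrip("@") for d in allowed_domains}
    return domain in allowed
```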


Step 5: Enable Microsoft SSO for an HTTP Tunnel

  1. Open the HTTP Tunnel Settings for the target tunnel.

  2. Navigate to SSO Providers → Manage.

  3. Enable SSO for this tunnel.

  4. Toggle Microsoft to activate it.

  5. Configure optional tunnel-level settings:

    • SSO Path(s) – paths that require authentication

    • Logout Path – logout endpoint

    • Allowed Domains / Emails / Usernames – additional access restrictions

  6. Click Save Changes.


What Happens Next?

When a user accesses the tunnel URL:

  1. The request is intercepted by the Localtonet authentication layer.

  2. The user is redirected to Microsoft for authentication.

  3. After successful login, the user is redirected back to the tunnel.

  4. Access is granted only if provider and tunnel rules are satisfied.

Your application does not need to implement authentication logic.


Notes & Best Practices

  • Microsoft SSO uses OpenID Connect (OIDC)

  • Use single-tenant mode for internal corporate tools

  • Apply email domain restrictions for tighter access control

  • Rotate client secrets before expiration

  • Microsoft SSO can be enabled alongside other providers