← All articles
Authentication
Secure Azure AD Authentication for Drupal
Implement single-sign-on with Office 365 accounts using OAuth 2.0 flows, JWT tokens, and Drupal's user system with Azure AD integration.
Published January 10, 2024
drupalazure-adauthenticationoauth2ssooffice365security
Overview
Azure AD Authentication for Drupal provides a secure, enterprise-grade single sign-on solution that leverages Microsoft’s identity platform. This integration eliminates the need for separate credentials while maintaining robust security through OAuth 2.0 and JWT tokens.
Features
- Single Sign-On (SSO) with Office 365 accounts
- OAuth 2.0 and OpenID Connect support
- JWT token validation and refresh
- Role mapping from Azure AD groups to Drupal roles
- Multi-factor authentication (MFA) support
- Automatic user provisioning and deprovisioning
- Session management and token lifecycle handling
- Seamless integration with existing Drupal authentication
Technical Details
Technologies: Azure Active Directory, OAuth 2.0, OpenID Connect, JWT, Drupal 9/10, Microsoft Graph API
Requirements:
- Drupal 9.x or 10.x installation
- Azure AD tenant with admin access
- Azure App Registration
- SSL/TLS certificate (required for production)
- Drupal OpenID Connect module or custom module
API Endpoints:
Authorization endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Token endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
UserInfo endpoint: https://graph.microsoft.com/v1.0/me
Implementation
- Register application in Azure Portal and configure redirect URIs
- Install and configure OpenID Connect module in Drupal
- Configure OAuth 2.0 client credentials (Client ID and Secret)
- Set up Azure AD group to Drupal role mapping
- Configure token validation and JWT handling
- Implement user provisioning hooks
- Test authentication flow with test users
- Configure MFA requirements and conditional access policies
- Set up monitoring and logging for authentication events
<?php
// Example: Custom event subscriber for user provisioning
namespace Drupal\azure_auth\EventSubscriber;
use Drupal\openid_connect\Event\OpenIDConnectEvents;
use Drupal\openid_connect\Event\UserInfoEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
class AzureUserProvisionSubscriber implements EventSubscriberInterface {
public static function getSubscribedEvents() {
return [
OpenIDConnectEvents::USERINFO => 'onUserInfo',
];
}
public function onUserInfo(UserInfoEvent $event) {
$userinfo = $event->getUserInfo();
$account = $event->getAccount();
// Map Azure AD roles to Drupal roles
if (isset($userinfo['roles'])) {
$role_mapping = [
'Admin' => 'administrator',
'Editor' => 'content_editor',
'Viewer' => 'authenticated',
];
foreach ($userinfo['roles'] as $azure_role) {
if (isset($role_mapping[$azure_role])) {
$account->addRole($role_mapping[$azure_role]);
}
}
$account->save();
}
}
}
Use Cases
- Enterprise intranet portals requiring Office 365 SSO
- Multi-site Drupal installations with centralized authentication
- Healthcare and financial services with strict compliance requirements
- Organizations migrating from on-premise to cloud identity
- Customer portals for Office 365 using organizations
Benefits
- Enhanced security with Microsoft’s enterprise-grade authentication
- Reduced password fatigue and support tickets
- Centralized user management through Azure AD
- Support for advanced security features like MFA and conditional access
- Seamless user experience across Microsoft and Drupal platforms
- Automated user lifecycle management
- Compliance with enterprise security policies