← All articles

Authentication

Secure Azure AD Authentication for Drupal

Implement single-sign-on with Office 365 accounts using OAuth 2.0 flows, JWT tokens, and Drupal's user system with Azure AD integration.

Published January 10, 2024
drupalazure-adauthenticationoauth2ssooffice365security

Overview

Azure AD Authentication for Drupal provides a secure, enterprise-grade single sign-on solution that leverages Microsoft’s identity platform. This integration eliminates the need for separate credentials while maintaining robust security through OAuth 2.0 and JWT tokens.

Features

  • Single Sign-On (SSO) with Office 365 accounts
  • OAuth 2.0 and OpenID Connect support
  • JWT token validation and refresh
  • Role mapping from Azure AD groups to Drupal roles
  • Multi-factor authentication (MFA) support
  • Automatic user provisioning and deprovisioning
  • Session management and token lifecycle handling
  • Seamless integration with existing Drupal authentication

Technical Details

Technologies: Azure Active Directory, OAuth 2.0, OpenID Connect, JWT, Drupal 9/10, Microsoft Graph API

Requirements:

  • Drupal 9.x or 10.x installation
  • Azure AD tenant with admin access
  • Azure App Registration
  • SSL/TLS certificate (required for production)
  • Drupal OpenID Connect module or custom module

API Endpoints:

Authorization endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Token endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
UserInfo endpoint: https://graph.microsoft.com/v1.0/me

Implementation

  1. Register application in Azure Portal and configure redirect URIs
  2. Install and configure OpenID Connect module in Drupal
  3. Configure OAuth 2.0 client credentials (Client ID and Secret)
  4. Set up Azure AD group to Drupal role mapping
  5. Configure token validation and JWT handling
  6. Implement user provisioning hooks
  7. Test authentication flow with test users
  8. Configure MFA requirements and conditional access policies
  9. Set up monitoring and logging for authentication events
<?php
// Example: Custom event subscriber for user provisioning
namespace Drupal\azure_auth\EventSubscriber;

use Drupal\openid_connect\Event\OpenIDConnectEvents;
use Drupal\openid_connect\Event\UserInfoEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class AzureUserProvisionSubscriber implements EventSubscriberInterface {
  
  public static function getSubscribedEvents() {
    return [
      OpenIDConnectEvents::USERINFO => 'onUserInfo',
    ];
  }
  
  public function onUserInfo(UserInfoEvent $event) {
    $userinfo = $event->getUserInfo();
    $account = $event->getAccount();
    
    // Map Azure AD roles to Drupal roles
    if (isset($userinfo['roles'])) {
      $role_mapping = [
        'Admin' => 'administrator',
        'Editor' => 'content_editor',
        'Viewer' => 'authenticated',
      ];
      
      foreach ($userinfo['roles'] as $azure_role) {
        if (isset($role_mapping[$azure_role])) {
          $account->addRole($role_mapping[$azure_role]);
        }
      }
      $account->save();
    }
  }
}

Use Cases

  • Enterprise intranet portals requiring Office 365 SSO
  • Multi-site Drupal installations with centralized authentication
  • Healthcare and financial services with strict compliance requirements
  • Organizations migrating from on-premise to cloud identity
  • Customer portals for Office 365 using organizations

Benefits

  • Enhanced security with Microsoft’s enterprise-grade authentication
  • Reduced password fatigue and support tickets
  • Centralized user management through Azure AD
  • Support for advanced security features like MFA and conditional access
  • Seamless user experience across Microsoft and Drupal platforms
  • Automated user lifecycle management
  • Compliance with enterprise security policies