HowTo: Authenticate to Azure Active Directory using GAM


This tutorial explains how to authenticate your users with Azure Active Directory using GAM.

Basically, you need to use an OAuth 2.0 Authentication Type and do some configuration on both sides: the Azure portal and the GAM backend.

Configuration at the Azure portal

1. Define and register an application. See this guide from Microsoft.

2. Get the app's Application Id, since you'll need it later on:


3. Configure a Redirect URI. Go to the Authentication menu option (pane on the left), add a new Web platform, and then add a Redirect URI of the form:



4. Go to Certificates and secrets, and create a new client secret. Copy the value of the secret right away, since the portal shows it only once and it will be needed later.


5. In the Permissions tab, verify that the following permission has been added (User.Read of Microsoft Graph):


Configuration at GAM Backend

1. Create a new OAuth 2.0 Authentication Type and define the basics: Name, Description, Images (optional), etc.

2. At the General tab, define the following:


The Redirect URL is of the form:


Note: For the configuration of the following tabs, you'll need the Endpoints (authorization and token URLs) of your application registration in Azure.


3. At the Authorization tab:

Response type TAG: response_type     Value: code
Scope TAG: scope                     Value:
State TAG: state
Include ClientID and RedirectURL
Access code TAG: code
Error description TAG: error_description

In the authorization URL, note that the tenant is specified as part of the Azure Active Directory endpoint.

4. At the Token tab:

Header Content type: Content-type     Value: application/x-www-form-urlencoded
Grant type TAG: grant_type            Value: authorization_code
Include = All
Access token TAG: access_token
Token type TAG: token_type
Expires in TAG: expires_in
Scope TAG: scope
Error description TAG: error_description
Validate external token = False

5. At the User Information tab:

Method: Get
Header Content type: Content-type     Value: application/json;charset=utf-8
Do not include anything
Email TAG: mail
External ID TAG: id
Name TAG: userPrincipalName
First name TAG: givenName
Last name TAG: surname
Error description TAG: message
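To make the three GAM tabs above concrete, here is an added example (not GAM's own code, and not part of the original tutorial) that walks the same OAuth 2.0 exchange as plain HTTP messages: it builds the authorization URL with the tags from the Authorization tab, validates the callback (including the state value, which is what protects the login against a forged callback), builds the token request with the tags from the Token tab, and finally maps the Microsoft Graph /me reply onto the user attributes named in the User Information tab. The tenant id, Application Id, redirect URL, scope string and all response bodies are constructed placeholders; the endpoint layout follows Azure AD's v2.0 endpoints.

```python
# Added example (not GAM's own code): the Authorization, Token and User
# Information tabs of the GAM configuration expressed as OAuth 2.0 messages.
# All ids, URLs and response bodies below are constructed placeholders.
import json
from urllib.parse import urlencode, urlparse, parse_qs

TENANT = "00000000-0000-0000-0000-000000000000"      # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder Application Id
REDIRECT_URL = "https://example.com/app/oauth/gam/callback"  # assumed redirect URL
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
USERINFO_URL = "https://graph.microsoft.com/v1.0/me"
DEFAULT_SCOPE = "openid profile email User.Read"     # assumed; the page leaves scope blank


def build_authorize_url(state: str, scope: str = DEFAULT_SCOPE) -> str:
    """Authorization tab: response_type=code, scope, state, plus ClientID and RedirectURL."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URL,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Read the 'code' tag from the redirect back; surface error_description, reject a bad state."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(q.get("error_description", q["error"])[0])
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this login, discarding")
    return q["code"][0]


def build_token_request(code: str, client_secret: str) -> dict:
    """Token tab: grant_type=authorization_code, form-encoded, including client id, secret,
    redirect URL and the code (the 'Include = All' setting)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URL,
    }
    return {
        "url": f"{AUTHORITY}/token",
        "headers": {"Content-type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def parse_token_response(raw: str) -> dict:
    """Pick the tags named in the Token tab out of the JSON reply."""
    doc = json.loads(raw)
    if "error" in doc:
        raise ValueError(doc.get("error_description", doc["error"]))
    return {k: doc[k] for k in ("access_token", "token_type", "expires_in", "scope")}


def map_user_info(raw: str) -> dict:
    """User Information tab: map Graph /me fields to GAM attributes. Graph returns an
    'error' object whose 'message' is the error description; 'mail' may be null for
    accounts without a mailbox, so it is read with .get()."""
    doc = json.loads(raw)
    if "error" in doc:
        raise ValueError(doc["error"]["message"])
    return {
        "email": doc.get("mail"),
        "external_id": doc["id"],
        "name": doc["userPrincipalName"],
        "first_name": doc.get("givenName"),
        "last_name": doc.get("surname"),
    }


# Constructed sample replies, shaped like the Azure AD token and Graph /me responses.
TOKEN_REPLY = json.dumps({
    "token_type": "Bearer", "scope": "User.Read profile openid email",
    "expires_in": 3599, "access_token": "constructed.access.token",
})
USER_REPLY = json.dumps({
    "id": "abc123", "userPrincipalName": "jdoe@contoso.example",
    "givenName": "Jane", "surname": "Doe", "mail": "jdoe@contoso.example",
})

if __name__ == "__main__":
    state = "constructed-random-state"
    print(build_authorize_url(state))
    code = parse_callback(f"{REDIRECT_URL}?code=AUTHCODE&state={state}", state)
    print(build_token_request(code, "placeholder-client-secret")["body"])
    print(parse_token_response(TOKEN_REPLY)["token_type"])
    print(map_user_info(USER_REPLY))
```

Running the script prints the authorization URL, the form body GAM would post to the token endpoint, and the mapped user record. The state check in parse_callback is the one step worth keeping in mind when reading the GAM tabs: the State TAG exists so that a callback carrying a code the application did not request is rejected rather than logged in.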

Note 1:
Under the User Information tab, leave empty all the fields that are not specified in the configuration above.
For example, to solve the error "Code":284,"Message":"azuread account is not verified, first verify your azuread account.", check that the field "User Verified Email Tag" is empty.

Note 2:
The login to Azure Active Directory may also be done by entering the user credentials in your application, instead of on the Azure login page.
This is done by setting "Redirect to authenticate?" to FALSE.
In this case, under the Token tab, change the value of the "grant_type" tag to "password" and set Additional Parameters to "scope=".