Table of contents

Official Content

This tutorial explains how to authenticate your users with Microsoft Entra ID using GAM.

Basically, you need to use OAuth 2.0 Authentication Type and do some configurations on both sides—the Azure portal and the GAM's backend.

Configuration at the Microsoft Entra admin center

1. Define and register an application. See this guide from Microsoft.

2. Get the app's Application Id, since you'll need it later on:


3. Configure a Redirect URI. Go through the Authentication menu option (Panel on the left) and create a new Web platform. Then Add a Redirect URI of the form:



4. Go through Certificates and secrets, and create a new secret. You should copy the value of the secret, as it will be needed later.


5. In the Permissions tab, verify that you have added the following (User.Read of Microsoft.graph):


Configuration at GAM Backend

There are two possible configuration options:

1. Create a new OAuth 2.0 Authentication Type and define the basics: Name, Description, Images (optional), etc.

2. In the General tab, define the following:

Add general tab Oauth -gam v18

The Redirect URL is of the form:


Note: For the configuration of the following tabs, you'll need to check the Endpoints of your application in Microsoft Entra ID.


3. In the Authorization tab:

Response type TAG:  response_type      Value: code
Scope TAG:          scope              Value:
State TAG:          state
Include ClientID and RedirectURL
Access code TAG: code
Error description TAG: error_description

In the URL, note the specification of the tenant inside the Microsoft Entra ID.

4. In the Token tab:

Header Content type: Content-type      Value: application/x-www-form-urlencoded
Grant type:         grant_type        Value: authorization_code
Include = All
Access token TAG: access_token
Token type TAG: token_type
Expires in TAG: expires_in
Scope TAG: scope
Error description TAG: error_description
Validate external token = False

5. In the User Information tab:

Method: Get
Header Content type: Content-type      Value: application/json;charset=utf-8
Do not include anything
Email TAG: mail
External ID TAG: id
Name TAG:  userPrincipalName
First name TAG: givenName
Last name TAG: surname
Error description TAG: message


  • Under "User Information Tab", leave all the fields that are not specified in the configuration above empty.
    For example: To solve the Error: "Code":284,"Message":"azuread account is not verified, first verify your azuread account".
    Verify if the field "User Verified Email Tag" is empty.


  • The login to Microsoft Entra may be done by entering the user credentials in your application, not in the ME-ID portal.
    This is done by setting "Redirect to authenticate?" to FALSE.
    In case of error GAM 280 AADSTS900144: The request body must contain the following parameter: 'scope'. Please refer to SAC 51934.

Token tab-Oauth-gam v18

Last update: November 2023 | © GeneXus. All rights reserved. GeneXus Powered by Globant