Skip to main content

Umbraco Back-office Authentication With Azure Active Directory

There's a fair bit of information a Google search away about configuring Umbraco back-office authentation with providers such as Azure Active Directory, but things change, information gets outdated or doesn't quite apply - so mostly as a note to self, but maybe useful if anyone comes across it, here's a few notes and links I've used in setting this up at the end of 2020 and Umbraco 8.8.

First step was to follow the instructions in Shannon's blog post found here, to create an application registration in Azure AD and install the necessary NuGet packages into the Umbraco website project.

Having done this, and signed in as normal using the default administrator account, there's an option to link the account with Azure AD.

First time I tried that, I got the error: Error: "OpenIdConnectMessage.Error was not null, indicating an error. Error: 'unsupported_response_type'. Error_Description (may be empty): 'AADSTS700054: response_type 'id_token' is not enabled for the application."

This was fixed by this suggestion, amending the authentication settings in the Azure portal.

With that in place linking the AD account worked and I could then log in using it.

The next step was to set up auto-linking, so it wasn't necessary to create accounts in the back-office first.

Having added the UmbracoCms.IdentityExtensions.AzureActiveDirectory package, there's a class added in App_Start\UmbracoADAuthExtensions where the following code should be added:

    var autoLinkOptions = new ExternalSignInAutoLinkOptions(
        autoLinkExternalAccount: true,
        defaultUserGroups: new[] { "editor" },
        defaultCulture: "en-US")
        OnAutoLinking = (BackOfficeIdentityUser user, ExternalLoginInfo info) =>
            // this callback will execute when the user is being auto-linked but before it is created
            // so you can modify the user before it's persisted

With a new test user created on Azure AD, I then ran into this error: The requested provider ( has not provided an email address, the account cannot be linked.

This was solved thanks to the suggestion here, adding the following code to the same file:

    adOptions.Notifications = new OpenIdConnectAuthenticationNotifications()
        SecurityTokenValidated = async n =>
            var id = n.AuthenticationTicket.Identity;

            var nid = new ClaimsIdentity(

            nid.AddClaim(new Claim(ClaimTypes.Email, id.Name));

            n.AuthenticationTicket = new AuthenticationTicket(nid, n.AuthenticationTicket.Properties);

One last point - I found the user created in Azure AD needs to have a first and last name provided, or the above code would trip up on looking for the GivenName claim type. Of course likely a null check could be put in here.