OAuth 2 Microsoft service
Setup App In Microsoft
To setup an OAuth 2 client with Microsoft, first we need to login to the Microsoft Application Console and register a new application. Note that the application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal.
1. Choose a good name as this is what is shown to users when they are asked to approve the permissions. 2. For supported account types select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. 3. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
4. Click 'Register'.
5. Copy the 'Application (client) ID' to a safe place for later use.
6. Select 'Authentication' from side-bar menu.
7. Ensure implicit grant flow is disabled.
8. Select 'API permissions' from side-bar menu.
9. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.
10. Select 'Certificates & secrets' from side-bar menu.
11. Click 'New client secret' to create password/client secret.
12. Add a description and select when the password/secret will expire.
13. Copy the secret string value to a safe place for later use.
14. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.
15. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".
16. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.