Setting up OAuth for Microsoft

Quick Start Guide: OAuth2 Plugin for Moodle 4 with Microsoft Active Directory (AD)

This guide walks you through configuring OAuth2 authentication with Microsoft Active Directory (AD) in Moodle 4, so that users can log in to Moodle with their Microsoft accounts via Azure AD.

Step 1: Set Up Microsoft Azure AD Application

Before you configure OAuth2 in Moodle, you need to create an application in Microsoft Azure AD.
1. Log into Azure Portal:
   - Visit [https://portal.azure.com/](https://portal.azure.com/) and log in using your admin credentials.
2. Register a New Application:
   - Navigate to Azure Active Directory in the left sidebar.
   - Go to App Registrations and click on New Registration.
   - Fill in the required fields:
     - Name: Enter a name (e.g., "Moodle OAuth2").
     - Supported Account Types: Choose the appropriate option based on your needs (e.g., "Accounts in this organizational directory only").
     - Redirect URI: In the dropdown, select `Web` and enter the following URL:  
       `https://yourmoodlesite.com/admin/oauth2callback.php`
     - Click Register.
3. Configure API Permissions:
   - Once the app is registered, navigate to API Permissions under the app.
   - Click Add a permission > Microsoft Graph.
   - Under Delegated permissions, search and select the following permissions:
     - `email`
     - `offline_access`
     - `openid`
     - `profile`
     - `User.Read`
   - Click Add Permissions.
   - Optionally, click on Grant admin consent for your organization if required.
4. Generate Client Secret:
   - Go to Certificates & Secrets in your app settings.
   - Under Client Secrets, click New client secret.
   - Enter a description and expiration period.
   - Click Add and note the generated Client Secret (copy it as you will need it for Moodle configuration).
5. Copy Application (Client) ID and Directory (Tenant) ID:
   - In the Overview tab of your registered app, copy both Application (Client) ID and Directory (Tenant) ID.

Step 2: Configure OAuth2 in Moodle

Once the Azure AD application is ready, configure OAuth2 in Moodle.
1. Log into Moodle as Admin:
   - Log into your Moodle site using an admin account.
2. Navigate to OAuth2 Services:
   - Go to Site administration > Server > OAuth 2 services.
3. Add a New OAuth2 Service:
   - Click Create a new service 'Microsoft'.
   - Enter the following details:

     - Name: (e.g., "Microsoft OAuth2")
     - Client ID: Paste the Application (Client) ID from Azure AD.
     - Client Secret: Paste the Client Secret generated earlier.
     - Authorization Endpoint:  
       `https://login.microsoftonline.com/{Tenant_ID}/oauth2/v2.0/authorize`
     - Token Endpoint:  
       `https://login.microsoftonline.com/{Tenant_ID}/oauth2/v2.0/token`
     - User Info Endpoint:  
       `https://graph.microsoft.com/oidc/userinfo`
     - Scopes:  
       `openid profile email User.Read`
     - Token Handling: Select the appropriate token handling for your environment (e.g., `Authorization header`).
4. Set Redirect URI:
   - In the Redirect URIs section, ensure that the redirect URI matches the one you entered in Azure:  
     `https://yourmoodlesite.com/admin/oauth2callback.php`.
5. Save Changes:
   - Click Save changes to save the OAuth2 service configuration.
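To make the Step 2 settings concrete, here is an added, stand-alone example (not Moodle's own code) of the authorization request a client builds from the Authorization Endpoint, Client ID, Scopes and Redirect URI configured above, plus the checks to apply to the callback. The tenant ID and client ID are constructed placeholders; the PKCE `code_challenge` parameters go beyond what the page configures and are included as an extra hardening step.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values standing in for the Azure AD app registered in Step 1 (constructed, not real).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://yourmoodlesite.com/admin/oauth2callback.php"
SCOPES = "openid profile email User.Read"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"


def new_state_and_verifier():
    """Per-login random values: state binds the callback to this browser session,
    the PKCE verifier binds the later token exchange to this authorization request."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(64)


def build_authorize_url(state, code_verifier):
    """Authorization request sent to the Step 2 Authorization Endpoint."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "response_mode": "query",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Return the authorization code from the callback, or None if it must be rejected."""
    parsed = urlparse(callback_url)
    # Exact, case-sensitive match against the registered redirect URI (see Troubleshooting).
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        return None
    query = parse_qs(parsed.query)
    if "error" in query:  # e.g. the user declined consent or the app is misconfigured
        return None
    if query.get("state", [None])[0] != expected_state:  # session-binding / CSRF check
        return None
    return query.get("code", [None])[0]
```

The returned code is then exchanged at the Token Endpoint together with the client secret from Step 1 and, when PKCE is used, the same `code_verifier`.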

Step 3: Enable Microsoft OAuth2 Authentication for Moodle Users

1. Enable OAuth2 Authentication Plugin:
   - Go to Site administration > Plugins > Authentication > Manage authentication.
   - Enable OAuth2 by clicking the eye icon next to it.
2. Link the OAuth2 Service to an Authentication Method:
   - Go to Site administration > Server > OAuth 2 services.
   - Find the OAuth2 service you created (e.g., "Microsoft OAuth2") and click Connect next to it.
3. Set Default Identity Provider:
   - If you want to make Microsoft AD the default login option for your users, go to Site administration > Plugins > Authentication > OAuth 2 settings.
   - Set the Default Identity Provider to your Microsoft AD OAuth2 service.
4. Test the Configuration:
   - Log out of Moodle and try logging in using the Microsoft OAuth2 option.
   - You should be redirected to the Microsoft login page. After logging in, you will be redirected back to Moodle and logged in.

Step 4: Configure Auto-Creation and Sync of Users (Optional)

1. Auto-Creation of Users:
   - Go to Site administration > Plugins > Authentication > OAuth 2.
   - Enable Automatically create accounts so that when users log in via Microsoft AD for the first time, an account is automatically created in Moodle.
2. Sync with Azure AD (Optional):
   - Moodle allows the option to synchronize users and groups from Azure AD, but this requires additional plugins or scripts to be set up. Check Moodle’s documentation for advanced user sync options if required.

---

Troubleshooting Tips:

- Invalid Redirect URI: Ensure the redirect URI in Azure AD and Moodle matches exactly (case-sensitive).
- Token Expiration Issues: Check the expiry settings of the client secret and permissions granted.
- OAuth2 Plugin Not Working: Double-check API permissions, URLs, and that the OAuth2 plugin is enabled.
