AzureAD no longer accepts tenantId #12516

Open · tomitrescak opened this issue Jan 17, 2025 · 7 comments

Labels: bug (Something isn't working), providers, triage (Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.)

Comments


tomitrescak commented Jan 17, 2025

Provider type

Azure Active Directory

Environment

  System:
    OS: macOS 15.2
    CPU: (10) arm64 Apple M1 Max
    Memory: 246.92 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.6.0 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 10.5.2 - /opt/homebrew/bin/npm
    pnpm: 9.4.0 - /opt/homebrew/bin/pnpm
    bun: 1.0.0 - ~/.bun/bin/bun
  Browsers:
    Edge: 131.0.2903.147
    Safari: 18.2
  npmPackages:
    next: ^15.1.4 => 15.1.4 
    next-auth: 5.0.0-beta.25 => 5.0.0-beta.25 
    react: ^19.0.0 => 19.0.0 

Reproduction URL

https://github.com/tomitrescak/next-auth-azure-ad-error

Describe the issue

It looks like both the Azure Entra and Azure AD providers no longer accept the tenant ID.

This is my config

import AzureADProvider from "next-auth/providers/microsoft-entra-id";

AzureADProvider({
  name: "Organisation - Staff",
  id: "staff",
  clientId: env.STAFF_AZURE_CLIENT_ID,
  clientSecret: env.STAFF_AZURE_CLIENT_SECRET,
  tenantId: env.STAFF_AZURE_TENANT_ID, // <=== WILL BE ERROR
}),

Consequently, it seems that the tenant ID is being sent to Azure as "common", and not the required STAFF_AZURE_TENANT_ID.

This leads to the following error coming from Azure:

Application '{appId}'({appName}) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '{time}'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

How to reproduce

Add the AzureADProvider with the backend not supporting Multi-Tenancy applications and requiring tenantId

You can fix this by downgrading to next-auth 5.0.0-beta.22

Expected behavior

The "tenantId" should exist and be supported as per documentation at:

https://authjs.dev/getting-started/providers/azure-ad

@tomitrescak (Author)

FYI, the last version that is supporting tenantId is next-auth 5.0.0-beta.22

@benhovinga (Contributor)

Hi @tomitrescak, you seem to be importing the wrong auth provider module.

You have

import AzureADProvider from "next-auth/providers/microsoft-entra-id";

Give this a try

import AzureADProvider from "next-auth/providers/azure-ad"

The module next-auth/providers/microsoft-entra-id doesn't use a tenant id and instead uses an issuer.

You can find the documentation for the new Microsoft Entra ID here: https://authjs.dev/getting-started/providers/microsoft-entra-id

The documentation is incomplete and doesn't explain what the issuer variable should be. You can see issue #12314 for help configuring the issuer variable.

@tomitrescak (Author) commented Jan 28, 2025

@benhovinga, thank you for your reply, but I'm afraid it does not work.

The ADProvider does not have tenant in beta.25 (see below). It also seems to be obsolete.
The issuer on Entra does work, but it does not push through the Azure authentication.

Image

@benhovinga (Contributor)

Ok sorry, I see the issue and you are correct. The azure-ad provider was stripped of its original functionality and is now just a wrapper for the microsoft-entra-id provider. This is very odd; since azure-ad is considered deprecated, it should have been left in its original condition.

@tomitrescak (Author)

@benhovinga This is quite a problem for all legacy authentication systems using AD. I'm sure my organisation will not switch to Entra in the foreseeable future :(

When I tried just swapping to Entra and used tenantId as an issuer, I received a "Configuration Error" from the backend. So swapping one provider for another does not work :(

@benhovinga (Contributor)

@tomitrescak The issuer parameter is not the same as tenantId. The issuer parameter is supposed to be a URL; it takes the tenantId as part of the URL.

Here is an example of what my config looks like.

/** auth.ts */

import NextAuth from 'next-auth';
import MicrosoftEntraID from 'next-auth/providers/microsoft-entra-id';

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    MicrosoftEntraID({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID || '',
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET || '',
      issuer: `https://login.microsoftonline.com/${process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT || 'common'}/v2.0`,
      authorization: {
        params: {
          scope: 'openid profile email User.Read',
          prompt: 'select_account'
        }
      }
    })
  ]
});

The docs don't explain this very well, but that's what you get with beta software 😅. I had to learn this from issue #12314.
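As an added example, not code from this thread or from the next-auth project, the TypeScript helpers below do three things the thread circles around: build the `issuer` URL from a bare tenant value the way the config above does (and reject a malformed value at startup instead of surfacing it later as a "Configuration Error"), tell whether an issuer is pinned to a single tenant or uses the /common endpoint that produced the error in the original report, and check a decoded v2.0 ID token's `iss` and `tid` claims against the tenant the app was configured for. The function names are this example's own, and the tenant GUID and token claims are constructed sample values.

```typescript
// Added example (not part of the issue thread or of next-auth): helpers for
// building and checking a Microsoft Entra ID v2.0 issuer.
// Tenant GUID and token claims below are constructed sample values.

const ENTRA_AUTHORITY = "https://login.microsoftonline.com";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Multi-tenant aliases Entra accepts in the authority path instead of a tenant GUID.
const TENANT_ALIASES = new Set(["common", "organizations", "consumers"]);

export function isValidTenant(tenant: string): boolean {
  return GUID_RE.test(tenant) || TENANT_ALIASES.has(tenant);
}

// Turn a bare tenant value (what the old `tenantId` option took) into the
// v2.0 issuer URL the microsoft-entra-id provider expects. Throws on a
// malformed value so a bad env var fails at startup, not at sign-in time.
export function buildEntraIssuer(tenant: string | undefined): string {
  const t = (tenant ?? "").trim();
  if (!isValidTenant(t)) {
    throw new Error(`invalid Entra tenant: ${JSON.stringify(tenant)}`);
  }
  return `${ENTRA_AUTHORITY}/${t}/v2.0`;
}

// True when the issuer names one tenant GUID. A single-tenant app registration
// needs such an issuer; the /common alias is what triggered the reported error.
export function isTenantSpecific(issuer: string): boolean {
  const m = issuer.match(/^https:\/\/login\.microsoftonline\.com\/([^/]+)\/v2\.0$/);
  return m !== null && GUID_RE.test(m[1]);
}

// Check the `iss` and `tid` claims of a decoded v2.0 ID token against the
// configured tenant. v2.0 tokens carry the real tenant GUID in `iss` even when
// the app signed in through an alias, so for an alias any GUID is acceptable
// (an app that does that should keep its own allow-list of tenants).
export function issuerMatchesTenant(
  claims: { iss?: string; tid?: string },
  configuredTenant: string,
): boolean {
  if (!claims.iss || !claims.tid) return false;
  if (claims.iss !== `${ENTRA_AUTHORITY}/${claims.tid}/v2.0`) return false;
  if (TENANT_ALIASES.has(configuredTenant)) return GUID_RE.test(claims.tid);
  return claims.tid.toLowerCase() === configuredTenant.toLowerCase();
}

// Constructed sample values; not a real tenant, client or token.
export const SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555";
export const SAMPLE_CLAIMS = {
  iss: `${ENTRA_AUTHORITY}/${SAMPLE_TENANT}/v2.0`,
  tid: SAMPLE_TENANT,
  aud: "00000000-aaaa-bbbb-cccc-dddddddddddd",
};

// Walk through the three checks for the sample tenant.
export function demo(): string[] {
  const issuer = buildEntraIssuer(SAMPLE_TENANT);
  return [
    `issuer: ${issuer}`,
    `tenant-specific: ${isTenantSpecific(issuer)}`,
    `token tenant matches: ${issuerMatchesTenant(SAMPLE_CLAIMS, SAMPLE_TENANT)}`,
  ];
}

console.log(demo().join("\n"));
```

Pinning the issuer to the organisation's tenant GUID, as the config in this comment does, means an ID token minted for a different tenant fails the `iss` comparison outright; that is the stricter of the two configurations and the one to prefer for a single-tenant app. If an app must sign in through `common`, the `tid` claim is the only thing that says which tenant a token came from, so it has to be checked against an explicit allow-list rather than trusted.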

@tomitrescak (Author)

@benhovinga you are a life saver! That worked! ... I could close the issue as MY problem has been solved but I probably leave it open until I submit a PR to fix the docs.
