Sign in to Odoo with Microsoft Azure / Entra ID
A ready-to-use Microsoft single sign-on for Odoo. The Azure OAuth provider is pre-configured â just enter your Client ID and tenant in Settings and enable it. It also fixes the two classic Odoo + Azure login failures automatically, so users click Sign in with Microsoft and they're in.
Microsoft login that just works â no OAuth debugging
Wiring Azure SSO into Odoo by hand means fighting cryptic errors: users who can't be matched and a missing e-mail claim. This module ships the provider ready to go and handles both for you â so your team logs in with the Microsoft 365 accounts they already have.
Pre-configured provider
The Microsoft Azure OAuth provider is created on install â endpoints, scope and sign-in button already set. Add your Client ID and tenant, enable it, done.
Matches users by e-mail
Existing Odoo users are matched by their Azure e-mail / UPN against their login or e-mail â no per-user "reset password" linking step, and it survives database copies.
Robust e-mail resolution
When Azure omits the email claim, the address is read from upn / preferred_username / unique_name â and decoded from the token when needed.
A complete, production-grade Azure SSO
Fixes oauth_error=3
The classic "no matching user" failure is solved: sign-in matches accounts by e-mail (case-insensitive) instead of the provider's numeric subject id.
Handles the missing e-mail claim
Azure's userinfo endpoint often drops email. The address is pulled from alternate claims and, if needed, decoded from the access-token JWT payload.
Zero manual system params
Sets auth_oauth.authorization_header for you on install, so Microsoft Graph's /oidc/userinfo receives the Bearer token it requires.
One-click sign-in button
A Sign in with Microsoft Azure button appears on the Odoo login screen, styled with the Microsoft icon and ready the moment you enable the provider.
Survives environment copies
Because linking is by e-mail rather than a stored subject id, restoring a database or moving to a new environment doesn't break existing users' Microsoft login.
Works with your existing users
No public signup required. Pre-provisioned Odoo users log in through Azure with their Microsoft 365 identity â no per-user OAuth configuration.
From install to Microsoft sign-in in four steps
Install the module
The Microsoft Azure OAuth provider is created automatically, disabled and ready to configure â no XML or manual provider setup.
Register an Azure app
In the Azure portal, register an application and note its Client ID and Directory / tenant ID. Scopes needed: openid profile email.
Enter credentials & enable
Open Settings â Microsoft Azure, paste the Client ID and tenant, and enable the provider. Copy the redirect URI shown there.
Users log in
Register that redirect URI in your Azure app, and the Sign in with Microsoft button on the login page takes it from there.
Reads the e-mail from wherever Azure puts it
Azure spreads the user's address across different claims depending on the token version and endpoint. The module checks all of them, then falls back to decoding the token â so sign-in never fails just because email is absent.
Claims it inspects
The first claim containing an @ wins â checked in the userinfo response, then in the JWT.
What it prevents
no email claim → read from upn / JWT
The two failures that stop most Odoo + Azure setups â handled automatically.
Built for real logins
Not a bare provider record â a hardened sign-in flow with the fixes production Odoo instances actually need.
Requirements
A quick checklist to have Microsoft sign-in live.
- Odoo 18.0 (Community or Enterprise).
- The standard auth_oauth module (a dependency, installed for you).
- A Microsoft 365 / Entra ID tenant.
- An Azure app registration with its Client ID and tenant ID, and the openid profile email scopes.
- The Odoo redirect URI (shown in Settings) registered on that Azure app.
Frequently asked questions
Do I have to configure the OAuth provider by hand?
No. The Microsoft Azure provider is created automatically on install with the correct endpoints, scope and sign-in button. You only enter your Client ID and tenant in Settings and enable it.
Why did my Azure login fail with oauth_error=3 before?
That error means Odoo couldn't find a user matching the provider's subject id. This module matches users by their Azure e-mail / UPN against their Odoo login or e-mail instead, so existing users sign in without any per-user linking step.
Azure isn't returning an email claim â is that a problem?
No. Azure often exposes the address as upn, preferred_username or unique_name instead. The module reads the e-mail from any of these and, if necessary, decodes it from the access-token JWT payload.
Will existing users keep working after a database copy?
Yes. Because matching is by e-mail rather than a stored numeric id, restoring or duplicating the database doesn't break Microsoft login for your users.
Do users need public signup enabled?
No. Pre-provisioned Odoo users log in through Azure with their Microsoft 365 identity â no public signup and no per-user OAuth setup required.
Does it set the required system parameter?
Yes. On install it sets auth_oauth.authorization_header so Microsoft Graph's /oidc/userinfo endpoint receives the Bearer token it needs â one less thing to remember.
Microsoft Azure Login (SSO) for Odoo 18
Developed by Codevia
Microsoft, Azure, Entra ID and Microsoft 365 are trademarks of the Microsoft group of companies. This module is an independent integration and is not affiliated with or endorsed by Microsoft.
Please log in to comment on this module