This guide walks you through registering a Microsoft Entra ID application and configuring ngrok to use it for user authentication. The steps below follow Microsoft’s app registration documentation in the Azure portal.

What you’ll need

  • An Azure account and a tenant (or create a tenant).
  • Your ngrok authtoken and an endpoint with the OAuth action in its Traffic Policy.

Register an application

  1. Sign in to the Azure portal and select or create a tenant for your application.
  2. Search for Microsoft Entra ID and select it.
  3. In the left-hand navigation, select App registrations.
  4. Select New registration at the top.
  5. Enter a name for your application.
  6. ngrok does not support single-tenant applications. Choose one of these supported account types:
    • Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant)
    • Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox)
  7. Under redirect URI, choose Web and enter https://idp.ngrok.com/oauth2/callback.
  8. Click Register.

Configure your application

  1. With your application open, select Overview in the left-hand navigation.
  2. In the top information section, note the Application (client) ID for later.
  3. Select API permissions in the left-hand navigation.
  4. Add any additional scopes your application requires and note them for later.
    • Scopes that require application review by Microsoft are unsupported.
    • Scopes that require admin consent prevent tenants’ users from authorizing until consent is granted.
  5. Ensure User.Read or a more permissive scope (for example, User.Read.All) is configured for ngrok.
  6. Select Certificates & secrets in the left-hand navigation.
  7. Select New client secret at the bottom, name the secret, set an expiration, and click Add.
  8. Creation is asynchronous. When the secret appears, copy the Value and store it securely (the value is shown only once).

Update your ngrok endpoint Traffic Policy

  1. Open the Endpoints page in the ngrok Dashboard and select an existing endpoint to update, or create a new one.
  2. In your traffic policy, add the following configuration:
You may add any scopes your application requires, subject to the caveats listed under Configure your application above.
on_http_request:
  - actions:
      - type: oauth
        config:
          provider: microsoft
          client_id: '{your app''s oauth client id}'
          client_secret: '{your app''s oauth client secret}'
          scopes:
            - openid
            - email
            - profile
Click Save to validate and update your traffic policy.

Configure access control

Optionally, restrict access to your service by allowing only specific users or domains.
on_http_request:
  - expressions:
      - '!(actions.ngrok.oauth.identity.email in [''me@example.com''])'
    actions:
      - type: deny
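
A complete policy that combines the two snippets above and extends the allow rule to cover a whole domain as well as a single user. This is an added example, not taken from the ngrok documentation; example.com, me@example.com and the placeholder credentials are assumptions to replace with your own values.

```yaml
on_http_request:
  # Rule 1: authenticate with Microsoft. This rule comes first because the
  # deny rule below reads the identity that the oauth action provides.
  - actions:
      - type: oauth
        config:
          provider: microsoft
          client_id: "{your app's oauth client id}"
          client_secret: "{your app's oauth client secret}"
          scopes:
            - openid
            - email
            - profile

  # Rule 2: deny every authenticated identity that is not explicitly allowed.
  # The app registration is multitenant, so without this rule any account of
  # the supported account types can sign in and reach the service.
  - expressions:
      # Allowed: one named user (exact match), or any address ending in
      # "@example.com". Keep the leading "@" in the suffix: a test against
      # "example.com" alone would also match lookalike domains such as
      # "notexample.com".
      - >-
        !(actions.ngrok.oauth.identity.email in ['me@example.com'] ||
        actions.ngrok.oauth.identity.email.endsWith('@example.com'))
    actions:
      - type: deny
```

Both comparisons are case-sensitive string matches, so write the allowed addresses and domain in the same case the identity provider returns.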
