Skip to main content
Starting Soon
Increase Profitability and Learner Automation via Canvas Catalog
Starts at Nov 20, 2025 12:30 PM US/Pacific
Learn More
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configuring Microsoft OAuth for Canvas Authentication

Configuring Microsoft OAuth for Canvas Authentication

Overview

This article describes the process of configuring Microsoft’s OAuth protocol as an Identity Provider (IdP) ready to work with Canvas. 

CanvasDocTeam_0-1718308480416.png

 

 

Authentication Terminology

Term

Definition

Entra ID

Microsoft Entra ID is a cloud-based identity and access management service used to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.

IdP

Identity Provider

The job of the IdP is to identify users based on credentials. The IdP typically provides the login screen interface and presents information about the authenticated user to service providers after successful authentication.

Microsoft is the Identity Provider.

login_id

Username in Canvas terminology.

When information about an authenticated user is returned to Canvas, a user with a login_id matching the incoming data is looked for.

SAML

Security Assertion Markup Language

SIS

Student Information System

SIS ID

Unique ID of a user in Canvas.

Used to link a user to an outside system, often a Student Information System (SIS).

SLO

Single Logout

When a user logs out of a service, some IdPs can subsequently log the user out of all other services the user has authenticated to. 

Users will be logged out of Canvas but will not be logged out of Microsoft.

SSO

Single Sign-On

This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to the service.

Tenant

A tenant within Microsoft represents your organization and helps you to manage a specific instance of Microsoft Cloud services for your internal and external users.

 

Pre-requisites

  • Your organization must be using Microsoft Entra ID.

  • You likely will need to be able to log in to the Microsoft Entra ID admin console for your organization.

  • Unless you plan on using the Just in Time Provisioning feature, users must be created ahead of time with a login_id and an authentication_provider_id of “microsoft” (or the explicit id numeric value of the auth provider) before they will be able to login using the Microsoft Authentication method. See SIS Import Files documentation for more information

  • The login_id field in Canvas must match the selected “Login Attribute” claim returned from a successful Microsoft login response.

 

Login Release Valve

You may lock yourself out of Canvas while you are working on setting up authentication. If this happens, there is a way to log in to Canvas using local authentication.  Simply go to /login/canvas. For instance: https://<YOURDOMAIN>.instructure.com/login/canvas (This forces Canvas to display the local login page rather than redirecting to the SAML login page).

 

Configure Microsoft OAuth

  1. In Canvas, select Microsoft OAuth authentication by going to the Root Account of your Canvas Instance, selecting the Authentication tab on the left nav, and select Microsoft from the “Add an identity provider to this account” drop-down menu on the right.   

CanvasDocTeam_1-1718308480206.png

 

Set Tenants

Canvas requires at least 1 Entra ID tenant id to be populated to establish OAuth connection. How to find your Microsoft Entra tenant ID.

  1. Enter at least one Entra ID tenant ID in the Tenants field.
    • If only a single tenant is populated, the login will direct users to login to the tenant-branded Microsoft login page. Users who are not a part of that tenant will return “User not found.”
CanvasDocTeam_2-1718308480280.png

 

  1. To allow both institutional tenant and personal microsoft accounts, list both your tenant id and “microsoft” in the Tenants field, separated by commas. 
    • This will take users to the “common” microsoft login method that will allow for account discovery. 
    • If you have many institutional Entra ID tenants, they may all be listed with commas between them. 

CanvasDocTeam_3-1718308480321.png

NOTE: All incoming logins from Microsoft will return a tenant id (tid) in the login claim. For security reasons, the value of the incoming tid claim must match one of the configured tenant ids for a user to successfully login (even if the login attribute matches an existing user).

 

Set Login Attributes

All login attributes from Entra ID logins are potentially modifiable, except  tid and oid. To ensure user accounts cannot be compromised, only use an attribute besides tid+oid if you are certain it cannot be changed by users in all of your allowed Entra ID tenants.

  • tid+oid
    • Takes the tenant id and oid claims from logins and concatenates them together. 
  • sub
    • Uses the sub claim from successful logins
  • email
    • Uses the email claim from successful logins
  • old
    • Uses the oid claim from successful logins
  • preferred_username
    • Uses the preferred_username claim from successful logins
CanvasDocTeam_4-1718308480418.png

 

Set Just in Time Provisioning

If just in time provisioning is enabled, the configuration must use tid+oid as the login attribute for security reasons.

CanvasDocTeam_5-1718308480420.png

 

Set Federated Attributes

As a complement to JIT provisioning (but not dependent on it) all authentication providers support federated attributes. When users log into Canvas, more information beyond just ID is passed to Canvas, and that information is associated with their existing user accounts. 

Select the Canvas attribute value from the dropdown menu and click the “+ Attribute” button.

CanvasDocTeam_6-1718308480209.png

 

This will create a new attribute row where you can select the matching provider attribute. In the below example, users, when logging in, will have their name, sis_user_id and emails in Canvas updated to match the incoming Microsoft claims (Provider Attributes). 

Note: changes to the Canvas email attribute will create a new associated email to the user and not replace or remove the old value.

CanvasDocTeam_7-1718308480219.png

Debugging

Once your Microsoft configuration has been saved, additional options will appear. Click Start Debugging to launch the debugger tool. The debugger will start listening for a login event from Microsoft.

Clicking refresh after Canvas has received an attempted login event from Microsoft will display information about the claims sent as part of the login (including the tid the user login event originated from).

CanvasDocTeam_8-1718308480421.png

Was this article helpful? Yes No
Ask a Question View Related Guides
Related Guides
Have a question about Canvas? Ask in the Q&A forum:
Ask a Question
Embed this guide in your Canvas course:

Note: You can only embed guides in Canvas courses. Embedding on other sites is not supported.

Community help

View our top guides and resources:

Find My Canvas URL Help Logging into Canvas Generate a Pairing Code Canvas Browser and Computer Requirements Change Canvas Notification Settings Submit a Peer Review Assignment

To interact with Panda Bot, our automated chatbot, you need to sign up or log in:

Need help? Sign up or log in to interact with Panda Bot