The Microsoft 365 provider can authenticate using an interactive browser session. This method automatically opens a web browser to authenticate the user and is ideal for local development scenarios.

Prerequisites

  • A Microsoft Entra ID tenant
  • Permissions to create an app registration in your tenant
  • Access to a web browser on the machine running Terraform

Setup

2. Configure Authentication

  • Under “Authentication”, add a platform configuration for “Web”
  • Add a redirect URI (e.g., http://localhost:8888)
  • Ensure “Access tokens” and “ID tokens” are checked under “Implicit grant and hybrid flows”

3. Add API Permissions

  • Navigate to “API permissions”
  • Click “Add a permission” and select “Microsoft Graph”
  • Choose “Delegated permissions” (interactive browser uses delegated permissions)
  • Add the necessary permissions
  • Click “Grant admin consent”

Provider Configuration

Usage Workflow

When you run Terraform with interactive browser authentication:

1. Browser Opens

The provider will automatically open your default web browser.

2. Redirect to Login

You’ll be directed to the Microsoft login page.

3. Authenticate

After successful authentication, you’ll be redirected to the configured redirect URL.

4. Success Message

The browser may display a success message or a blank page.

5. Continue

Terraform will continue once authentication is complete.

Configuration Options

Login Hint

You can provide a username to pre-populate the login page:
entra_id_options = {
  username = "[email protected]"
}

Redirect URL

The redirect_url must exactly match one of the redirect URIs configured in your app registration:
entra_id_options = {
  redirect_url = "http://localhost:8888"
}
Ensure the redirect URL matches exactly, including protocol (http/https) and any trailing slashes.
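
The exact-match rule above can be checked before running Terraform. This is an added example, not code from the provider or its documentation: the function names are hypothetical, and the registered URIs are constructed sample values standing in for the ones you would copy from the app registration's "Authentication" page.

```python
from urllib.parse import urlsplit

def explain_mismatch(configured, registered):
    """List how two redirect URIs differ; an empty list means an exact match."""
    if configured == registered:
        return []
    c, r = urlsplit(configured), urlsplit(registered)
    diffs = []
    if c.scheme != r.scheme:
        diffs.append(f"protocol: {c.scheme} vs {r.scheme}")
    if c.hostname != r.hostname:
        diffs.append(f"host: {c.hostname} vs {r.hostname}")
    if c.port != r.port:
        diffs.append(f"port: {c.port} vs {r.port}")
    if c.path != r.path:
        if c.path.rstrip("/") == r.path.rstrip("/"):
            diffs.append("trailing slash")
        else:
            diffs.append(f"path: {c.path} vs {r.path}")
    # Strings differ but the parsed parts agree (e.g. letter case, query).
    return diffs or ["other difference (letter case, query or fragment)"]

def check_redirect_url(configured, registered_uris):
    """Return (ok, report); ok is True only for a character-for-character match."""
    if configured in registered_uris:
        return True, []
    report = [(uri, explain_mismatch(configured, uri)) for uri in registered_uris]
    report.sort(key=lambda item: len(item[1]))  # nearest miss first
    return False, report

if __name__ == "__main__":
    # Constructed sample values: the provider's redirect_url and the URIs
    # copied by hand from the app registration's "Authentication" page.
    configured = "http://localhost:8888"
    registered = ["https://localhost:8888", "http://localhost:8888/"]
    ok, report = check_redirect_url(configured, registered)
    print("exact match" if ok else "no exact match")
    for uri, diffs in report:
        print(f"  {uri}: {', '.join(diffs)}")
```

The report lists the nearest miss first, so a trailing-slash or protocol difference shows up ahead of an unrelated URI.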

Use Cases

Interactive browser authentication is ideal for:

  • Local Development: Rapid development and testing on your local machine
  • Testing: Testing and troubleshooting configurations
  • First-time Setup: Initial setup and configuration
  • User-specific Permissions: Scenarios requiring user-specific permissions

Security Considerations

Security Notes
  • This method grants permissions based on the authenticated user’s privileges
  • For automated processes, use client secret, certificate, or OIDC authentication
  • The default token lifetime is one hour
  • For shared machines, be cautious as the browser may retain cookies
  • Always log out when finished

Troubleshooting

  • The provider may not be able to launch a browser automatically. Manually open the browser and navigate to the URL displayed in the logs.
  • Ensure the redirect URL in your configuration exactly matches the one in your app registration, including protocol (http/https) and any trailing slashes.
  • Ensure you’ve granted admin consent for the required permissions in your app registration.
  • Some security tools may block automated browser launching. In these cases, use device code authentication instead.
