Microsoft Entra ID SSO for BookStack

This guide shows how to integrate BookStack with Microsoft Entra ID.

Note: If BookStack is used as a larger enterprise documentation platform, evaluate whether generic OIDC or SAML is the better long-term choice. The built-in AzureAD social login is simple, but not always the most flexible option.

When this approach fits

Use this guide if:

  • you want simple Microsoft-based sign-in
  • BookStack is a smaller or mid-sized internal platform
  • advanced group sync is not a hard requirement

Prerequisites

  • BookStack is deployed and reachable via HTTPS
  • you can edit the .env file or container environment variables
  • permission to create an app registration in Microsoft Entra ID

Step 1: Create the app registration

Create a new app registration in Microsoft Entra ID with these settings:

  • Platform: Web
  • Redirect URI: https://<bookstack-domain>/login/service/azure/callback

Record the Application ID, Tenant ID and Client Secret. They are the values for the variables in Step 3.

Step 2: API permissions

For this login model, User.Read is typically sufficient.

Step 3: Configure BookStack

Add these variables to your BookStack .env or container configuration:

AZURE_APP_ID=<client-id>
AZURE_APP_SECRET=<client-secret>
AZURE_TENANT=<tenant-id>
AZURE_AUTO_REGISTER=true
AZURE_AUTO_CONFIRM_EMAIL=true

Best practices

  • use HTTPS only
  • keep the app registration dedicated to BookStack
  • use auto-registration only if onboarding should be self-service
  • consider OIDC or SAML if role and group mapping becomes important
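A pre-deployment check of the Step 3 variables against the points above, as an added example that is not part of BookStack or of the original guide. It assumes the same file also carries APP_URL, BookStack's base URL setting, which this page does not show; the sample values are constructed.

```python
import re

REQUIRED = ("AZURE_APP_ID", "AZURE_APP_SECRET", "AZURE_TENANT")
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def parse_env(text):  # KEY=VALUE lines; blanks and # comments are ignored
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def callback_url(app_url):
    """Redirect URI to register in Entra ID (Step 1 of the guide)."""
    return app_url.rstrip("/") + "/login/service/azure/callback"

def audit(text):
    """Return (level, message) findings for a BookStack .env file."""
    env, findings = parse_env(text), []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value or value.startswith("<"):
            findings.append(("error", f"{key} is missing or still a placeholder"))
    # Assumption: APP_URL (BookStack's base URL setting) is in the same file.
    if not env.get("APP_URL", "").startswith("https://"):
        findings.append(("error", "APP_URL is not an https:// URL"))
    tenant = env.get("AZURE_TENANT", "")
    if tenant and not tenant.startswith("<") and not GUID.match(tenant):
        findings.append(("warn", "AZURE_TENANT is not a tenant GUID (multi-tenant alias?)"))
    if env.get("AZURE_AUTO_REGISTER", "").lower() == "true":
        findings.append(("info", "auto-registration on: first sign-in creates an account"))
    return findings

# Constructed sample with deliberate mistakes, not a real deployment.
SAMPLE = """\
APP_URL=http://wiki.example.internal
AZURE_APP_ID=11111111-2222-3333-4444-555555555555
AZURE_APP_SECRET=<client-secret>
AZURE_TENANT=common
AZURE_AUTO_REGISTER=true
AZURE_AUTO_CONFIRM_EMAIL=true
"""

if __name__ == "__main__":
    for level, msg in audit(SAMPLE):
        print(f"{level:5} {msg}")
    print("redirect URI:", callback_url("https://wiki.example.internal"))
```

Any "error" finding should block the rollout; the "info" line is a prompt to confirm that self-service onboarding is intended.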

Summary

The built-in Azure/Microsoft login in BookStack is a clean solution for simple internal SSO. For more advanced enterprise access models, evaluate OIDC or SAML.