Microsoft Entra ID SSO for BookStack

This guide shows how to integrate BookStack with Microsoft Entra ID.

Note: If BookStack is used as a larger enterprise documentation platform, evaluate whether generic OIDC or SAML is the better long-term choice. The built-in AzureAD social login is simple, but not always the most flexible option.

When this approach fits

Use this guide if:

  • you want simple Microsoft-based sign-in
  • BookStack is a smaller or mid-sized internal platform
  • advanced group sync is not a hard requirement

Prerequisites

  • BookStack is deployed and reachable via HTTPS
  • you can edit the .env file or container environment variables
  • permission to create an app registration in Microsoft Entra ID

Step 1: Create the app registration

  • Platform: Web
  • Redirect URI: https://<bookstack-domain>/login/service/azure/callback

Record the Application ID, Tenant ID and Client Secret.

Step 2: API permissions

For this login model, User.Read is typically sufficient.

Step 3: Configure BookStack

Add these variables to your BookStack .env or container configuration:

AZURE_APP_ID=<client-id>
AZURE_APP_SECRET=<client-secret>
AZURE_TENANT=<tenant-id>
AZURE_AUTO_REGISTER=true
AZURE_AUTO_CONFIRM_EMAIL=true
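
A pre-flight check for these settings, as an added example that is not part of BookStack or of this guide's original text: it flags unfilled placeholders, non-GUID IDs and a non-HTTPS base URL, and derives the redirect URI to compare against the app registration. It assumes BookStack's APP_URL base-URL setting is in the same file; the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/login/service/azure/callback"  # path from Step 1
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Constructed sample with typical mistakes; not a real deployment.
SAMPLE_ENV = """\
APP_URL=http://wiki.example.internal
AZURE_APP_ID=11111111-2222-3333-4444-555555555555
AZURE_APP_SECRET=<client-secret>
AZURE_TENANT=contoso
AZURE_AUTO_REGISTER=true
AZURE_AUTO_CONFIRM_EMAIL=true
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def check(env):
    """Return (findings, redirect_uri); redirect_uri is None without HTTPS."""
    findings = []
    for key in ("AZURE_APP_ID", "AZURE_APP_SECRET", "AZURE_TENANT"):
        value = env.get(key, "")
        if not value or value.startswith("<"):
            findings.append(f"{key} is missing or still a placeholder")
        elif key != "AZURE_APP_SECRET" and not GUID.match(value):
            findings.append(f"{key} is not a GUID")
    url = urlsplit(env.get("APP_URL", ""))
    https_ok = url.scheme == "https" and bool(url.netloc)
    if not https_ok:
        findings.append("APP_URL must be an https:// URL")
    if env.get("AZURE_AUTO_REGISTER", "").lower() == "true":
        findings.append("notice: auto-registration creates accounts at first sign-in")
    redirect = f"https://{url.netloc}{url.path.rstrip('/')}{CALLBACK_PATH}" if https_ok else None
    return findings, redirect

if __name__ == "__main__":
    findings, redirect = check(parse_env(SAMPLE_ENV))
    for finding in findings:
        print("-", finding)
    print("Redirect URI to register:", redirect)
```

The derived redirect URI must match the one entered in the app registration exactly.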

Best practices

  • use HTTPS only
  • keep the app registration dedicated to BookStack
  • use auto-registration only if onboarding should be self-service
  • consider OIDC or SAML if role and group mapping becomes important

Summary

The built-in Azure/Microsoft login in BookStack is a clean solution for simple internal SSO. For more advanced enterprise access models, evaluate OIDC or SAML.