Microsoft Entra ID SSO for Mealie
This guide shows how to configure Mealie with Microsoft Entra ID using OpenID Connect (OIDC).
Important design note
If Mealie holds a client secret, register the application under the Web platform, which is Entra ID's confidential-client type. Do not register it (or describe it in your runbook) as a Single-page application: that platform is for public clients that use the authorization code flow with PKCE and no secret, which is not how a server-side app like Mealie authenticates.
Why use OIDC with Mealie
Benefits:
- centralized login
- optional self-service user creation
- optional group-based restrictions
- easier identity lifecycle management
Prerequisites
- Mealie is deployed and reachable via HTTPS
- you can edit environment variables or Docker Compose
- permission to create an app registration in Microsoft Entra ID
Step 1: Create the app registration
Recommended settings:
- Platform: Web
- Redirect URI: the exact external callback URL that Mealie sends, including scheme, host and path as seen through your reverse proxy; check the OIDC section of the Mealie documentation for your version, because Entra ID rejects any redirect URI that does not match character for character
- Token configuration: add the groups claim, because Entra ID does not emit it by default. Prefer the "Groups assigned to the application" option so the claim stays below the token overage limit (when a user has too many groups, Entra omits the claim and inserts a `_claim_names` reference instead). Note that the claim carries group object IDs unless you explicitly configure it to emit names
- Certificates & secrets: create a client secret and record its expiry date so it can be rotated before it lapses
Record the Tenant ID, the Application (client) ID and the client secret value; the secret value is shown only once at creation.
Step 2: Configure OIDC in Mealie
Set the following environment variables (in the Docker Compose environment: section or an env file), substituting the values recorded in Step 1:
OIDC_AUTH_ENABLED=true
OIDC_SIGNUP_ENABLED=true
OIDC_CONFIGURATION_URL=https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
OIDC_CLIENT_ID=<client-id>
OIDC_CLIENT_SECRET=<client-secret>
OIDC_PROVIDER_NAME=Microsoft Entra ID
OIDC_USER_CLAIM=email
OIDC_NAME_CLAIM=name
OIDC_GROUPS_CLAIM=groups
Optional:
- OIDC_USER_GROUP=<group> to allow login only for members of one specific group
- OIDC_ADMIN_GROUP=<group> to make members of that group Mealie admins
- ALLOW_PASSWORD_LOGIN=false, only after OIDC login has been tested end to end
The group values must match what actually appears in the token's groups claim (by default, Entra ID object IDs).
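Before flipping ALLOW_PASSWORD_LOGIN, it is worth confirming that a real id_token from your tenant carries the claims the settings above name. The following pre-flight checker is an added example written for this guide, not Mealie's own code: it decodes an id_token payload (no signature verification, since this is a configuration sanity check you run against a token obtained from your own tenant, not an authentication path) and reports whether the issuer, audience, user/name claims and configured groups line up. The tenant, client and group identifiers, the two sample tokens and the helper names are all constructed placeholders.

```python
"""Pre-flight check for the claims Mealie reads from an Entra ID id_token.

Added example for this guide, not Mealie's code. The token is decoded
without signature verification: this is a sanity check run against a
token you obtained from your own tenant, not an authentication path.
"""
import base64
import json

# Constructed placeholders standing in for the values recorded in Step 1.
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
USER_GROUP = "99999999-8888-7777-6666-555555555555"
ADMIN_GROUP = "00000000-1111-2222-3333-444444444444"

# The Mealie settings from this guide, as the checker sees them.
SETTINGS = {
    "OIDC_CONFIGURATION_URL": f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration",
    "OIDC_CLIENT_ID": CLIENT,
    "OIDC_USER_CLAIM": "email",
    "OIDC_NAME_CLAIM": "name",
    "OIDC_GROUPS_CLAIM": "groups",
    "OIDC_USER_GROUP": USER_GROUP,
    "OIDC_ADMIN_GROUP": ADMIN_GROUP,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for the constructed samples below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_payload(id_token: str) -> dict:
    """Return the claims of a JWT payload. No signature check (see module doc)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(config_url: str) -> str:
    # The Entra v2.0 issuer is the discovery URL without the well-known suffix.
    suffix = "/.well-known/openid-configuration"
    if not config_url.endswith(suffix):
        raise ValueError("OIDC_CONFIGURATION_URL does not end with the discovery suffix")
    return config_url[: -len(suffix)]


def check_claims(claims: dict, settings: dict) -> dict:
    """Return findings keyed by check name; True means the claim is usable."""
    groups_claim = settings["OIDC_GROUPS_CLAIM"]
    groups = claims.get(groups_claim, [])
    # Group overage: Entra omits the groups claim and adds _claim_names /
    # _claim_sources pointing at Graph, so a group gate has nothing to match.
    overage = groups_claim not in claims and "_claim_names" in claims
    return {
        "issuer_ok": claims.get("iss") == expected_issuer(settings["OIDC_CONFIGURATION_URL"]),
        "audience_ok": claims.get("aud") == settings["OIDC_CLIENT_ID"],
        "user_claim_present": bool(claims.get(settings["OIDC_USER_CLAIM"])),
        "name_claim_present": bool(claims.get(settings["OIDC_NAME_CLAIM"])),
        "groups_overage": overage,
        "in_user_group": settings["OIDC_USER_GROUP"] in groups,
        "in_admin_group": settings["OIDC_ADMIN_GROUP"] in groups,
    }


def problems(findings: dict) -> list:
    """Translate findings into the things to fix in Entra or in Mealie's env."""
    msgs = []
    if not findings["issuer_ok"]:
        msgs.append("iss does not match the tenant in OIDC_CONFIGURATION_URL")
    if not findings["audience_ok"]:
        msgs.append("aud is not OIDC_CLIENT_ID: token was issued for another app")
    if not findings["user_claim_present"]:
        msgs.append("OIDC_USER_CLAIM is empty: check the email scope/optional claim")
    if not findings["name_claim_present"]:
        msgs.append("OIDC_NAME_CLAIM is empty: the profile scope may be missing")
    if findings["groups_overage"]:
        msgs.append("groups overage: emit only groups assigned to the application")
    elif not findings["in_user_group"]:
        msgs.append("user is not in OIDC_USER_GROUP, so login would be refused")
    return msgs


# Constructed sample tokens: one healthy, one hit by group overage.
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
GOOD_TOKEN = make_sample_token({"iss": ISSUER, "aud": CLIENT, "email": "alice@example.com",
                                "name": "Alice Example", "groups": [USER_GROUP]})
OVERAGE_TOKEN = make_sample_token({"iss": ISSUER, "aud": CLIENT, "email": "bob@example.com",
                                   "name": "Bob Example", "_claim_names": {"groups": "src1"},
                                   "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/{oid}/getMemberObjects"}}})

if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(label, problems(check_claims(decode_payload(tok), SETTINGS)) or "OK")
```

To use it against your own tenant, paste a real id_token (for example one captured from a test sign-in) in place of the constructed samples; an empty problem list means the Mealie settings and the Entra token configuration agree.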
Best practices
- keep the app registration dedicated to Mealie; do not share one registration and secret across applications
- use HTTPS only, for both the Mealie base URL and the registered redirect URI
- document the exact callback URL used, since a mismatch is the most common cause of a failed login
- treat the client secret as a credential: keep it out of version control, and track its expiry so it is rotated before it lapses
- use group-based filtering (OIDC_USER_GROUP) if access should be limited; Microsoft documents the email claim as mutable and not guaranteed verified, so do not rely on the email address alone as the access decision
- disable password login only after OIDC is fully tested, and keep at least one admin account you can reach if the identity provider is unavailable
Summary
When Mealie holds a client secret, its Microsoft Entra ID integration is the standard OIDC confidential-client pattern: register it under the Web platform, give it an exact redirect URI, emit the groups claim, and gate access on a group rather than on the email claim alone.