Microsoft Entra ID SSO for Mealie
This guide shows how to configure Mealie with Microsoft Entra ID using OpenID Connect (OIDC).
Important design note
If you use a client secret, register the application as a Web / confidential client. Do not register or document it as a Single Page Application when the backend is using a client secret: the SPA platform is meant for public clients that run in the browser and use PKCE without a secret, whereas Mealie's backend holds the secret and performs the authorization-code exchange server-side, which is the confidential-client pattern.
Why use OIDC with Mealie
Benefits:
- centralized login
- optional self-service user creation
- optional group-based restrictions
- easier identity lifecycle management
Prerequisites
- Mealie is deployed and reachable via HTTPS
- you can edit environment variables or Docker Compose
- permission to create an app registration in Microsoft Entra ID
Step 1: Create the app registration
Recommended settings:
- Platform: Web
- Redirect URI: the exact callback URL your Mealie deployment sends, as determined by your Mealie version and reverse proxy design. Scheme, host, port and path must match character for character (use the public HTTPS URL when Mealie sits behind a proxy); Entra refuses the authorization request on any mismatch.
Record the Tenant ID, Client ID and Client Secret. The secret value is displayed only once at creation and has an expiry date; note both.
Step 2: Configure OIDC in Mealie
OIDC_AUTH_ENABLED=true
OIDC_SIGNUP_ENABLED=true
OIDC_CONFIGURATION_URL=https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
OIDC_CLIENT_ID=<client-id>
OIDC_CLIENT_SECRET=<client-secret>
OIDC_PROVIDER_NAME=Microsoft Entra ID
OIDC_USER_CLAIM=email
OIDC_NAME_CLAIM=name
OIDC_GROUPS_CLAIM=groups
Optional:
- OIDC_USER_GROUP: allow login only for members of one specific group
- OIDC_ADMIN_GROUP: make members of one specific group Mealie admins
- ALLOW_PASSWORD_LOGIN=false: only after OIDC login has been tested end to end
Caveats for the group settings with Entra ID: the groups claim is not emitted until you add it under the app registration's Token configuration, and by default it contains group object IDs (GUIDs), not display names, so OIDC_USER_GROUP and OIDC_ADMIN_GROUP must be set to the object ID unless you change the claim format. If a user is a member of more groups than fit in the token, Entra omits the groups claim and emits an overage pointer (_claim_names / _claim_sources) that Mealie cannot follow; restricting the claim to groups assigned to the application avoids this. The email claim is only present when the account has a mail attribute, so guest accounts may fail to map to a Mealie user.
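Before disabling password login it is worth confirming that the id_token Entra issues actually carries the claims the settings above rely on. The script below is an added example written for this guide, not Mealie or Microsoft code: it decodes a token payload without verifying the signature (diagnostic use only, never for authentication) and reports what the guide's settings would do with it. The group object IDs, user names and sample payloads are constructed placeholders, not values from a real tenant.

```python
"""Check an Entra ID id_token payload against Mealie-style OIDC settings.

Added example for this guide, not part of Mealie or Microsoft documentation.
The payload is decoded WITHOUT signature verification, so only use it to
inspect a token you obtained yourself while testing. Never use it to
authenticate anything.
"""
import base64
import json

# Mirrors the env vars from the guide. The group values are hypothetical Entra
# group object IDs: by default Entra emits object IDs (GUIDs) in the groups
# claim, not display names, so that is what Mealie must be configured with.
MEALIE_SETTINGS = {
    "OIDC_USER_CLAIM": "email",
    "OIDC_NAME_CLAIM": "name",
    "OIDC_GROUPS_CLAIM": "groups",
    "OIDC_USER_GROUP": "11111111-2222-3333-4444-555555555555",
    "OIDC_ADMIN_GROUP": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload_unverified(id_token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostic only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_claims(payload: dict, settings: dict = MEALIE_SETTINGS) -> dict:
    """Evaluate a decoded payload the way the guide's settings would.

    Returns {'user': identifier or None, 'allowed': bool, 'admin': bool,
    'problems': [human-readable findings]}.
    """
    problems = []
    user = payload.get(settings["OIDC_USER_CLAIM"])
    if not user:
        problems.append(
            f"no '{settings['OIDC_USER_CLAIM']}' claim: Entra only emits it when the "
            "email scope is requested and the account has a mail attribute "
            "(guest accounts often lack it)"
        )
    if not payload.get(settings["OIDC_NAME_CLAIM"]):
        problems.append(f"no '{settings['OIDC_NAME_CLAIM']}' claim")

    groups = payload.get(settings["OIDC_GROUPS_CLAIM"])
    if groups is None:
        if "_claim_names" in payload:
            # Entra replaces the groups claim with an overage pointer when the
            # user is in too many groups; Mealie cannot follow that pointer.
            problems.append("groups overage: Entra emitted _claim_names instead of "
                            "groups; restrict the claim to groups assigned to the app")
        else:
            problems.append(f"no '{settings['OIDC_GROUPS_CLAIM']}' claim: enable the "
                            "groups claim under Token configuration")
        groups = []

    user_group = settings.get("OIDC_USER_GROUP")
    admin_group = settings.get("OIDC_ADMIN_GROUP")
    allowed = user_group is None or user_group in groups
    admin = admin_group is not None and admin_group in groups
    if not allowed:
        problems.append(f"not a member of OIDC_USER_GROUP {user_group}; login refused")
    return {"user": user, "allowed": allowed, "admin": admin, "problems": problems}


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token (fake signature) for offline tests."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "sample"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.not-a-real-signature"


# Constructed sample payloads, not captured from a real tenant.
SAMPLE_ADMIN = {"email": "alice@example.com", "name": "Alice",
                "groups": [MEALIE_SETTINGS["OIDC_USER_GROUP"], MEALIE_SETTINGS["OIDC_ADMIN_GROUP"]]}
SAMPLE_GUEST = {"preferred_username": "bob_live.com#EXT#@example.onmicrosoft.com", "name": "Bob",
                "groups": [MEALIE_SETTINGS["OIDC_USER_GROUP"]]}
SAMPLE_OVERAGE = {"email": "carol@example.com", "name": "Carol",
                  "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/placeholder/getMemberObjects"}}}

if __name__ == "__main__":
    for label, sample in [("admin", SAMPLE_ADMIN), ("guest", SAMPLE_GUEST), ("overage", SAMPLE_OVERAGE)]:
        result = check_claims(decode_payload_unverified(make_sample_token(sample)))
        print(label, json.dumps(result, indent=2))
```

To check a real test login, paste the id_token you captured into decode_payload_unverified and feed the result to check_claims; an empty problems list with allowed=True is the state you want before setting ALLOW_PASSWORD_LOGIN=false. Adjust MEALIE_SETTINGS to the object IDs of your own groups first.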
Best practices
- keep the app registration dedicated to Mealie
- use HTTPS only
- document the exact callback URL used
- use group-based filtering if access should be limited
- track the client secret's expiry date in Entra and rotate it before it lapses; an expired secret stops every OIDC login
- disable password login only after OIDC is fully tested, and keep a tested way back in (re-enabling ALLOW_PASSWORD_LOGIN through the environment) in case the identity provider or the secret breaks
Summary
For Mealie, Microsoft Entra ID integration should be documented as a standard OIDC confidential client pattern when a client secret is used.