usda-vision/docs/SELF_HOSTED_AZURE_SETUP.md

# Self-Hosted Supabase - Microsoft Entra Setup

## Quick Setup Guide

For self-hosted Supabase instances, OAuth providers such as Microsoft Entra ID (formerly Azure AD) are configured through config files and environment variables rather than through the dashboard UI.

### Step 1: Configure Azure Application

Follow steps 1-4 in MICROSOFT_ENTRA_SETUP.md to:

  1. Register your app in Azure Portal
  2. Get your Client ID and Secret
  3. Set up API permissions
  4. Configure token claims

Important: register the redirect URI exactly as the browser will reach the auth service:

```
https://<your-host>:<supabase-port>/auth/v1/callback
```

Example: `https://192.168.1.100:54321/auth/v1/callback`

Entra ID accepts a plain `http://` redirect URI only for `localhost`, so a LAN IP or hostname needs TLS (for example a reverse proxy) in front of Supabase before the URI can be registered. The scheme, host and port must also match the external URL the auth service (GoTrue) is configured with (`API_EXTERNAL_URL` in the Docker self-hosted stack), because that is what it sends to Microsoft as `redirect_uri`; any difference produces a redirect-URI mismatch error at sign-in.

### Step 2: Configure Supabase

The Azure provider configuration is already present in supabase/config.toml:

```toml
[auth.external.azure]
enabled = false  # Change this to true
client_id = "env(AZURE_CLIENT_ID)"
secret = "env(AZURE_CLIENT_SECRET)"
redirect_uri = ""
url = "https://login.microsoftonline.com/env(AZURE_TENANT_ID)/v2.0"
skip_nonce_check = false
```

Leave `redirect_uri` empty unless the callback is reached through a URL other than the auth service's external URL. Keep `skip_nonce_check = false`: it disables the ID-token nonce check that ties the token to the sign-in request, and is only meant for clients that cannot generate a nonce. `url` is the tenant base that GoTrue extends into the Microsoft authorize and token endpoints (`.../oauth2/v2.0/authorize` and `.../oauth2/v2.0/token`); leaving it empty sends users to the `common` endpoint, which accepts accounts from any tenant. If Microsoft answers the sign-in redirect with a 404, inspect the `Location` header returned by `/auth/v1/authorize?provider=azure`: a path of the form `/<tenant>/v2.0/oauth2/v2.0/authorize` means the `/v2.0` suffix on `url` must be dropped.

### Step 3: Set Environment Variables

  1. Copy the example file:

     ```sh
     cp .env.azure.example .env.azure
     ```

  2. Edit .env.azure with your actual values:

     ```sh
     AZURE_CLIENT_ID=your-application-client-id
     AZURE_CLIENT_SECRET=your-client-secret
     AZURE_TENANT_ID=common  # or your specific tenant ID
     ```

     `common` lets any Microsoft account (personal, or from any organisation) reach the sign-in page and rely on your application to reject unwanted users. For an internal application, put the directory (tenant) ID of your own tenant here and select the single-tenant account type in the app registration, so that accounts from other tenants are rejected by Microsoft itself.

  3. Export the variables before starting Supabase. A plain `source` only creates shell variables, which child processes such as the Supabase CLI or docker-compose never see; wrap it in `set -a` so every variable in the file is exported:

     ```sh
     set -a; source .env.azure; set +a
     ```

     Or add them to your docker-compose environment.

### Step 4: Enable Azure Provider

Edit supabase/config.toml and change:

```toml
[auth.external.azure]
enabled = true  # Change from false to true
```

### Step 5: Restart Supabase

The config file and environment variables are read at container start, so the auth service must be recreated:

```sh
docker-compose down
docker-compose up -d
```

Or, if using the project script:

```sh
./docker-compose.sh restart
```

### Step 6: Enable in Application

In management-dashboard-web-app/.env:

```sh
VITE_ENABLE_MICROSOFT_LOGIN=true
```

Vite inlines `VITE_*` variables into the bundle at build time, so rebuild (or restart the dev server of) the dashboard after changing this value.

## Verification

  1. Check the auth service logs for the provider being loaded:

     ```sh
     docker-compose logs auth | grep -i azure
     ```

  2. You should see the Microsoft login button on your application's login page.

  3. Click it and verify that you are redirected to Microsoft login, and that after signing in you land back in the application rather than on an error page from Microsoft or from the auth service.
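To check a finished setup without clicking through the browser, here is a preflight script written for this guide (an added example, not code from the usda-vision project). It parses `.env.azure` in the format shown in Step 3, applies the rules above (callback path, Entra ID's https rule, tenant restriction) offline, and then, against a running stack, reads `/auth/v1/settings` and inspects the `Location` header that `/auth/v1/authorize?provider=azure` returns, which is where a wrong `url` or redirect URI first shows up. The base URL, the anon key, the `apikey` header (assumed to be what the Kong gateway wants on `/settings`) and the `.env.azure` path are assumptions; the sample values near the top are constructed.

```python
"""Preflight checks for the Microsoft Entra provider on self-hosted Supabase. Added example
for this guide, not usda-vision code; host, port, anon key, apikey header and file path are assumptions."""
import json, re, sys
import urllib.error, urllib.parse, urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
CALLBACK_PATH = "/auth/v1/callback"
MULTI_TENANT = ("common", "organizations", "consumers")

# Constructed sample input (not real credentials) for the offline checks.
SAMPLE_ENV = """AZURE_CLIENT_ID=11111111-2222-3333-4444-555555555555
AZURE_CLIENT_SECRET=not-a-real-secret
AZURE_TENANT_ID=common  # or your specific tenant ID
"""
SAMPLE_LOCATION = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsupabase.example.internal%2Fauth%2Fv1%2Fcallback"
    "&scope=email+profile+openid&state=abc"
)

def load_dotenv(text):
    """Parse KEY=VALUE lines as written in .env.azure; drops '#' comments and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.split(" #", 1)[0].strip().strip("'\"")
    return env

def check_redirect_uri(uri):
    """Entra ID accepts http:// redirect URIs only for localhost; path must be GoTrue's callback."""
    u, problems = urllib.parse.urlsplit(uri), []
    if u.path != CALLBACK_PATH:
        problems.append(f"path is {u.path!r}, expected {CALLBACK_PATH}")
    if u.scheme == "http" and u.hostname not in ("localhost", "127.0.0.1"):
        problems.append("http:// is only accepted for localhost; put TLS in front of Supabase")
    return problems

def check_env(env):
    """Flag placeholders, a malformed client ID and tenant values that admit outside accounts."""
    problems = []
    for key in ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"):
        if not env.get(key) or env[key].startswith("your-"):
            problems.append(f"{key} is unset or still a placeholder")
    if not GUID_RE.match(env.get("AZURE_CLIENT_ID", "")):
        problems.append("AZURE_CLIENT_ID should be the application (client) ID GUID")
    tenant = env.get("AZURE_TENANT_ID", "")
    if tenant in MULTI_TENANT:
        problems.append(f"AZURE_TENANT_ID={tenant} admits accounts from outside your tenant")
    return problems

def check_authorize_redirect(location, tenant, callback, client_id):
    """Validate the 302 Location from GET /auth/v1/authorize?provider=azure."""
    u = urllib.parse.urlsplit(location)
    q = {k: v[0] for k, v in urllib.parse.parse_qs(u.query).items()}
    problems = []
    if u.netloc != "login.microsoftonline.com":
        problems.append(f"unexpected host {u.netloc!r}")
    if u.path != f"/{tenant}/oauth2/v2.0/authorize":  # GoTrue appends /oauth2/v2.0/authorize to url
        problems.append(f"unexpected path {u.path!r}; check [auth.external.azure].url")
    if q.get("client_id") != client_id:
        problems.append("client_id in redirect does not match AZURE_CLIENT_ID")
    if q.get("redirect_uri") != callback:
        problems.append(f"redirect_uri {q.get('redirect_uri')!r} != registered {callback!r}")
    return problems

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 as HTTPError instead of following it

def probe(base_url, env, callback, anon_key):
    """Live checks against a running stack (assumes the Kong gateway wants an apikey header)."""
    headers, problems = {"apikey": anon_key}, []
    req = urllib.request.Request(f"{base_url}/auth/v1/settings", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        if not json.load(resp).get("external", {}).get("azure"):
            problems.append("auth service reports the azure provider as disabled")
    req = urllib.request.Request(f"{base_url}/auth/v1/authorize?provider=azure", headers=headers)
    try:
        urllib.request.build_opener(_NoRedirect).open(req, timeout=10)
        problems.append("authorize did not redirect to Microsoft")
    except urllib.error.HTTPError as err:
        if err.code in (302, 303):
            problems += check_authorize_redirect(
                err.headers["Location"], env["AZURE_TENANT_ID"], callback, env["AZURE_CLIENT_ID"])
        else:
            problems.append(f"authorize returned HTTP {err.code}")
    return problems

if __name__ == "__main__":  # usage: preflight.py <base-url> <anon-key> [.env.azure]
    base, anon = sys.argv[1].rstrip("/"), sys.argv[2]
    with open(sys.argv[3] if len(sys.argv) > 3 else ".env.azure") as fh:
        cfg = load_dotenv(fh.read())
    callback = base + CALLBACK_PATH
    found = check_env(cfg) + check_redirect_uri(callback) + probe(base, cfg, callback, anon)
    print("\n".join(found) or "all checks passed")
    sys.exit(1 if found else 0)
```

Run it as `python3 preflight.py https://192.168.1.100:54321 "$SUPABASE_ANON_KEY"` from the directory holding `.env.azure`. A reported path containing `/v2.0/oauth2/v2.0/` points at the `url` setting in config.toml, a `redirect_uri` mismatch at the registered redirect URI or the auth service's external URL, and `provider as disabled` at `enabled = false` or a stale container.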

## Troubleshooting

### Azure Provider Not Working

Check logs:

```sh
docker-compose logs auth
```

Verify that the environment variables are loaded inside the container, not only in your shell (note that this prints the client secret to your terminal):

```sh
docker-compose exec auth env | grep AZURE
```

### Redirect URI Mismatch

Ensure the redirect URI registered in Azure exactly matches the one the auth service sends, in scheme, host, port and path:

```
https://<your-host>:<supabase-port>/auth/v1/callback
```

Common mistakes: registering `localhost` while users reach Supabase by its IP address or hostname, and registering `http://` for a non-localhost host, which Entra ID does not accept.

### Environment Variables Not Set

If you see errors about missing AZURE variables, make sure to:

  1. Export them in your shell before running docker-compose (`set -a; source .env.azure; set +a`; a plain `source` does not export)
  2. Or add them to your docker-compose.yml environment section
  3. Or use a .env file in the compose directory, which docker-compose loads automatically

### Docker Compose Environment Variables

You can also add the variables directly to your docker-compose.yml:

```yaml
services:
  auth:
    environment:
      AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
      AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET}
      AZURE_TENANT_ID: ${AZURE_TENANT_ID:-common}
```

Then create a .env file in the same directory:

```sh
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-secret
AZURE_TENANT_ID=common
```

These names are the ones supabase/config.toml references through `env()`. The auth container itself (GoTrue) reads provider settings from variables named `GOTRUE_EXTERNAL_AZURE_ENABLED`, `GOTRUE_EXTERNAL_AZURE_CLIENT_ID`, `GOTRUE_EXTERNAL_AZURE_SECRET`, `GOTRUE_EXTERNAL_AZURE_REDIRECT_URI` and `GOTRUE_EXTERNAL_AZURE_URL`, so if your compose file configures GoTrue directly rather than through config.toml, map the values onto those names.

## Security Notes

  • Never commit .env.azure or .env files with real secrets to git
  • Add them to .gitignore
  • Use environment variable substitution (`env(...)`) in config.toml so that no secret is written into a tracked file
  • Rotate client secrets regularly (before expiration); Entra ID caps a client secret's lifetime at 24 months, and each secret shows its own expiry date in the app registration
  • Restrict sign-in to your own tenant (tenant ID instead of `common`, single-tenant app registration) and keep `skip_nonce_check = false`
  • Monitor sign-in logs in Azure Portal

## Additional Resources