feat: enable microsoft sign ups #20679

Closed
retrogtx wants to merge 86 commits into calcom:main from retrogtx:microsoft-auth

@retrogtx retrogtx commented Apr 13, 2025

What does this PR do?

Enables Microsoft authentication for Cal.com, allowing users to sign up and log in using their Microsoft accounts (Azure AD). This builds upon #16873 by @hbjORbj.

The flow is exactly like Google's except for one case: in Google we add Google Meet as a conferencing tool. However, in Microsoft we don't add a conferencing tool, mainly for two reasons: 1. it requires additional permissions, unlike Google Meet; 2. MS Teams, which is the conferencing tool for Microsoft, is only available for school and org accounts, unlike Meet, which is available for all accounts, be it free or org.

Fixes #27060

Visual Demo:

Microsoft.login.with.onboarding.v3.mov

Key Changes

Authentication:

  • Azure AD OAuth provider via NextAuth
  • New IdentityProvider.AZUREAD enum value with database migration
  • xms_edov claim validation for email domain verification (handles work/school and personal accounts)
  • Proper identity provider mapping for azure-ad provider

UI:

  • "Continue with Microsoft" button on login and signup pages
  • Accessible Microsoft logo SVG with ARIA attributes

Profile Features:

  • Profile photo sync from Microsoft Graph API
  • Office 365 calendar auto-linking for org users during signup

Infrastructure:

  • New environment variables: OUTLOOK_LOGIN_ENABLED, OUTLOOK_API_CREDENTIALS, AZURE_AD_TENANT_ID
  • SSO route handling to map "microsoft" → signIn("azure-ad")
  • Onboarding E2E tests for AZUREAD

Environment Variables

OUTLOOK_LOGIN_ENABLED=false
OUTLOOK_API_CREDENTIALS=   # JSON credentials from Azure portal, the format is something like this {"web":{"client_id":"9b81......","client_secret":"wJT8Q~PH...."}}
AZURE_AD_TENANT_ID=        # Use "common" for multi-tenant

How to Test

  1. Set up Azure AD app in Azure Portal
  2. Configure redirect URI: {WEBAPP_URL}/api/auth/callback/azure-ad
  3. Set environment variables and OUTLOOK_LOGIN_ENABLED=true
  4. Verify the Microsoft button appears and OAuth flow works

@retrogtx retrogtx requested a review from a team as a code owner April 13, 2025 12:04

vercel bot commented Apr 13, 2025

@retrogtx is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added ❗️ migrations contains migration files ❗️ .env changes contains changes to env variables labels Apr 13, 2025
@graphite-app graphite-app bot added the community Created by Linear-GitHub Sync label Apr 13, 2025
@graphite-app graphite-app bot requested a review from a team April 13, 2025 12:04
@keithwillcode keithwillcode added the community-interns The team responsible for reviewing, testing and shipping low/medium community PRs label Apr 13, 2025
@dosubot dosubot bot added the authentication area: authentication, auth, google sign in, password, SAML, password reset, can't log in label Apr 13, 2025

graphite-app bot commented Apr 13, 2025

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (04/13/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add community label" took an action on this PR • (04/13/25)

1 label was added to this PR based on Keith Williams's automation.

@cubic-dev-ai cubic-dev-ai bot left a comment

mrge found 16 issues across 16 files. View them in mrge.io

@devin-ai-integration

Merge Conflict Resolution - Push Failed

I successfully resolved all merge conflicts between microsoft-auth and upstream/main:

Files resolved:

  • packages/lib/constants.ts - Merged new MICROSOFT_CALENDAR_SCOPES constant with upstream's formatting changes
  • apps/web/modules/signup-view.tsx - Merged Microsoft OAuth sign-up feature (Microsoft button, handleOAuthClick, isMicrosoftLoading state, isOutlookLoginEnabled prop) with upstream's accountUnderReview state, region selector, and UI restructuring

Validation passed: Merge commit shows exactly 23 files, matching the original PR file count.

However, I was unable to push the resolved merge to the fork. The DEVIN_ACTIONS_PAT does not have write access to retrogtx/cal.com. Multiple authentication methods were attempted (direct PAT, git-manager proxy, credential store, GIT_ASKPASS) - all returned authentication failures.

The PR author (@retrogtx) will need to resolve the conflicts manually or grant push access to the fork.

@github-actions

Devin AI is resolving merge conflicts

This PR has merge conflicts with the main branch. A Devin session has been created to automatically resolve them.

Devin will:

  1. Merge the latest main into this branch
  2. Resolve any conflicts intelligently
  3. Run lint/type checks to ensure validity
  4. Push the resolved changes

If you prefer to resolve conflicts manually, you can close the Devin session and handle it yourself.

@devin-ai-integration

Merge Conflict Resolution Attempted

I successfully resolved the merge conflicts between the microsoft-auth branch and upstream main, but was unable to push the resolved changes to the fork repository (retrogtx/cal.com).

What was done:

  • Merged upstream/main into the microsoft-auth branch
  • Resolved conflicts in 2 files:
    • packages/lib/constants.ts - Kept the PR's MICROSOFT_CALENDAR_SCOPES addition with upstream's formatting changes
    • apps/web/modules/signup-view.tsx - Integrated the PR's Microsoft auth additions (isOutlookLoginEnabled, isMicrosoftLoading, handleOAuthClick, Microsoft button) with upstream's structural changes (accountUnderReview feature, data region selector, ShieldCheckIcon components)
  • Validation passed: merge commit shows exactly 23 files (matching the original PR)
  • Type check passed (tsc --noEmit for apps/web)
  • Lint check passed (no errors, only pre-existing warnings)

Why push failed:

Authentication failed when attempting to push to the fork repository retrogtx/cal.com. The available credentials do not have write access to this fork.

For the PR author (@retrogtx):

To resolve the conflicts yourself, you can run:

git fetch upstream main
git merge upstream/main

The two conflicts to resolve are:

  1. packages/lib/constants.ts: Keep your MICROSOFT_CALENDAR_SCOPES and use upstream's single-line formatting for DIRECTORY_IDS_TO_LOG and SCANNING_WORKFLOW_STEPS
  2. apps/web/modules/signup-view.tsx: The upstream added accountUnderReview state/UI, data region selector, and changed icons to use named components from @coss/ui/icons. Your Microsoft auth additions need to be integrated into this new structure.

@Ryukemeister Ryukemeister removed Medium priority Created by Linear-GitHub Sync devin-conflict-resolution labels Feb 19, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 1 file (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/web/modules/signup-view.tsx">

<violation number="1">
P3: Use the centralized WEBAPP_URL constant instead of reading process.env.NEXT_PUBLIC_WEBAPP_URL directly so protocol normalization/fallbacks remain consistent.</violation>

<violation number="2">
P2: Microsoft signup entrypoint was removed from the signup UI. The component no longer accepts `isOutlookLoginEnabled` and only renders a Google OAuth button, so users have no way to start a Microsoft/Azure AD signup from this view.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/web/modules/signup-view.tsx">

<violation number="1" location="apps/web/modules/signup-view.tsx:844">
P2: `searchQueryParams.set("email", prepopulateFormValues?.email)` can serialize to `email=undefined` when `token` is present but `prepopulateFormValues` is null, causing a bad login hint in the Microsoft SSO URL. Guard on a defined email before setting the param.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@Ryukemeister Ryukemeister added ready-for-e2e run-ci Approve CI to run for external contributors labels Feb 19, 2026
@Ryukemeister Ryukemeister removed ready-for-e2e run-ci Approve CI to run for external contributors labels Feb 19, 2026
@github-actions

Devin AI is addressing Cubic AI's review feedback

A Devin session has been created to address the issues identified by Cubic AI.

@Ryukemeister Ryukemeister added ready-for-e2e run-ci Approve CI to run for external contributors and removed ready-for-e2e run-ci Approve CI to run for external contributors labels Feb 19, 2026
@Ryukemeister Ryukemeister added ready-for-e2e run-ci Approve CI to run for external contributors labels Feb 19, 2026
clientId: OUTLOOK_CLIENT_ID!,
clientSecret: OUTLOOK_CLIENT_SECRET!,
tenantId: process.env.AZURE_AD_TENANT_ID,
allowDangerousEmailAccountLinking: true,
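
Review bot: `allowDangerousEmailAccountLinking: true` on the last line makes the email returned by Azure AD the only key for attaching this sign-in to an existing account, so it is only as safe as the check that the email is verified. Keep it only if the `xms_edov` validation listed in the description runs before linking and rejects tokens that lack the claim, and add a comment here pointing at that check so the flag is not copied without it.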

is this ok? @Ryukemeister

i'm working on cleaning this up, but yes this is not okay

if you're talking about allowDangerousEmailAccountLinking: true then that is alright because we follow the same approach for GoogleProvider as well
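
An added example, not code from this PR or from Cal.com: one way a sign-in callback could gate email-based account linking on the `xms_edov` claim named in the description, which is the check that matters when `allowDangerousEmailAccountLinking` is on. The function names, the accepted encodings of the claim, the reject-when-unverified policy and the sample claim sets are assumptions.

```typescript
// Added example (not from the PR). `xms_edov` and `email` are the claims the
// page names; function names, accepted encodings, the reject policy and the
// sample claim sets are assumptions constructed for illustration.
type IdTokenClaims = Record<string, unknown>;

type SignInDecision =
  | { action: "link" | "create"; email: string }
  | { action: "reject"; reason: string };

// Assumption: the claim arrives as boolean true or as the string "true"/"1".
function emailDomainOwnerVerified(claims: IdTokenClaims): boolean {
  const v = claims["xms_edov"];
  return v === true || v === "true" || v === "1";
}

function normalizeEmail(value: unknown): string | null {
  if (typeof value !== "string") return null;
  const email = value.trim().toLowerCase();
  // Exactly one "@" with text on both sides and no whitespace.
  return /^[^\s@]+@[^\s@]+$/.test(email) ? email : null;
}

// Decision a sign-in callback would take before any email-based linking.
// `existingEmails` stands in for a lookup in the user table.
function decideSignIn(claims: IdTokenClaims, existingEmails: Set<string>): SignInDecision {
  const email = normalizeEmail(claims["email"]);
  if (email === null) return { action: "reject", reason: "missing-or-malformed-email" };
  // The email claim alone is not proof of ownership, so without xms_edov it
  // must never be used to select an existing account.
  if (!emailDomainOwnerVerified(claims)) {
    return { action: "reject", reason: "email-domain-not-verified" };
  }
  return { action: existingEmails.has(email) ? "link" : "create", email };
}

// Constructed sample data.
const users = new Set<string>(["alice@example.com"]);
const verified: IdTokenClaims = { email: " Alice@Example.com ", xms_edov: true };
const unverified: IdTokenClaims = { email: "alice@example.com" };
const newUser: IdTokenClaims = { email: "bob@example.org", xms_edov: "true" };

for (const claims of [verified, unverified, newUser]) {
  console.log(JSON.stringify(decideSignIn(claims, users)));
}
```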

AzureADProvider({
clientId: OUTLOOK_CLIENT_ID!,
clientSecret: OUTLOOK_CLIENT_SECRET!,
tenantId: process.env.AZURE_AD_TENANT_ID,
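
Review bot: `tenantId: process.env.AZURE_AD_TENANT_ID` on the last line is passed straight through with no validation, while `clientId` and `clientSecret` above it rely on `!` assertions that hide a missing value until the first sign-in. Since the description says "common" selects multi-tenant sign-in, this value widens or narrows who can authenticate; check all three at startup and fail with a clear error, or drop the variable and hard-code the intended tenant if only one value is supported.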

is this a required field? if not, I wouldn't even introduce such an env var

i'm working on cleaning this up, but yes this is not okay

@Ryukemeister Ryukemeister left a comment

think we'll just close this one and go with #28080 instead
