As part of my side project — a cross-platform native mobile app built with .NET MAUI — I’ve been automating identity provider configurations using Terraform. This exploration not only helps streamline app authentication but also provides an opportunity to engage with the Auth0 Terraform provider in depth.

https://registry.terraform.io/providers/auth0/auth0/latest

In my previous article I talked about how I setup the authentication in my .NET Maui application by first configuring a client application on Auth0 using Terraform then using the outputs from that to configure my .NET Maui client application.

Now I’m activating my first consumer-oriented Identity provider: Microsoft Personal Accounts — you know, all those at outlook.com and hotmail.com email addresses.

Unlike the last article, for this I will only be spending time in Terraform. No more application code changes in C# to worry about because now its just a matter of setting up Auth0 with all the identity providers I want to allow users to authenticate with. Those include Microsoft Personal Accounts, Google Accounts, Facebook and Apple for the time being.

Configuring the Identity Provider with Terraform

The process begins with the familiar AzureAD Terraform provider, now known as the Entra ID provider. This is essential for setting up an App Registration specific to Microsoft Personal Accounts.

Step №1: Register the Application in Entra ID

The first Terraform provider I am using will be a familiar one: the AzureAD ahem the Entra ID Terraform provider — also known as azuread. This provider is used to setup an App Registration. The key settings are the sign_in_audience needs to be AzureADandMicrosoftAccount to distinguish it from Business Accounts on regular Entra ID.

resource "azuread_application_registration" "main" {
  display_name = "foo"

  sign_in_audience = "AzureADandPersonalMicrosoftAccount"

}

Step №2: Define Redirect URIs

Another important setting is in the redirect URIs, which is in its own resource block (I prefer it this way) which needs to have a type of Web. Even though the client is basically running on an untrusted client — a “public client”, the Entra ID integration is done through Auth0. Therefore, you can think of this as a computer or device that we do not control — the end users’ personal devices. As a result the client is treated differently, no private or sensitive secrets can be trusted with such devices, but Auth0 takes hold of the client experience and acts as an intermediary with Entra ID.

resource "azuread_application_redirect_uris" "main" {
  application_id = azuread_application_registration.main.id
  type           = "Web"

  redirect_uris = [
    local.auth0_redirect_uri
  ]
}

Step №3: Generate a Client Secret

Lastly we have to generate a client secret using the azuread_application_password . Yes, I know it’s confusing, the azuread Terraform provider calls it a password rather than the client secret but anybody who has worked with AzureAD ahem Entra ID knows that consistent naming conventions are not their strong suit. Many entities have many different names for the same thing. Unfortunately, its a thing.

resource "azuread_application_password" "main" {
  application_id = azuread_application_registration.main.id
}

Step №4: Connecting Entra ID to Auth0

Now that the entra id part is done we can create an auth0_connection resource to connect our Auth0 tenant to Entra ID.

resource "auth0_connection" "microsoft" {
  name     = "microsoft-social"
  strategy = "windowslive"

  options {
    client_id     = azuread_application_registration.main.client_id
    client_secret = azuread_application_password.main.value
    scopes        = ["openid", "profile", "email"]
  }
}

Step №5: Associating the Connection with the Client Application

Finally, we link the Auth0 connection to the client application created in our previous article. This step ensures the .NET MAUI application can use Microsoft Personal Accounts for authentication.

resource "auth0_connection_clients" "microsoft" {
  connection_id = auth0_connection.microsoft.id
  enabled_clients = [
    auth0_client.maui_app.client_id
  ]
}

Conclusion

By using Terraform to integrate Microsoft Personal Accounts with Auth0 and Entra ID, I’ve streamlined the process of adding consumer authentication to my app. This approach scales well as I plan to add more providers like Google, Facebook, and Apple.

With Terraform, managing identity provider configurations becomes a repeatable, version-controlled process that simplifies long-term maintenance and expansion.