Restrict Access with Azure AD (Microsoft)

Azure AD authentication lets you make a status page private and grant access to your employees via their existing Microsoft work accounts. Visitors click Sign in with Microsoft, complete the familiar Microsoft login flow, and land on your status page — no shared password or separate account needed.

This uses the standard OAuth 2.0 / OpenID Connect protocol. You register an application in your Azure AD tenant and paste the credentials into your status page settings.

Prerequisite: Private status pages are available on paid plans. Azure AD authentication is one of the access methods within private mode. See Private Status Pages for an overview of all access methods.

How It Works

1. A visitor arrives at your private status page and sees the gate page
2. They click Sign in with Microsoft
3. Microsoft authenticates them against your specific Azure AD tenant
4. If authentication succeeds and the account belongs to your tenant, they are admitted
5. Their session lasts 1 hour

Only accounts in your Azure AD tenant are accepted — the platform validates the tenant ID in the Microsoft token, so there is no risk of someone from a different organisation signing in.

Prerequisites

• A paid StatusPage.me plan
• Access to your organisation’s Azure Active Directory (typically an Azure AD admin or someone who can register applications)
• Your status page must have Private Mode enabled

Step 1 — Register an Application in Azure AD

1. Sign in to the Azure Portal and go to Azure Active Directory
2. In the left menu, click App registrations → New registration
3. Fill in the registration form:
   • Name: anything descriptive, e.g. StatusPage – Acme Status
   • Supported account types: select Accounts in this organizational directory only (Single tenant)
   • Redirect URI: select Web and enter your redirect URI (see below)
4. Click Register

Redirect URI

The redirect URI must match exactly. Use this format:

https://<your-status-page-url>/auth/azure/callback

Examples:

• https://acme.statuspage.me/auth/azure/callback
• https://status.acme.com/auth/azure/callback (if using a custom domain)

If you use a custom domain, use that domain in the redirect URI, not the default statuspage.me subdomain.

Step 2 — Create a Client Secret

1. In your app registration, go to Certificates & secrets → Client secrets
2. Click New client secret
3. Enter a description and choose an expiry period
4. Click Add
5. Copy the secret value immediately — it is only shown once

Note the secret expiry date. When the secret expires, authentication will stop working. Set a reminder to rotate it before it expires.

Step 3 — Collect Your Credentials

From your app registration you need three values:

Step 4 — Configure in StatusPage.me

1. Go to your status page Settings → Access
2. Make sure Private Status Page is toggled on
3. Click Access Settings
4. Expand Azure AD / Microsoft
5. Toggle Enable Azure AD authentication on
6. Enter your Tenant ID, Application (Client) ID, and Client Secret
7. Click Save Access Settings, then Save Settings

Step 5 — Test the Flow

1. Open your status page in a private/incognito browser window (to avoid using any existing session)
2. You should see the gate page with a Sign in with Microsoft button
3. Click it — you should be redirected to Microsoft login
4. Sign in with a work account that belongs to your Azure AD tenant
5. After authentication, you should land on your status page

If you see an error, see Troubleshooting below.

Combining With Other Methods

Azure AD can be enabled alongside other access methods. A common setup:

• Azure AD for employees working remotely
• IP Allowlist for the office network (employees on-site bypass the login entirely)

Visitors who match any enabled method are admitted. See Private Status Pages — Combining Methods.

Rotating the Client Secret

Azure AD client secrets have an expiry date. To rotate:

1. In Azure Portal, go to your app registration → Certificates & secrets
2. Create a new client secret and copy its value
3. In StatusPage.me, go to Settings → Access → Access Settings → Azure AD
4. Paste the new secret in the Client Secret field (leave blank to keep the existing one)
5. Save
6. Once confirmed working, delete the old secret in Azure Portal

Troubleshooting

“Authentication failed. Please try again.”

The token exchange with Microsoft failed. Common causes:

• The Client Secret is incorrect, has expired, or was not saved
• The Redirect URI in your Azure app registration doesn’t exactly match your status page URL (including https:// and /auth/azure/callback)
• The Azure app registration was deleted or disabled

“Could not verify your account. Ensure you are signing in with the correct Microsoft account.”

Authentication succeeded with Microsoft, but the account belongs to a different Azure AD tenant than the one you configured. Check:

• The Tenant ID in your status page settings matches your organisation’s Azure AD tenant
• The person signing in is using their work account (not a personal Microsoft account)

“OAuth state is invalid or expired. Please try again.”

The sign-in flow took too long (over 10 minutes) or the browser state was lost. This can happen if:

• The visitor has cookies disabled
• They navigated away during the Microsoft login flow

Ask them to try again from the gate page.

“Sign in with Microsoft” button does not appear

• Confirm Azure AD authentication is toggled on in Access Settings and settings are saved
• Confirm Private Status Page is enabled
• Check that all three fields (Tenant ID, Client ID, Client Secret) are filled in

Visitors from my organisation are being rejected

• Verify the Tenant ID is the directory (tenant) ID (a GUID), not the domain name — both formats are supported but confirm which you’ve entered
• Confirm the visitor is signing in with a work/school account in your tenant, not a personal Microsoft account
• Check the Azure app registration is set to single tenant, not multi-tenant

What’s Next?

• Private Status Pages overview →
• Set up a custom domain →
• Status Page Settings overview →