From 94bb7e0761e69a82138f164843e9e9320df07b28 Mon Sep 17 00:00:00 2001
From: Francisca Almeida <francisca.vicente.de.almeida@tecnico.ulisboa.pt>
Date: Tue, 3 Jun 2025 23:07:25 +0100
Subject: [PATCH 1/2] feat: Outlook login support via next-auth (#463)

* add Microsoft environment variables to .env.example and env.ts

* add microsoft.svg image file

* set default value for MICROSOFT_ISSUER in env.ts

* Add Microsoft authentication support and scopes

* Add Microsoft sign-in functionality to LoginForm

* Update README.md with Microsoft authentication setup instructions
---
 README.md                                     | 137 ++++++++++-----
 apps/web/.env.example                         |   4 +
 .../(app)/[emailAccountId]/assistant/page.tsx |   7 +-
 apps/web/app/(landing)/login/LoginForm.tsx    |  53 ++++++
 apps/web/env.ts                               |   3 +
 apps/web/public/images/microsoft.svg          |  35 ++++
 apps/web/utils/auth.ts                        | 166 +++++++++++++-----
 apps/web/utils/microsoft/scopes.ts            |  12 ++
 8 files changed, 328 insertions(+), 89 deletions(-)
 create mode 100644 apps/web/public/images/microsoft.svg
 create mode 100644 apps/web/utils/microsoft/scopes.ts

diff --git a/README.md b/README.md
index a314ef2c0c..e7479f4b01 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ We offer a hosted version of Inbox Zero at [https://getinboxzero.com](https://ge
 
 ### Setup
 
-[Here's a video](https://youtu.be/hVQENQ4WT2Y) on how to set up the project. It covers the same steps mentioned in this document. But goes into greater detail on setting up the external services.
+[Here&#39;s a video](https://youtu.be/hVQENQ4WT2Y) on how to set up the project. It covers the same steps mentioned in this document. But goes into greater detail on setting up the external services.
 
 ### Requirements
 
@@ -125,45 +125,102 @@ Go to [Google Cloud](https://console.cloud.google.com/). Create a new project if
 
 Create [new credentials](https://console.cloud.google.com/apis/credentials):
 
-1.  If the banner shows up, configure **consent screen** (if not, you can do this later)
-    1. Click the banner, then Click `Get Started`.
-    2. Choose a name for your app, and enter your email.
-    3. In Audience, choose `External`
-    4. Enter your contact information
-    5. Agree to the User Data policy and then click `Create`.
-    6. Return to APIs and Services using the left sidebar.
-2.  Create new [credentials](https://console.cloud.google.com/apis/credentials):
-    1. Click the `+Create Credentials` button. Choose OAuth Client ID.
-    2. In `Application Type`, Choose `Web application`
-    3. Choose a name for your web client
-    4. In Authorized JavaScript origins, add a URI and enter `http://localhost:3000`
-    5. In `Authorized redirect URIs` enter `http://localhost:3000/api/auth/callback/google`
-    6. Click `Create`.
-    7. A popup will show up with the new credentials, including the Client ID and secret.
-3.  Update .env file:
-    1. Copy the Client ID to `GOOGLE_CLIENT_ID`
-    2. Copy the Client secret to `GOOGLE_CLIENT_SECRET`
-4.  Update [scopes](https://console.cloud.google.com/auth/scopes)
-
-    1. Go to `Data Access` in the left sidebar (or click link above)
-    2. Click `Add or remove scopes`
-    3. Copy paste the below into the `Manually add scopes` box:
-
-    ```plaintext
-    https://www.googleapis.com/auth/userinfo.profile
-    https://www.googleapis.com/auth/userinfo.email
-    https://www.googleapis.com/auth/gmail.modify
-    https://www.googleapis.com/auth/gmail.settings.basic
-    https://www.googleapis.com/auth/contacts
-    ```
-
-    4. Click `Update`
-    5. Click `Save` in the Data Access page.
-
-5.  Add yourself as a test user
-    1. Go to [Audience](https://console.cloud.google.com/auth/audience)
-    2. In the `Test users` section, click `+Add users`
-    3. Enter your email and press `Save`
+1. If the banner shows up, configure **consent screen** (if not, you can do this later)
+
+   1. Click the banner, then Click `Get Started`.
+   2. Choose a name for your app, and enter your email.
+   3. In Audience, choose `External`
+   4. Enter your contact information
+   5. Agree to the User Data policy and then click `Create`.
+   6. Return to APIs and Services using the left sidebar.
+
+2. Create new [credentials](https://console.cloud.google.com/apis/credentials):
+
+   1. Click the `+Create Credentials` button. Choose OAuth Client ID.
+   2. In `Application Type`, Choose `Web application`
+   3. Choose a name for your web client
+   4. In Authorized JavaScript origins, add a URI and enter `http://localhost:3000`
+   5. In `Authorized redirect URIs` enter `http://localhost:3000/api/auth/callback/google`
+   6. Click `Create`.
+   7. A popup will show up with the new credentials, including the Client ID and secret.
+
+3. Update .env file:
+
+   1. Copy the Client ID to `GOOGLE_CLIENT_ID`
+   2. Copy the Client secret to `GOOGLE_CLIENT_SECRET`
+
+4. Update [scopes](https://console.cloud.google.com/auth/scopes)
+
+   1. Go to `Data Access` in the left sidebar (or click link above)
+   2. Click `Add or remove scopes`
+   3. Copy paste the below into the `Manually add scopes` box:
+
+   ```plaintext
+   https://www.googleapis.com/auth/userinfo.profile
+   https://www.googleapis.com/auth/userinfo.email
+   https://www.googleapis.com/auth/gmail.modify
+   https://www.googleapis.com/auth/gmail.settings.basic
+   https://www.googleapis.com/auth/contacts
+   ```
+
+   4. Click `Update`
+   5. Click `Save` in the Data Access page.
+
+5. Add yourself as a test user
+
+   1. Go to [Audience](https://console.cloud.google.com/auth/audience)
+   2. In the `Test users` section, click `+Add users`
+   3. Enter your email and press `Save`
+
+### Updating .env file with Azure credentials:
+
+- `MICROSOFT_CLIENT_ID` -- Google OAuth client ID. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+- `MICROSOFT_CLIENT_SECRET` -- Google OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+- `MICROSOFT_ISSUER` -- Google OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+
+Go to [Azure Portal](https://portal.azure.com/). Create a new application if necessary.
+
+Create the [application](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade):
+
+1. Register an application in [Azure Portal](https://portal.azure.com/):
+
+1. Go to **Azure Active Directory** > **App registrations** > **New registration**.
+1. Enter a name for your app.
+1. Set **Supported account types** as needed (e.g., "Accounts in any organizational directory and personal Microsoft accounts").
+1. In **Redirect URI**, select "Web" and enter: `http://localhost:3000/api/auth/callback/microsoft-entra-id`
+1. Click **Register**.
+
+1. Configure authentication:
+
+1. In your app registration, go to **Authentication**.
+1. Ensure the redirect URI `http://localhost:3000/api/auth/callback/microsoft-entra-id` is listed.
+1. (Optional) Enable **Access tokens** and **ID tokens**.
+
+1. Create a client secret:
+
+1. Go to **Certificates & secrets** > **New client secret**.
+1. Add a description and set an expiry.
+1. Click **Add** and copy the generated value (you won't see it again).
+
+1. Update your `.env` file:
+
+- Set `MICROSOFT_CLIENT_ID` to the **Application (client) ID** from the app registration overview.
+- Set `MICROSOFT_CLIENT_SECRET` to the value of the client secret you just created.
+- Set `MICROSOFT_ISSUER` to your **Directory (tenant) ID** or use `https://login.microsoftonline.com/common/v2.0` for multi-tenant.
+
+5. Add API permissions:
+
+1. Go to **API permissions** > **Add a permission**.
+1. Choose **Microsoft Graph** > **Delegated permissions**.
+1. Add permissions such as `User.Read`, `Mail.ReadWrite`, `Mail.Send`, `offline_access`, and any others your app requires.
+1. Click **Add permissions**.
+1. (If needed) Click **Grant admin consent**.
+
+1. (Optional) Add yourself as a test user:
+
+- If your app is restricted, ensure your Microsoft account is added as a user in the Azure AD tenant.
+
+For more details, see the [Auth.js Microsoft Entra ID provider docs](https://authjs.dev/getting-started/providers/microsoft-entra-id).
 
 ### Updating .env file with LLM parameters
 
diff --git a/apps/web/.env.example b/apps/web/.env.example
index 13c1504234..f0429650db 100644
--- a/apps/web/.env.example
+++ b/apps/web/.env.example
@@ -10,6 +10,10 @@ GOOGLE_CLIENT_SECRET=
 GOOGLE_ENCRYPT_SECRET= # openssl rand -hex 32
 GOOGLE_ENCRYPT_SALT= # openssl rand -hex 16
 
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=
+MICROSOFT_TENANT_ID=
+
 GOOGLE_PUBSUB_TOPIC_NAME="projects/abc/topics/xyz"
 GOOGLE_PUBSUB_VERIFICATION_TOKEN= # Generate a random secret here: https://generate-secret.vercel.app/32
 
diff --git a/apps/web/app/(app)/[emailAccountId]/assistant/page.tsx b/apps/web/app/(app)/[emailAccountId]/assistant/page.tsx
index c6dead6851..9778e3a813 100644
--- a/apps/web/app/(app)/[emailAccountId]/assistant/page.tsx
+++ b/apps/web/app/(app)/[emailAccountId]/assistant/page.tsx
@@ -28,9 +28,10 @@ export default async function AssistantPage({
       select: { id: true },
     });
 
-    if (!hasRule) {
-      redirect(prefixPath(emailAccountId, "/assistant?onboarding=true"));
-    }
+    // FIXME: redirected too many times
+    // if (!hasRule) {
+    //   redirect(prefixPath(emailAccountId, "/assistant?onboarding=true"));
+    // }
   }
 
   return (
diff --git a/apps/web/app/(landing)/login/LoginForm.tsx b/apps/web/app/(landing)/login/LoginForm.tsx
index b32da98191..6f106bd07d 100644
--- a/apps/web/app/(landing)/login/LoginForm.tsx
+++ b/apps/web/app/(landing)/login/LoginForm.tsx
@@ -75,6 +75,59 @@ export function LoginForm() {
         </DialogContent>
       </Dialog>
 
+      {/* TODO: Check the best way to filter for the waitlist users */}
+      <Dialog>
+        <DialogTrigger asChild>
+          <Button size="2xl">
+            <span className="flex items-center justify-center">
+              <Image
+                src="/images/microsoft.svg"
+                alt=""
+                width={24}
+                height={24}
+                unoptimized
+              />
+              <span className="ml-2">Sign in with Microsoft</span>
+            </span>
+          </Button>
+        </DialogTrigger>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>Sign in</DialogTitle>
+          </DialogHeader>
+          <SectionDescription>
+            Inbox Zero{"'"}s use and transfer of information received from
+            Microsoft Entra ID will adhere to{" "}
+            <a
+              href="https://learn.microsoft.com/en-us/legal/microsoft-entra-privacy"
+              className="underline underline-offset-4 hover:text-gray-900"
+            >
+              Microsoft Entra Privacy Policy
+            </a>{" "}
+            and other applicable requirements.
+          </SectionDescription>
+          <div>
+            <Button
+              loading={loading}
+              onClick={() => {
+                setLoading(true);
+                signIn(
+                  "microsoft-entra-id",
+                  {
+                    ...(next && next.length > 0
+                      ? { callbackUrl: next }
+                      : { callbackUrl: "/welcome" }),
+                  },
+                  error === "RequiresReconsent" ? { consent: true } : undefined,
+                );
+              }}
+            >
+              I agree
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
+
       <Button
         color="white"
         size="2xl"
diff --git a/apps/web/env.ts b/apps/web/env.ts
index 6618adc7f4..dfae4a8340 100644
--- a/apps/web/env.ts
+++ b/apps/web/env.ts
@@ -12,6 +12,9 @@ export const env = createEnv({
     GOOGLE_CLIENT_SECRET: z.string().min(1),
     GOOGLE_ENCRYPT_SECRET: z.string(),
     GOOGLE_ENCRYPT_SALT: z.string(),
+    MICROSOFT_CLIENT_ID: z.string().min(1),
+    MICROSOFT_CLIENT_SECRET: z.string().min(1),
+    MICROSOFT_ISSUER: z.string().default("common"),
     DEFAULT_LLM_PROVIDER: z
       .enum([
         "anthropic",
diff --git a/apps/web/public/images/microsoft.svg b/apps/web/public/images/microsoft.svg
new file mode 100644
index 0000000000..586f39ffb5
--- /dev/null
+++ b/apps/web/public/images/microsoft.svg
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Generator: Adobe Illustrator 23.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Livello_1" xmlns:x="http://ns.adobe.com/Extensibility/1.0/" xmlns:i="http://ns.adobe.com/AdobeIllustrator/10.0/" xmlns:graph="http://ns.adobe.com/Graphs/1.0/" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 1831.085 1703.335" enable-background="new 0 0 1831.085 1703.335" xml:space="preserve">
+<path fill="#0A2767" d="M1831.083,894.25c0.1-14.318-7.298-27.644-19.503-35.131h-0.213l-0.767-0.426l-634.492-375.585  c-2.74-1.851-5.583-3.543-8.517-5.067c-24.498-12.639-53.599-12.639-78.098,0c-2.934,1.525-5.777,3.216-8.517,5.067L446.486,858.693  l-0.766,0.426c-19.392,12.059-25.337,37.556-13.278,56.948c3.553,5.714,8.447,10.474,14.257,13.868l634.492,375.585  c2.749,1.835,5.592,3.527,8.517,5.068c24.498,12.639,53.599,12.639,78.098,0c2.925-1.541,5.767-3.232,8.517-5.068l634.492-375.585  C1823.49,922.545,1831.228,908.923,1831.083,894.25z"/>
+<path fill="#0364B8" d="M520.453,643.477h416.38v381.674h-416.38V643.477z M1745.917,255.5V80.908  c1-43.652-33.552-79.862-77.203-80.908H588.204C544.552,1.046,510,37.256,511,80.908V255.5l638.75,170.333L1745.917,255.5z"/>
+<path fill="#0078D4" d="M511,255.5h425.833v383.25H511V255.5z"/>
+<path fill="#28A8EA" d="M1362.667,255.5H936.833v383.25L1362.667,1022h383.25V638.75L1362.667,255.5z"/>
+<path fill="#0078D4" d="M936.833,638.75h425.833V1022H936.833V638.75z"/>
+<path fill="#0364B8" d="M936.833,1022h425.833v383.25H936.833V1022z"/>
+<path fill="#14447D" d="M520.453,1025.151h416.38v346.969h-416.38V1025.151z"/>
+<path fill="#0078D4" d="M1362.667,1022h383.25v383.25h-383.25V1022z"/>
+<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="1128.4584" y1="811.0833" x2="1128.4584" y2="1.9982" gradientTransform="matrix(1 0 0 -1 0 1705.3334)">
+	<stop offset="0" style="stop-color:#35B8F1"/>
+	<stop offset="1" style="stop-color:#28A8EA"/>
+</linearGradient>
+<path fill="url(#SVGID_1_)" d="M1811.58,927.593l-0.809,0.426l-634.492,356.848c-2.768,1.703-5.578,3.321-8.517,4.769  c-10.777,5.132-22.481,8.029-34.407,8.517l-34.663-20.27c-2.929-1.47-5.773-3.105-8.517-4.897L447.167,906.003h-0.298  l-21.036-11.753v722.384c0.328,48.196,39.653,87.006,87.849,86.7h1230.914c0.724,0,1.363-0.341,2.129-0.341  c10.18-0.651,20.216-2.745,29.808-6.217c4.145-1.756,8.146-3.835,11.966-6.217c2.853-1.618,7.75-5.152,7.75-5.152  c21.814-16.142,34.726-41.635,34.833-68.772V894.25C1831.068,908.067,1823.616,920.807,1811.58,927.593z"/>
+<path opacity="0.5" fill="#0A2767" enable-background="new    " d="M1797.017,891.397v44.287l-663.448,456.791L446.699,906.301  c0-0.235-0.191-0.426-0.426-0.426l0,0l-63.023-37.899v-31.938l25.976-0.426l54.932,31.512l1.277,0.426l4.684,2.981  c0,0,645.563,368.346,647.267,369.197l24.698,14.478c2.129-0.852,4.258-1.703,6.813-2.555  c1.278-0.852,640.879-360.681,640.879-360.681L1797.017,891.397z"/>
+<path fill="#1490DF" d="M1811.58,927.593l-0.809,0.468l-634.492,356.848c-2.768,1.703-5.578,3.321-8.517,4.769  c-24.641,12.038-53.457,12.038-78.098,0c-2.918-1.445-5.76-3.037-8.517-4.769L446.657,928.061l-0.766-0.468  c-12.25-6.642-19.93-19.409-20.057-33.343v722.384c0.305,48.188,39.616,87.004,87.803,86.7c0.001,0,0.002,0,0.004,0h1229.636  c48.188,0.307,87.5-38.509,87.807-86.696c0-0.001,0-0.002,0-0.004V894.25C1831.068,908.067,1823.616,920.807,1811.58,927.593z"/>
+<path opacity="0.1" enable-background="new    " d="M1185.52,1279.629l-9.496,5.323c-2.752,1.752-5.595,3.359-8.517,4.812  c-10.462,5.135-21.838,8.146-33.47,8.857l241.405,285.479l421.107,101.476c11.539-8.716,20.717-20.178,26.7-33.343L1185.52,1279.629  z"/>
+<path opacity="0.05" enable-background="new    " d="M1228.529,1255.442l-52.505,29.51c-2.752,1.752-5.595,3.359-8.517,4.812  c-10.462,5.135-21.838,8.146-33.47,8.857l113.101,311.838l549.538,74.989c21.649-16.254,34.394-41.743,34.407-68.815v-9.326  L1228.529,1255.442z"/>
+<path fill="#28A8EA" d="M514.833,1703.333h1228.316c18.901,0.096,37.335-5.874,52.59-17.033l-697.089-408.331  c-2.929-1.47-5.773-3.105-8.517-4.897L447.125,906.088h-0.298l-20.993-11.838v719.914  C425.786,1663.364,465.632,1703.286,514.833,1703.333C514.832,1703.333,514.832,1703.333,514.833,1703.333z"/>
+<path opacity="0.1" enable-background="new    " d="M1022,418.722v908.303c-0.076,31.846-19.44,60.471-48.971,72.392  c-9.148,3.931-19,5.96-28.957,5.962H425.833V383.25H511v-42.583h433.073C987.092,340.83,1021.907,375.702,1022,418.722z"/>
+<path opacity="0.2" enable-background="new    " d="M979.417,461.305v908.302c0.107,10.287-2.074,20.469-6.388,29.808  c-11.826,29.149-40.083,48.273-71.54,48.417H425.833V383.25h475.656c12.356-0.124,24.533,2.958,35.344,8.943  C962.937,405.344,979.407,432.076,979.417,461.305z"/>
+<path opacity="0.2" enable-background="new    " d="M979.417,461.305v823.136c-0.208,43-34.928,77.853-77.927,78.225H425.833V383.25  h475.656c12.356-0.124,24.533,2.958,35.344,8.943C962.937,405.344,979.407,432.076,979.417,461.305z"/>
+<path opacity="0.2" enable-background="new    " d="M936.833,461.305v823.136c-0.046,43.067-34.861,78.015-77.927,78.225H425.833  V383.25h433.072c43.062,0.023,77.951,34.951,77.927,78.013C936.833,461.277,936.833,461.291,936.833,461.305z"/>
+<linearGradient id="SVGID_2_" gradientUnits="userSpaceOnUse" x1="162.7469" y1="1383.0741" x2="774.0864" y2="324.2592" gradientTransform="matrix(1 0 0 -1 0 1705.3334)">
+	<stop offset="0" style="stop-color:#1784D9"/>
+	<stop offset="0.5" style="stop-color:#107AD5"/>
+	<stop offset="1" style="stop-color:#0A63C9"/>
+</linearGradient>
+<path fill="url(#SVGID_2_)" d="M78.055,383.25h780.723c43.109,0,78.055,34.947,78.055,78.055v780.723  c0,43.109-34.946,78.055-78.055,78.055H78.055c-43.109,0-78.055-34.947-78.055-78.055V461.305  C0,418.197,34.947,383.25,78.055,383.25z"/>
+<path fill="#FFFFFF" d="M243.96,710.631c19.238-40.988,50.29-75.289,89.17-98.495c43.057-24.651,92.081-36.94,141.675-35.515  c45.965-0.997,91.321,10.655,131.114,33.683c37.414,22.312,67.547,55.004,86.742,94.109c20.904,43.09,31.322,90.512,30.405,138.396  c1.013,50.043-9.706,99.628-31.299,144.783c-19.652,40.503-50.741,74.36-89.425,97.388c-41.327,23.734-88.367,35.692-136.011,34.578  c-46.947,1.133-93.303-10.651-134.01-34.067c-37.738-22.341-68.249-55.07-87.892-94.28c-21.028-42.467-31.57-89.355-30.745-136.735  C212.808,804.859,223.158,755.686,243.96,710.631z M339.006,941.858c10.257,25.912,27.651,48.385,50.163,64.812  c22.93,16.026,50.387,24.294,78.353,23.591c29.783,1.178,59.14-7.372,83.634-24.358c22.227-16.375,39.164-38.909,48.715-64.812  c10.677-28.928,15.946-59.572,15.543-90.404c0.33-31.127-4.623-62.084-14.649-91.554c-8.855-26.607-25.246-50.069-47.182-67.537  c-23.88-17.79-53.158-26.813-82.91-25.55c-28.572-0.74-56.644,7.593-80.184,23.804c-22.893,16.496-40.617,39.168-51.1,65.365  c-23.255,60.049-23.376,126.595-0.341,186.728L339.006,941.858z"/>
+<path fill="#50D9FF" d="M1362.667,255.5h383.25v383.25h-383.25V255.5z"/>
+</svg>
\ No newline at end of file
diff --git a/apps/web/utils/auth.ts b/apps/web/utils/auth.ts
index 5c5860c6eb..4f02dd63a8 100644
--- a/apps/web/utils/auth.ts
+++ b/apps/web/utils/auth.ts
@@ -4,13 +4,15 @@ import type { Prisma } from "@prisma/client";
 import type { NextAuthConfig, DefaultSession } from "next-auth";
 import type { JWT } from "@auth/core/jwt";
 import GoogleProvider from "next-auth/providers/google";
+import MicrosoftProvider from "next-auth/providers/microsoft-entra-id";
 import { createContact as createLoopsContact } from "@inboxzero/loops";
 import { createContact as createResendContact } from "@inboxzero/resend";
 import prisma from "@/utils/prisma";
 import { env } from "@/env";
 import { captureException } from "@/utils/error";
 import { createScopedLogger } from "@/utils/logger";
-import { SCOPES } from "@/utils/gmail/scopes";
+import { SCOPES as GOOGLE_SCOPES } from "@/utils/gmail/scopes";
+import { SCOPES as MICROSOFT_SCOPES } from "@/utils/microsoft/scopes";
 import { getContactsClient } from "@/utils/gmail/client";
 import { encryptToken } from "@/utils/encryption";
 import { updateAccountSeats } from "@/utils/premium/server";
@@ -28,7 +30,7 @@ export const getAuthOptions: (options?: {
       authorization: {
         url: "https://accounts.google.com/o/oauth2/v2/auth",
         params: {
-          scope: SCOPES.join(" "),
+          scope: GOOGLE_SCOPES.join(" "),
           access_type: "offline",
           response_type: "code",
           prompt: "consent",
@@ -40,6 +42,17 @@ export const getAuthOptions: (options?: {
         },
       },
     }),
+    MicrosoftProvider({
+      clientId: env.MICROSOFT_CLIENT_ID,
+      clientSecret: env.MICROSOFT_CLIENT_SECRET,
+      issuer: `https://login.microsoftonline.com/${env.MICROSOFT_ISSUER}/v2.0`,
+      authorization: {
+        // https://learn.microsoft.com/en-us/graph/permissions-overview
+        params: {
+          scope: MICROSOFT_SCOPES.join(" "),
+        },
+      },
+    }),
   ],
   // logger: {
   //   error: (error) => {
@@ -69,44 +82,78 @@ export const getAuthOptions: (options?: {
       try {
         // --- Step 1: Fetch Profile Info using Access Token ---
         if (data.access_token) {
-          const contactsClient = getContactsClient({
-            accessToken: data.access_token,
-          });
-          try {
-            const profileResponse = await contactsClient.people.get({
-              resourceName: "people/me",
-              personFields: "emailAddresses,names,photos",
+          if (data.provider === "google") {
+            const contactsClient = getContactsClient({
+              accessToken: data.access_token,
             });
-
-            primaryEmail = profileResponse.data.emailAddresses
-              ?.find((e) => e.metadata?.primary)
-              ?.value?.toLowerCase();
-            primaryName = profileResponse.data.names?.find(
-              (n) => n.metadata?.primary,
-            )?.displayName;
-            primaryPhotoUrl = profileResponse.data.photos?.find(
-              (p) => p.metadata?.primary,
-            )?.url;
-          } catch (profileError) {
-            logger.error("[linkAccount] Error fetching profile info:", {
-              profileError,
+            try {
+              const profileResponse = await contactsClient.people.get({
+                resourceName: "people/me",
+                personFields: "emailAddresses,names,photos",
+              });
+
+              primaryEmail = profileResponse.data.emailAddresses
+                ?.find((e) => e.metadata?.primary)
+                ?.value?.toLowerCase();
+              primaryName = profileResponse.data.names?.find(
+                (n) => n.metadata?.primary,
+              )?.displayName;
+              primaryPhotoUrl = profileResponse.data.photos?.find(
+                (p) => p.metadata?.primary,
+              )?.url;
+            } catch (profileError) {
+              logger.error(
+                "[linkAccount] Error fetching Google profile info:",
+                {
+                  profileError,
+                },
+              );
+              throw new Error("Failed to fetch Google profile info.");
+            }
+          } else if (data.provider === "microsoft-entra-id") {
+            // Use Microsoft Graph API to fetch profile
+            try {
+              const response = await fetch(
+                "https://graph.microsoft.com/v1.0/me",
+                {
+                  headers: {
+                    Authorization: `Bearer ${data.access_token}`,
+                  },
+                },
+              );
+              const profile = await response.json();
+              if (!response.ok)
+                throw new Error("Failed to fetch Microsoft profile");
+
+              primaryEmail =
+                profile.mail?.toLowerCase() ||
+                profile.userPrincipalName?.toLowerCase();
+              primaryName = profile.displayName;
+              primaryPhotoUrl = profile.photo
+                ? `https://graph.microsoft.com/v1.0/me/photo/$value`
+                : null;
+            } catch (profileError) {
+              logger.error(
+                "[linkAccount] Error fetching Microsoft profile info:",
+                {
+                  profileError,
+                },
+              );
+              throw new Error("Failed to fetch Microsoft profile info.");
+            }
+          } else {
+            logger.error("[linkAccount] Unsupported provider:", {
+              provider: data.provider,
             });
-            // Decide if this is fatal. Probably should be.
-            throw new Error(
-              "Failed to fetch profile info for linking account.",
-            );
+            throw new Error("Unsupported provider.");
           }
         } else {
-          logger.error(
-            "[linkAccount] No access_token found in data, cannot fetch profile.",
-          );
+          logger.error("[linkAccount] No access_token found in data.");
           throw new Error("Missing access token during account linking.");
         }
 
         if (!primaryEmail) {
-          logger.error(
-            "[linkAccount] Primary email could not be determined from profile.",
-          );
+          logger.error("[linkAccount] Primary email could not be determined.");
           throw new Error("Primary email not found for linked account.");
         }
 
@@ -175,6 +222,7 @@ export const getAuthOptions: (options?: {
               expires_at: calculateExpiresAt(
                 account.expires_in as number | undefined,
               ),
+              provider: account.provider,
             },
             accountRefreshToken: account.refresh_token,
             providerAccountId: account.providerAccountId,
@@ -185,7 +233,7 @@ export const getAuthOptions: (options?: {
             where: {
               provider_providerAccountId: {
                 providerAccountId: account.providerAccountId,
-                provider: "google",
+                provider: account.provider, // Suport for multiple providers; e.g. google, microsoft-entra-id
               },
             },
             select: { refresh_token: true },
@@ -310,11 +358,15 @@ export const authOptions = getAuthOptions();
  */
 const refreshAccessToken = async (token: JWT): Promise<JWT> => {
   const account = await prisma.account.findFirst({
-    where: { userId: token.sub as string, provider: "google" },
+    where: {
+      userId: token.sub as string,
+      provider: token.provider || "google",
+    },
     select: {
       userId: true,
       refresh_token: true,
       providerAccountId: true,
+      provider: true,
     },
   });
 
@@ -338,21 +390,41 @@ const refreshAccessToken = async (token: JWT): Promise<JWT> => {
   logger.info("Refreshing access token", { email: token.email });
 
   try {
-    const response = await fetch("https://oauth2.googleapis.com/token", {
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        client_id: env.GOOGLE_CLIENT_ID,
-        client_secret: env.GOOGLE_CLIENT_SECRET,
-        grant_type: "refresh_token",
-        refresh_token: account.refresh_token,
-      }),
-      method: "POST",
-    });
+    let response;
+    if (account.provider === "google") {
+      response = await fetch("https://oauth2.googleapis.com/token", {
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          client_id: env.GOOGLE_CLIENT_ID,
+          client_secret: env.GOOGLE_CLIENT_SECRET,
+          grant_type: "refresh_token",
+          refresh_token: account.refresh_token,
+        }),
+        method: "POST",
+      });
+    } else if (account.provider === "microsoft-entra-id") {
+      response = await fetch(
+        `https://login.microsoftonline.com/${env.MICROSOFT_ISSUER}/oauth2/v2.0/token`,
+        {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            client_id: env.MICROSOFT_CLIENT_ID,
+            client_secret: env.MICROSOFT_CLIENT_SECRET,
+            grant_type: "refresh_token",
+            refresh_token: account.refresh_token,
+            scope: MICROSOFT_SCOPES.join(" "),
+          }),
+          method: "POST",
+        },
+      );
+    } else {
+      throw new Error("Unsupported provider for token refresh");
+    }
 
     const tokens: {
       expires_in: number;
       access_token: string;
-      refresh_token: string;
+      refresh_token?: string;
     } = await response.json();
 
     if (!response.ok) throw tokens;
@@ -409,6 +481,7 @@ export async function saveTokens({
     access_token?: string;
     refresh_token?: string;
     expires_at?: number;
+    provider?: string; // e.g. google, microsoft-entra-id
   };
   accountRefreshToken: string | null;
 } & ( // provide one of these:
@@ -435,6 +508,7 @@ export async function saveTokens({
     access_token: tokens.access_token,
     expires_at: tokens.expires_at,
     refresh_token: refreshToken,
+    provider: tokens.provider || "google", // Default to google if not provided
   };
 
   if (emailAccountId) {
@@ -464,7 +538,7 @@ export async function saveTokens({
     return await prisma.account.update({
       where: {
         provider_providerAccountId: {
-          provider: "google",
+          provider: data.provider || "google",
           providerAccountId,
         },
       },
diff --git a/apps/web/utils/microsoft/scopes.ts b/apps/web/utils/microsoft/scopes.ts
new file mode 100644
index 0000000000..fc324df27e
--- /dev/null
+++ b/apps/web/utils/microsoft/scopes.ts
@@ -0,0 +1,12 @@
+import { env } from "@/env";
+
+export const SCOPES = [
+  "openid",
+  "profile",
+  "email",
+  "User.Read",
+  "offline_access",
+  "Mail.ReadWrite",
+  "MailboxSettings.ReadWrite",
+  ...(env.NEXT_PUBLIC_CONTACTS_ENABLED ? ["Contacts.ReadWrite"] : []),
+];

From d34b91545048e1dd884bd683f0180ad7a4008b7c Mon Sep 17 00:00:00 2001
From: Guilherme Filipe <guilherme.filipe@tecnico.ulisboa.pt>
Date: Fri, 6 Jun 2025 03:39:57 +0100
Subject: [PATCH 2/2] fix: overlooked outlook-related dependencies

---
 apps/web/env.ts                                 | 6 +++---
 apps/web/package.json                           | 1 +
 apps/web/utils/auth.ts                          | 2 +-
 apps/web/utils/{microsoft => outlook}/scopes.ts | 4 ++++
 4 files changed, 9 insertions(+), 4 deletions(-)
 rename apps/web/utils/{microsoft => outlook}/scopes.ts (77%)

diff --git a/apps/web/env.ts b/apps/web/env.ts
index dfae4a8340..f0e6bf2a7c 100644
--- a/apps/web/env.ts
+++ b/apps/web/env.ts
@@ -8,13 +8,13 @@ export const env = createEnv({
     DATABASE_URL: z.string().url(),
     NEXTAUTH_SECRET: z.string().min(1),
     NEXTAUTH_URL: z.string().optional(),
+    MICROSOFT_CLIENT_ID: z.string().min(1),
+    MICROSOFT_CLIENT_SECRET: z.string().min(1),
+    MICROSOFT_ISSUER: z.string().default("common"),
     GOOGLE_CLIENT_ID: z.string().min(1),
     GOOGLE_CLIENT_SECRET: z.string().min(1),
     GOOGLE_ENCRYPT_SECRET: z.string(),
     GOOGLE_ENCRYPT_SALT: z.string(),
-    MICROSOFT_CLIENT_ID: z.string().min(1),
-    MICROSOFT_CLIENT_SECRET: z.string().min(1),
-    MICROSOFT_ISSUER: z.string().default("common"),
     DEFAULT_LLM_PROVIDER: z
       .enum([
         "anthropic",
diff --git a/apps/web/package.json b/apps/web/package.json
index 166cceecfe..625369b92a 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -34,6 +34,7 @@
     "@lemonsqueezy/lemonsqueezy.js": "4.0.0",
     "@mdx-js/loader": "3.1.0",
     "@mdx-js/react": "3.1.0",
+    "@microsoft/microsoft-graph-client": "^3.0.7",
     "@next/mdx": "15.3.0",
     "@next/third-parties": "15.3.0",
     "@openrouter/ai-sdk-provider": "0.4.5",
diff --git a/apps/web/utils/auth.ts b/apps/web/utils/auth.ts
index 4f02dd63a8..6c88a6f173 100644
--- a/apps/web/utils/auth.ts
+++ b/apps/web/utils/auth.ts
@@ -12,7 +12,7 @@ import { env } from "@/env";
 import { captureException } from "@/utils/error";
 import { createScopedLogger } from "@/utils/logger";
 import { SCOPES as GOOGLE_SCOPES } from "@/utils/gmail/scopes";
-import { SCOPES as MICROSOFT_SCOPES } from "@/utils/microsoft/scopes";
+import { SCOPES as MICROSOFT_SCOPES } from "@/utils/outlook/scopes";
 import { getContactsClient } from "@/utils/gmail/client";
 import { encryptToken } from "@/utils/encryption";
 import { updateAccountSeats } from "@/utils/premium/server";
diff --git a/apps/web/utils/microsoft/scopes.ts b/apps/web/utils/outlook/scopes.ts
similarity index 77%
rename from apps/web/utils/microsoft/scopes.ts
rename to apps/web/utils/outlook/scopes.ts
index fc324df27e..9f981807a8 100644
--- a/apps/web/utils/microsoft/scopes.ts
+++ b/apps/web/utils/outlook/scopes.ts
@@ -7,6 +7,10 @@ export const SCOPES = [
   "User.Read",
   "offline_access",
   "Mail.ReadWrite",
+  "Mail.Send",
+  "Mail.ReadBasic",
+  "Mail.Read",
+  "Mail.ReadBasic.All",
   "MailboxSettings.ReadWrite",
   ...(env.NEXT_PUBLIC_CONTACTS_ENABLED ? ["Contacts.ReadWrite"] : []),
 ];