Secure Multi-User Microsoft Auth for Automation Workflows

After spending considerable time exploring automation platforms and the challenges they face with Microsoft 365 integrations, we've developed a solution that addresses one of the most persistent pain points in the automation space: multi-user credential management.

MS Auto Auth 365, a self-hosted application that fundamentally changes how organisations approach automation workflows involving Microsoft services.

What the Application Does

At its core, this platform serves as a centralised authentication hub for Microsoft 365 services, designed specifically to solve the token management challenges that plague modern automation workflows.

The application handles OAuth token lifecycle management for multiple users across your organisation, providing a secure API that automation tools can leverage without requiring individual credential setup for each workflow. Rather than storing Microsoft credentials directly in tools like n8n, Make or Zapier, your automation workflows connect to this central platform to retrieve fresh, valid tokens as needed.

Here's what makes it particularly clever: the platform manages tokens for both Microsoft Graph API and SharePoint API access, with configurable scopes defined in the .env.example file:

# Microsoft Graph scopes
MS_GRAPH_SCOPES=openid,offline_access,profile,email,User.Read,Mail.Read,Mail.Send,Calendars.Read,Chat.ReadWrite,ChatMessage.Send,OnlineMeetings.Read,OnlineMeetingTranscript.Read.All,Chat.ReadWrite.All,Files.Read.All,Sites.Read.All

# SharePoint scopes  
MS_SHAREPOINT_SCOPES=AllSites.Read,MyFiles.Read,Sites.Search.All,Sites.Selected,User.Read.All

The system automatically handles token refresh cycles, ensuring your automation workflows never fail due to expired credentials—a common frustration point I've encountered with direct OAuth integrations.

Intended Purpose

The problem this platform solves is both common and significant: enabling secure, scalable multi-user Microsoft 365 automation without the complexity of individual credential management.

Traditional automation setups face several critical limitations:

Limited User Context: Automations typically run under a single service account, losing the ability to act on behalf of specific users
Maintenance Overhead: Tokens expire, credentials change, and manual intervention becomes a constant requirement
Security Risks: Storing individual user credentials across multiple automation platforms creates security vulnerabilities
Scalability Issues: Adding new users or workflows becomes increasingly complex as your automation ecosystem grows

This platform transforms that paradigm entirely. As detailed in the README.md, it provides:

"A centralised, secure hub for managing OAuth tokens across your organisation. Users authenticate once through standard Microsoft OAuth flows, and automation tools access these tokens via a secure API."

The architecture creates a robust Express.js server that handles the complex OAuth flows while exposing a simple, secure API for your automation tools to consume.

Key Features

User Management & Role-Based Access Control

The system implements a sophisticated RBAC model supporting two primary roles:

Admin Role: Full system access, user management capabilities, and unrestricted API access
User Role: Access to personal tokens and controlled API permissions

The first user to authenticate automatically receives admin privileges.

API Access

When you purchase the platform, you're getting access to a production-ready REST API designed specifically for automation workflows. Here's what your tools can access:

Core Token Retrieval API

GET /api/external/tokens

This is the heart of the system, your automation tools call this endpoint to retrieve fresh, valid Microsoft tokens for any user in your organisation.

Key Features:

Returns encrypted access tokens for all connected Microsoft accounts
Role-based filtering (regular users see only their tokens, admins see everything)
Automatic token refresh handling—you never get expired tokens
Support for both Microsoft Graph and SharePoint APIs

Query Parameters:

# Filter by specific user (admin only)
?userId=user-123

# Filter by email address (admin only)  
?email=john@company.com

# Get tokens for specific account
?accountId=account-456

Example Response:

{
  "accounts": [
    {
      "id": "account-id",
      "userId": "user-id", 
      "provider": "microsoft",
      "tenantId": "your-tenant",
      "accessToken": {
        "type": "Buffer",
        "data": [/* encrypted token data */]
      },
      "refreshToken": {
        "type": "Buffer", 
        "data": [/* encrypted refresh token */]
      },
      "expiresAt": "2024-01-01T00:00:00Z",
      "scope": ["User.Read", "Mail.Send", "..."],
      "status": "ACTIVE"
    }
  ]
}

The beauty of this approach; Your automation workflows never need to worry about token expiry, refresh cycles, or OAuth complexity. They just call this endpoint and get working tokens.

Token Decryption Integration

The platform returns encrypted tokens for security. If you self-host n8n, we recommend adding your token encryption key as an environment variable in your n8n stack. Here's how to integrate with n8n:

N8N Integration Example

To decrypt tokens, use the following code snippet in a code node:

const crypto = require('crypto');

// TOKEN_KEY (same as in your .env file)
const TOKEN_KEY = '<your-encryption-key>';

// Generate encryption key from TOKEN_KEY
const encryptionKey = crypto.createHash('sha256').update(TOKEN_KEY).digest();

// Store results
let results = [];

for (const item of items) {
  const accounts = item.json.accounts || [];
  
  for (const account of accounts) {
    try {
      // Ensure the accessToken and its data are defined
      if (!account.accessToken?.data || !Array.isArray(account.accessToken.data)) continue;

      // Create buffer from token data
      const encryptedBuffer = Buffer.from(account.accessToken.data);

      // Extract IV and encrypted content
      const iv = encryptedBuffer.slice(0, 16);
      const encryptedContent = encryptedBuffer.slice(16);

      // Decrypt the token
      const decipher = crypto.createDecipheriv('aes-256-cbc', encryptionKey, iv);
      let decryptedToken = decipher.update(encryptedContent, null, 'utf8');
      decryptedToken += decipher.final('utf8');

      // Add to results
      results.push({
        json: {
          accessToken: decryptedToken,
          userId: account.userId,
          provider: account.provider,
          tenantId: account.tenantId,
        }
      });
    } catch (error) {
      // Optionally push error details for debugging
      results.push({
        json: {
          error: `Failed to decrypt token for provider ${account.provider}`,
          details: error.message
        }
      });
    }
  }
}

return results;

Token Lifecycle Management

Perhaps the most sophisticated aspect is the automatic token refresh system. The system implements a comprehensive refresh mechanism that:

Monitors token expiration with configurable buffer periods
Automatically refreshes tokens using stored refresh tokens
Updates token status in the database
Handles refresh failures gracefully with appropriate error states

The cron job system in the system ensures tokens are refreshed every 45 minutes, preventing expiration-related failures.

Multi-Tenant Support

The platform elegantly handles multiple SharePoint and Microsoft 365 tenants through a dynamic scope generation system.

Security Model

The security implementation is particularly impressive, employing multiple layers of protection across the entire stack.

Frontend Security

The Next.js frontend implements several robust security measures to ensure safe and reliable interaction with the platform:

Microsoft OAuth Sign-In
Users authenticate via Microsoft’s secure OAuth 2.0 flow. This ensures that all login activity occurs through Microsoft’s identity platform, which provides built-in protections like multi-factor authentication (MFA), conditional access policies, and suspicious sign-in detection.
Upon successful login, a short-lived access token and refresh token are issued and securely stored by the backend.
Session Management via Secure Cookies
All authentication cookies are flagged as HttpOnly, Secure, and SameSite=Strict, and are transmitted exclusively over HTTPS. This ensures tokens are inaccessible to JavaScript, protected from interception, and bound to same-site requests only.
CSRF Protection
The frontend uses the csrf-fetch utility to automatically handle CSRF tokens for all state-changing requests. This ensures that only requests originating from the app’s own UI are accepted by the backend, preventing malicious third-party request injection.
Input Validation
All user inputs on the frontend are validated before being sent to the backend using a strict schema-based approach. This prevents malformed or malicious payloads from reaching the server, enhancing both security and data integrity.
Domain Enforcement
The frontend only permits sign-ins from users associated with approved Microsoft tenants or email domains (e.g. @company.com), defined via the ALLOWED_DOMAINS setting and your Azure app registration. This ensures only authorised users from within your organisation can access the system.

Backend Security

The Express.js backend applies strong encryption and access control mechanisms to protect sensitive data throughout the authentication flow.

Token Encryption

Access and refresh tokens are never stored in plaintext. Instead, the platform uses AES-256-CBC encryption with best-practice safeguards:

A cryptographic key is derived from a SHA-256 hash of the TOKEN_KEY environment variable.
A random IV (initialisation vector) is generated for each encryption, ensuring unique ciphertext even for identical input.
The IV and encrypted token are combined into a single binary buffer for easy and secure storage.

Tokens are only encrypted and stored — decryption is not performed by the backend. Instead, encrypted tokens are returned to authorised external platforms (e.g., n8n), which then decrypt them locally using the shared TOKEN_KEY. This ensures the backend remains stateless and avoids holding plaintext credentials in memory.

Authentication & API Security

JWT Middleware: All internal API routes are protected by a JWT-based middleware that supports both header and cookie-based authentication.
Role-Based Access Control: API access is governed by user roles (admin or user), ensuring that users can only access their own tokens while admins can query across accounts.
Hashed API Keys: External API access is protected by SHA-256–hashed API keys stored securely in the database.

Database & Operational Security

Sensitive fields such as encrypted tokens are securely stored using Prisma ORM with strict schema definitions.
Environment variables are used for all secrets, with no hardcoded credentials in the codebase.
The platform supports TLS connections for encrypted data-in-transit where applicable.

Authentication Middleware: The authenticateJWT provides robust JWT authentication with both header and cookie-based token support.

External API Security

The platform implements multiple security layers for external API access:

API Key Authentication: SHA-256 hashed API keys stored securely
Role-Based Access Control: API endpoints enforce user permissions based on roles

Deployment Guide (Docker)

The platform is designed for straightforward Docker deployment using the provided docker-compose.yml configuration.

Prerequisites

Docker and Docker Compose installed
Microsoft Azure application registration

Step-by-Step Deployment

1. Clone and Configure

git clone [repository-url provided on purchase]
cd microsoft-auth
cp .env.example .env

2. Configure Environment Variables

The .env.example file provides comprehensive configuration options. Key variables include:

# Application Environment
NODE_ENV=production
ENABLE_DEBUG_ROUTES=false
LOG_LEVEL=warn

# CSRF protection
ENABLE_CSRF=true

# Database Configuration
POSTGRES_USER=auth_user
POSTGRES_PASSWORD=auth_pass
POSTGRES_DB=auth_db
POSTGRES_PORT=5432
SERVER_PORT=3000
PRISMA_PORT=5555
POSTGRES_HOST=production-db-host
DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}

# Security
TOKEN_KEY=generate-a-secure-64-byte-random-string
JWT_SECRET=generate-a-secure-jwt-secret

# Microsoft Azure AD
AZURE_CLIENT_ID=your-azure-client-id
AZURE_CLIENT_SECRET=your-azure-client-secret
AZURE_REDIRECT_URI=https://your-production-domain.com/api/oauth/microsoft/callback

# Microsoft Authentication Scopes
# Comma-separated list of scopes to request during Microsoft Graph authentication
MS_GRAPH_SCOPES=openid,offline_access,profile,email,User.Read,Mail.Read,Mail.Send,Calendars.Read,Chat.ReadWrite,ChatMessage.Send,OnlineMeetings.Read,OnlineMeetingTranscript.Read.All,Chat.ReadWrite.All,Files.Read.All,Sites.Read.All
# Comma-separated list of SharePoint scopes (without the tenant prefix)
MS_SHAREPOINT_SCOPES=AllSites.Read,MyFiles.Read,Sites.Search.All,Sites.Selected,User.Read.All

# Frontend Configuration
NEXT_PUBLIC_API_BASE_URL=https://your-api-domain.com/api
WEB_APP_URL=https://your-frontend-domain.com
COOKIE_DOMAIN=.your-domain.com

# Docker Configuration
COMPOSE_PROJECT_NAME=production-stack-name

3. Azure Application Setup

Configure your Azure application registration with:

Redirect URI: https://your-domain.com/api/oauth/microsoft/callback
Required API Permissions: As defined in the MS_GRAPH_SCOPES and MS_SHAREPOINT_SCOPES variables

4. Deploy with Docker Compose

docker compose up -d --build

The docker-compose.yml configuration provides:

PostgreSQL Database: Persistent storage with health checks
Express.js Backend: API server with automatic migration handling
Next.js Frontend: Web interface served on port 4000
Networking: Internal Docker network for secure service communication

5. Initial Access

Access the platform at http://localhost:4000 (or your configured domain). The first user to authenticate will automatically receive administrator privileges.

Production Considerations

For production deployment, consider:

Reverse Proxy: Use nginx or CloudFlare for SSL termination
Database Backup: Implement automated PostgreSQL backups
Monitoring: Add health check endpoints and logging
Scaling: Deploy behind a load balancer for high availability

How to Access the Application

The MS Auto Auth 365 solution is available as a commercial solution with a unique access model designed for enterprise customers.

Acquisition Process

Pricing: The platform is available for an introductory price of £249, providing excellent value for enterprise-grade token management capabilities.

Purchase and Access:

Upon purchase, you receive a unique product key via email
The key grants access to the private GitHub repository containing the complete source code
Repository access includes full documentation, deployment guides, and ongoing updates
Access is tied to your verified GitHub account for security

Repository Access Benefits

Your product key provides:

Full Source Code Access: Complete visibility into the platform's implementation
Documentation and Guides: Comprehensive deployment and integration documentation
Updates and Improvements: Ongoing access to platform enhancements
Community Support: Issue tracking and community discussions

As stated in the LICENSE.md:

"Your validated product key grants you read-only access to the private GitHub repository containing the Software. This access includes full source code for review and customisation, documentation and deployment guides, updates and improvements during your license term."

Licence Summary

The platform operates under a comprehensive commercial licence that balances protection of intellectual property with practical business usage rights.

Permitted Uses

Internal Business Operations: Deploy and use the software within your organisation for internal automation workflows and Microsoft 365 integration.

Software as a Service (SaaS): Incorporate the platform into SaaS applications you develop, provided it remains integrated within your broader solution.

Consultancy Use: Development agencies and consultancies may deploy the software for client projects as part of custom solutions, with specific guidelines for source code access.

Key Restrictions

No Redistribution: The software cannot be distributed, resold, or sublicensed as a standalone product
No Source Code Distribution: Source code access is restricted to legitimate business purposes within your organisation
Attribution Requirements: Public-facing applications must include appropriate attribution

Support and Compliance

The licence includes:

Repository Updates: Access to software updates and improvements
Community Support: Support through GitHub issues and the nocodecreative.io community discussions
Validation Requirements: Product keys must remain active for continued access

Commercial Use Clarifications

The licence explicitly permits:

Enterprise Deployment: Large-scale deployments across multiple departments and locations
Revenue Generation: No restrictions on revenue from services incorporating the software
Multi-Client Use: Consultancies may use a single licence for multiple client projects

As noted in the licence: "This License strikes a balance between protecting our intellectual property while enabling you to build sophisticated automation solutions that drive real business value."

Final Thoughts

The MS Auto Auth 365 solution represents a thoughtful solution to a genuine problem in the automation space.

For organisations struggling with Microsoft 365 automation complexity, this platform offers a path to centralised, secure token management that scales with your automation needs. The combination of enterprise-grade security, comprehensive API access, and straightforward deployment makes it a compelling solution for teams serious about automation infrastructure.

The £249 price point, coupled with full source code access and ongoing updates, provides excellent value for what could otherwise require significant internal development resources to achieve the same level of security and reliability

Get Instant Access to MS Auto Auth 365 →

Purchase Now