I’ve had a go recently at looking at Spring Boot OAuth2 and how easy it is implementing a sign in with Microsoft using OAuth2. My findings were surprising and justified, I think, this blog post. More importantly I think it explains why Microsoft has such little “pull” with developers nowadays. (Sure they are trying to change that through acquisitions such as GitHub and LinkedIn and tools such as VSCode but they are just scratching the surface really.)
It has to be said the difficulty of implementing something like “Login with Microsoft” comes not from the coding (Spring Boot does a great job of doing the heavy lifting here) but rather from the setup/configuration, which was the surprising part for me. And also, it has to be noted that we are not talking here about getting an app up and running in a production environment, I get there are a lot of other implications in that — including security, legal and even financial; no, we are talking about getting something up and running locally on my laptop here, so “development mode” if you will.
Google makes it very easy if you want to implement a “Sign in with Google” in your web app: you create a developer profile then create an app setup in the developer console and you can be up and running on your local machine in about 10 minutes, all free, all self-serve. Google takes it even further in fact and it allows you to go live with an app like that in production but with a few restrictions: they prompt the user that your app hasn’t been verified by them and limit your app to only something like 100 Google accounts and a rate limit to their APIs; however they allow you to quickly get to the point you can test your app even in a live scenario but with limitations. All of this in a matter of minutes and free.
Now to have a “Login with Microsoft” in your web app you need first to create an account with Microsoft Azure — this made sense, as with Google I had to create an account for their Google Cloud too (however they just did a good job of separating the OAuth2 part in their console). So I created an account with Azure, seemed pretty straightforward and was free. Then I thought “ok now I can create my web app setup and run with it” …
Wrong! Next I had to create a “tenancy” in Azure (I’m still not sure I fully understand what that is). But I went ahead and created one. It was free however I ended up with a very complex screen in front of me at the end.
(Side note: Microsoft seems to have not outgrown the MSDN era when they used to ship tons of documentation CDs and DVDs to engineering companies every quarter and these companies had to read and understand them if they wanted to build solutions on Microsoft platform; and back then Windows was the major platform on everyone’s workstation so engineers had no other choice but to ingest these. Nowadays we have the web, so not sure how important it is having a Microsoft Windows on your screen.)
Anyway after the tenancy bit I could finally create an app configuration in Azure, equally easy as the Google process to be fair. From there I could configure the scope and the client secrets and then I was off…
… or so I thought! Having configured all of this and done the equivalent configuration in Spring Boot I tried to log into my web app with one of the @outlook.com accounts I’ve created for testing purposes. And I found out that actually the way my web app is set up I can only log in with accounts set up in the tenancy I’ve created! That means that only users I create myself in my tenancy (email addresses under my @xyz.onmicrosoft.com) can log into my web app! Which is not what I wanted, I wanted anyone with a Microsoft account (think anyone with a @hotmail.com account or @outlook.com account etc) to be able to log in. So I go through the Microsoft (ample!) docs and find out that to do that I need a license (probably one of Microsoft’s favorite words) for something called “Azure AD B2C”. I tried to figure out the pricing for it but I couldn’t and so abandoned the idea on the basis that it’s probably expensive. (Any consumer company trying to get users to sign up to a recurring contract worth $10/month or less is touting this all over their website and makes the pricing clear; since I couldn’t get to any idea of a price I concluded it must be expensive, probably “enterprise account” style — which seems to be yet another favorite for Microsoft.)
I thought still for the purpose of testing I can create a couple of accounts in my damn tenancy and test with those and likely the process (in terms of interacting with my code) will be the same for someone outside my tenancy (obviously plus the license I would have to cough up for this). So I went and created a couple of accounts in my tenancy and then went on to try to log in with them in my web app.
I got prompted on first login that I have to change my password; fair enough it made sense — I’m a bit annoyed as these are test accounts really but whatever I go ahead and change password. Ok now can I log into my app with this account?
Errr no! I get informed that my tenancy apparently requires 2FA. Ok I tell myself that tenancy screen was pretty complicated so I probably did that myself so decided to go ahead and set up 2FA thinking I’ll just give my phone number and use text / SMS 2FA. Wrong again: I have to install a Microsoft Authenticator on my phone, and configure the account on my phone to be able to do that! At which point I decided this is overkill (by comparison I must have about 20+ Gmail test accounts set up, and must have forgotten password for about half of them, whatever, Google makes it easy to set an account up and not use 2FA, which is a great feature if you want to test things). So I thought let me go back to my Azure tenancy setup, there’s probably a setting there I missed to NOT enforce 2FA for the accounts in my tenancy.
I spend some time in the tenancy screen and way more time reading the documentation and finally find out that if I want to turn off 2FA I need a license (did I mention before that Microsoft loves this word?) for something or other which will allow me to configure security policies and standards for the tenancy. Hmmm trying to research pricing on that gives me nothing so I conclude again (see above) that it must be expensive.
I finally find a way to configure this such that 2FA is enforced (can’t change that) but I can set a grace period of 2 weeks for my users to configure it. This effectively gives me 2 weeks for each test account on my tenancy where I don’t have to configure 2FA — but I have to go each time I log into anything with each account through a lot of annoying screens where I am prompted to set it up.
I get finally to test my web app with sign in with Microsoft and it works — like I said the code part was easy!
However at the end of this process I’m frustrated and I realize that any product that wants to implement this sign in with Microsoft faces a lot of friction:
- There is no sympathy for the developer in the process it seems; this likely leads to a lot of developers giving up in the process. Which in turn leads to a very small ecosystem for Microsoft and as such this limits their opportunities for growth – Apple, Google, Samsung, Amazon realized enabling and creating such ecosystems strengthens their position in the market and increases their monetizing strategies. Microsoft still thinks in terms of making developers pay rather than cashing in on the consumer side and maths work against them: sure 1MM developers paying $10k a year is great but 2BN consumers paying $100 a year is better!
- Putting aside the finances, the friction for getting something off the ground with Microsoft is huge! To the point where only an enterprise will invest in this platform. If you have time and patience to dedicate to all the complicated screens and large amounts of documentation engineers need to read to achieve something simple sure go ahead with Microsoft but if you’re a lean organization (read startup) you are going to look for alternatives. (To re-iterate: I didn’t do this because I had to, but rather because I was curious about how hard it is to do so!)
- Lastly in hindsight the fact that Spring Boot does not support Microsoft out of the box is telling: their code works with Microsoft, but there is a huge deal of work (and money) to set up the rest! And most engineers do not have to deal with Microsoft because most products being developed are not building for Microsoft platforms! “Login with Microsoft” is on very few apps’ radars (I’m guessing “enterprise” apps); they have become insignificant to the point where supporting something like this is an edge case!
- On that point about “enterprise development”, this is something that Microsoft has nailed since back in the day and they seem to stick to it. I suspect it is a good revenue generator — which is great for business. Oracle, IBM, HP all these guys operate in this space and while not the first name that springs to an engineer’s mind (for tooling, “friendliness” and such) they make a good fortune out of it. As such, I am guessing really “Login with Microsoft” is something solely for the realm of enterprise apps, at which point all the frustrations above make sense: it’s not something a startup trying to get a product off the ground will gladly undertake (and pay for!) unless that is their market. This limits their user exposure to only those using enterprise apps as well as their developer exposure — to only those devs working on enterprise apps. It’s a somewhat niche market (albeit a large niche) which probably monetizes well. The problem is though competition in there is pretty big still (see my comments earlier about IBM, HP etc) and even in this market the big names are being challenged by (and often lose to) companies which bring in more developer empathy and user friendliness. (Quick example that springs to mind here is Okta for example.)
I did a bit of research also with regards to the user adoption of these 2 services and here’s what I found (note this is based on google search results, some results are about 2-3 years old dating back to 2018 so the figures are not that precise but I think they paint a good picture in terms of order of magnitude and percentages rather than absolute numbers):
- Microsoft
  - Microsoft Hotmail/Outlook total users: about 400 million
  - Companies using Microsoft AD (which is needed for “Login with Microsoft”): about 25k
  - Companies using Microsoft Exchange: about 65k — I’m including these as I think it’s a safe guess that these companies will eventually implement something like “Login with Microsoft” in their enterprise.
  - So let’s say for argument’s sake that overall companies implementing “Login with Microsoft” in their enterprises is around 100k. And let’s say that each one of these enterprises has 100 users / employees — this lands us at around 10 million users. Even if we are generous here and assume 500 users / such enterprise, we get 50 million enterprise users.
  - TOTAL: about 450 million users which could benefit from “Login with Microsoft”
- Google
  - Google Gmail: 1.5 billion
  - Companies adopting (and paying for) Google Workspace (which includes Google Mail for enterprise amongst many others and allows for “Sign in with Google”) is around 5 million. Let’s say that these companies each has 2 employees — this lands us at around 10 million users. Let’s be generous here and choose an average of not 5X as in the case of Microsoft but 2X (i.e. 4 users / such company) — this lands us at 60 million users.
  - Total: about 1.5-1.6 billion users
As a conclusion to this (long) blog post: supporting “Login with Microsoft” is pretty easy at code level — though due to the big price you would have to pay in terms of setup (both in terms of effort/time as well as money!) I would advise you to only do so if you are working on an app in an enterprise environment, that to me is the only environment that would justify such an endeavor.