From 65a7c2e0c2b0f0ea88705e6eec4ff4b3d4b0f482 Mon Sep 17 00:00:00 2001
From: Jesper Madsen <jesper.a.madsen@gmail.com>
Date: Fri, 24 Oct 2025 10:36:50 +0200
Subject: [PATCH 1/7] specify default claim name if none is added

---
 .../project-features/external-login-providers.md       | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
index ff0517558b0..88c3072ebf8 100644
--- a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
@@ -177,7 +177,15 @@ The **alias** must be unique across different login providers in the same enviro
 
 Learn about what type of data and information you need for each field in the configuration form.
 
-<table><thead><tr><th width="227">Field</th><th>Description</th><th>Formatting</th></tr></thead><tbody><tr><td>Alias</td><td>A unique alias for the provider.</td><td><p>Use only lower-case.</p><p>Spaces are not allowed.</p></td></tr><tr><td>Client Id</td><td>A unique Client ID generated in the external login provider.</td><td>Entra ID: Guid<br>Auth0: Random characters<br>Google: <code>{randomchars}.apps.googleusercontent.com</code></td></tr><tr><td>Client Secret</td><td>A secret that is generated in the External Login Provider and is associated with the Client Id.</td><td></td></tr><tr><td>Authority</td><td>The URL for the External Login Provider. This can be found in the External Login Provider.</td><td>Entra ID: <code>https://login.microsoftonline.com/&#x3C;Directory (tenant)></code><br>Auth0: <code>https://{accountId}.uk.auth0.com</code><br>Google: <code>https://accounts.google.com</code></td></tr><tr><td>Scopes</td><td>These are OpenID-Connect scopes. These are the minimum requirement and will allow the app to authenticate and get the users profile data, email and name.</td><td>Default values: <code>openid</code>, <code>profile</code> and <code>email</code>.</td></tr><tr><td>Auth Type</td><td>Currently only OpenIDConnect is available.</td><td>Default: <code>OpenIdConnect</code></td></tr><tr><td>Default User Group</td><td>Choose which <strong>Umbraco User Group</strong> the user should be assigned to if nothing else is defined.<br>Custom User Group added to the backoffice will also be available.</td><td>Default Options:<br><code>Administrators</code><br><code>Writers</code><br><code>Editors</code><br><code>Translators</code><br><code>Sensitive Data</code></td></tr><tr><td>Enforce User Group on login</td><td>A checkbox to choose whether each login will re-evaluate the users role or if it should happen only on the first login.</td><td>N/A</td></tr><tr><td>User Group Mappings</td><td>Use this field to map roles within the login provider with Umbraco User Groups.<br><br><em>Example: A user with the "Content Editor" role in the login provider, will be added to the Writer User Group in Umbraco.</em></td><td><code>Login Provider Role</code> = <code>Umbraco User Group</code><br><br>Entra ID: <code>Object ID of User Group</code> = <code>Umbraco User Group</code></td></tr><tr><td>No User Group Found Behaviour</td><td>This decides what happens if the mapping for the users User Group hasn't been defined. The options are to select the Default User Group or to disallow the user access to the backoffice.</td><td>Options: <code>UseDefaultUserGroup</code>, <code>Unauthorized</code></td></tr><tr><td>User Group Claim Name</td><td>Your provider may assign users to specific roles (For example: Admin, Editor, Viewer).<br><br>The <strong>User Group Claim Name</strong> is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions.<br><br>Example: If your provider sends roles in a claim named <code>user_roles</code>, you would set the <strong>User Group Claim Name</strong> to <code>user_roles</code> so the system can properly recognize user permissions.</td><td>Entra ID: <code>email (ID)</code>, <code>groups</code></td></tr><tr><td>Metadata Address</td><td>If you need a special metadata address for your External Login Provider, you can set it here. By default, the system will resolve the metadata address from the Authority Url, which is why this property is optional.</td><td>A common scenario for using a special metadata address is when working with Entra ID and configuring claims mapping. In this case, you must set the metadata address to the following:<code>https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}</code></td></tr></tbody></table>
+<table><thead><tr><th width="227">Field</th><th>Description</th><th>Formatting</th></tr></thead><tbody><tr><td>Alias</td><td>A unique alias for the provider.</td><td><p>Use only lower-case.</p><p>Spaces are not allowed.</p></td></tr><tr><td>Client Id</td><td>A unique Client ID generated in the external login provider.</td><td>Entra ID: Guid<br>Auth0: Random characters<br>Google: <code>{randomchars}.apps.googleusercontent.com</code></td></tr><tr><td>Client Secret</td><td>A secret that is generated in the External Login Provider and is associated with the Client Id.</td><td></td></tr><tr><td>Authority</td><td>The URL for the External Login Provider. This can be found in the External Login Provider.</td><td>Entra ID: <code>https://login.microsoftonline.com/&#x3C;Directory (tenant)></code><br>Auth0: <code>https://{accountId}.uk.auth0.com</code><br>Google: <code>https://accounts.google.com</code></td></tr><tr><td>Scopes</td><td>These are OpenID-Connect scopes. These are the minimum requirement and will allow the app to authenticate and get the users profile data, email and name.</td><td>Default values: <code>openid</code>, <code>profile</code> and <code>email</code>.</td></tr><tr><td>Auth Type</td><td>Currently only OpenIDConnect is available.</td><td>Default: <code>OpenIdConnect</code></td></tr><tr><td>Default User Group</td><td>Choose which <strong>Umbraco User Group</strong> the user should be assigned to if nothing else is defined.<br>Custom User Group added to the backoffice will also be available.</td><td>Default Options:<br><code>Administrators</code><br><code>Writers</code><br><code>Editors</code><br><code>Translators</code><br><code>Sensitive Data</code></td></tr><tr><td>Enforce User Group on login</td><td>A checkbox to choose whether each login will re-evaluate the users role or if it should happen only on the first login.</td><td>N/A</td></tr><tr><td>User Group Mappings</td><td>Use this field to map roles within the login provider with Umbraco User Groups.<br><br><em>Example: A user with the "Content Editor" role in the login provider, will be added to the Writer User Group in Umbraco.</em></td><td><code>Login Provider Role</code> = <code>Umbraco User Group</code><br><br>Entra ID: <code>Object ID of User Group</code> = <code>Umbraco User Group</code></td></tr><tr><td>No User Group Found Behaviour</td><td>This decides what happens if the mapping for the users User Group hasn't been defined. The options are to select the Default User Group or to disallow the user access to the backoffice.</td><td>Options: <code>UseDefaultUserGroup</code>, <code>Unauthorized</code></td></tr>
+
+<tr><td>User Group Claim Name</td>
+
+<td>Your provider may assign users to specific roles (For example: Admin, Editor, Viewer).<br><br>The <strong>User Group Claim Name</strong> is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions.<br><br>Example: If your provider sends roles in a claim named <code>user_roles</code>, you would set the <strong>User Group Claim Name</strong> to <code>user_roles</code> so the system can properly recognize user permissions.<br><br><br><strong>NOTE:</strong> If you leave this field blank we will automatically use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as default claim name.</td>
+
+<td>Entra ID: <code>email (ID)</code>, <code>groups</code></td></tr>
+
+<tr><td>Metadata Address</td><td>If you need a special metadata address for your External Login Provider, you can set it here. By default, the system will resolve the metadata address from the Authority Url, which is why this property is optional.</td><td>A common scenario for using a special metadata address is when working with Entra ID and configuring claims mapping. In this case, you must set the metadata address to the following:<code>https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}</code></td></tr></tbody></table>
 
 ### Handling invites when using an External Login Provider
 

From 3f3ecd60282198e09b13e82b61cfabb11bf3092b Mon Sep 17 00:00:00 2001
From: Jesper Madsen <jesper.a.madsen@gmail.com>
Date: Fri, 24 Oct 2025 10:42:09 +0200
Subject: [PATCH 2/7] 57030 tone

---
 .../project-features/external-login-providers.md                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
index 88c3072ebf8..c1e5199699d 100644
--- a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
@@ -181,7 +181,7 @@ Learn about what type of data and information you need for each field in the con
 
 <tr><td>User Group Claim Name</td>
 
-<td>Your provider may assign users to specific roles (For example: Admin, Editor, Viewer).<br><br>The <strong>User Group Claim Name</strong> is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions.<br><br>Example: If your provider sends roles in a claim named <code>user_roles</code>, you would set the <strong>User Group Claim Name</strong> to <code>user_roles</code> so the system can properly recognize user permissions.<br><br><br><strong>NOTE:</strong> If you leave this field blank we will automatically use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as default claim name.</td>
+<td>Your provider may assign users to specific roles (For example: Admin, Editor, Viewer).<br><br>The <strong>User Group Claim Name</strong> is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions.<br><br>Example: If your provider sends roles in a claim named <code>user_roles</code>, you would set the <strong>User Group Claim Name</strong> to <code>user_roles</code> so the system can properly recognize user permissions.<br><br><strong>NOTE:</strong> If field is left blank the system will default to use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as claim name.</td>
 
 <td>Entra ID: <code>email (ID)</code>, <code>groups</code></td></tr>
 

From 8d7575800fbd6a29bb6c4a5defa62949541218f1 Mon Sep 17 00:00:00 2001
From: Jesper Madsen <jesper.a.madsen@gmail.com>
Date: Fri, 24 Oct 2025 10:44:45 +0200
Subject: [PATCH 3/7] 57030 Org ELP also defaults on this field

---
 .../organizations/organization-login-providers.md               | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md
index 63cc6b3965c..33b6cc74343 100644
--- a/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md
@@ -214,6 +214,8 @@ The **User Mapping Claim Name** is the field in the authentication token (claim)
 
 For example, if the roles claim is called `user_roles` in your provider, you set the **User Mapping Claim Name** to `user_roles`.
 
+<strong>NOTE:</strong> If field is left blank the system will default to use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as claim name.
+
 ## Signing in using the Login Provider
 
 When trying to access Umbraco Cloud Portal through `s1.umbraco.io`, you are greeted by an Umbraco ID sign-in screen. 

From a93079de075afa0d52fa41d2172c8be07e5bc224 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Fri, 31 Oct 2025 10:12:01 +0100
Subject: [PATCH 4/7] Update
 umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md

---
 .../project-features/external-login-providers.md                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
index c1e5199699d..2bd86eb3991 100644
--- a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
@@ -177,7 +177,7 @@ The **alias** must be unique across different login providers in the same enviro
 
 Learn about what type of data and information you need for each field in the configuration form.
 
-<table><thead><tr><th width="227">Field</th><th>Description</th><th>Formatting</th></tr></thead><tbody><tr><td>Alias</td><td>A unique alias for the provider.</td><td><p>Use only lower-case.</p><p>Spaces are not allowed.</p></td></tr><tr><td>Client Id</td><td>A unique Client ID generated in the external login provider.</td><td>Entra ID: Guid<br>Auth0: Random characters<br>Google: <code>{randomchars}.apps.googleusercontent.com</code></td></tr><tr><td>Client Secret</td><td>A secret that is generated in the External Login Provider and is associated with the Client Id.</td><td></td></tr><tr><td>Authority</td><td>The URL for the External Login Provider. This can be found in the External Login Provider.</td><td>Entra ID: <code>https://login.microsoftonline.com/&#x3C;Directory (tenant)></code><br>Auth0: <code>https://{accountId}.uk.auth0.com</code><br>Google: <code>https://accounts.google.com</code></td></tr><tr><td>Scopes</td><td>These are OpenID-Connect scopes. These are the minimum requirement and will allow the app to authenticate and get the users profile data, email and name.</td><td>Default values: <code>openid</code>, <code>profile</code> and <code>email</code>.</td></tr><tr><td>Auth Type</td><td>Currently only OpenIDConnect is available.</td><td>Default: <code>OpenIdConnect</code></td></tr><tr><td>Default User Group</td><td>Choose which <strong>Umbraco User Group</strong> the user should be assigned to if nothing else is defined.<br>Custom User Group added to the backoffice will also be available.</td><td>Default Options:<br><code>Administrators</code><br><code>Writers</code><br><code>Editors</code><br><code>Translators</code><br><code>Sensitive Data</code></td></tr><tr><td>Enforce User Group on login</td><td>A checkbox to choose whether each login will re-evaluate the users role or if it should happen only on the first login.</td><td>N/A</td></tr><tr><td>User Group Mappings</td><td>Use this field to map roles within the login provider with Umbraco User Groups.<br><br><em>Example: A user with the "Content Editor" role in the login provider, will be added to the Writer User Group in Umbraco.</em></td><td><code>Login Provider Role</code> = <code>Umbraco User Group</code><br><br>Entra ID: <code>Object ID of User Group</code> = <code>Umbraco User Group</code></td></tr><tr><td>No User Group Found Behaviour</td><td>This decides what happens if the mapping for the users User Group hasn't been defined. The options are to select the Default User Group or to disallow the user access to the backoffice.</td><td>Options: <code>UseDefaultUserGroup</code>, <code>Unauthorized</code></td></tr>
+<table><thead><tr><th width="227">Field</th><th>Description</th><th>Formatting</th></tr></thead><tbody><tr><td>Alias</td><td>A unique alias for the provider.</td><td><p>Use only lowercase.</p><p>Spaces are not allowed.</p></td></tr><tr><td>Client ID</td><td>A unique Client ID generated in the external login provider.</td><td>Entra ID: Guid<br>Auth0: Random characters<br>Google: <code>{randomchars}.apps.googleusercontent.com</code></td></tr><tr><td>Client Secret</td><td>A secret that is generated in the External Login Provider and is associated with the Client ID. </td><td></td></tr><tr><td>Authority</td><td>The URL for the External Login Provider. This can be found in the External Login Provider.</td><td>Entra ID: <code>https://login.microsoftonline.com/&#x3C;Directory (tenant)></code><br>Auth0: <code>https://{accountId}.uk.auth0.com</code><br>Google: <code>https://accounts.google.com</code></td></tr><tr><td>Scopes</td><td>These are OpenID Connect scopes. These are the minimum requirements and will allow the app to authenticate and get the user's profile data, email, and name.</td><td>Default values: <code>openid</code>, <code>profile</code>, and <code>email</code>.</td></tr><tr><td>Auth Type</td><td>Currently only OpenIDConnect is available.</td><td>Default: <code>OpenIdConnect</code></td></tr><tr><td>Default User Group</td><td>Choose which <strong>Umbraco User Group</strong> the user should be assigned to if nothing else is defined.<br>A custom User Group added to the backoffice will also be available.</td><td>Default Options:<br><code>Administrators</code><br><code>Writers</code><br><code>Editors</code><br><code>Translators</code><br><code>Sensitive Data</code></td></tr><tr><td>Enforce User Group on login</td><td>A checkbox to choose whether each login will re-evaluate the user's role or if it should happen only on the first login.</td><td>N/A</td></tr><tr><td>User Group Mappings</td><td>Use this field to map roles within the login provider with Umbraco User Groups.<br><br><em>Example: A user with the "Content Editor" role in the login provider will be added to the Writer User Group in Umbraco.</em></td><td><code>Login Provider Role</code> = <code>Umbraco User Group</code><br><br>Entra ID: <code>Object ID of User Group</code> = <code>Umbraco User Group</code></td></tr><tr><td>No User Group Found Behaviour</td><td>This defines what happens if the mapping for the user’s User Group hasn’t been defined. The options are to select the Default User Group or to disallow the user access to the backoffice.</td><td>Options: <code>UseDefaultUserGroup</code>, <code>Unauthorized</code></td></tr>
 
 <tr><td>User Group Claim Name</td>
 

From 6c64cc451ec64e5dcba65e572f1a002b9bec6aa9 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Fri, 31 Oct 2025 10:12:13 +0100
Subject: [PATCH 5/7] Update
 umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md

---
 .../project-features/external-login-providers.md                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
index 2bd86eb3991..f7877b770b7 100644
--- a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
@@ -181,7 +181,7 @@ Learn about what type of data and information you need for each field in the con
 
 <tr><td>User Group Claim Name</td>
 
-<td>Your provider may assign users to specific roles (For example: Admin, Editor, Viewer).<br><br>The <strong>User Group Claim Name</strong> is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions.<br><br>Example: If your provider sends roles in a claim named <code>user_roles</code>, you would set the <strong>User Group Claim Name</strong> to <code>user_roles</code> so the system can properly recognize user permissions.<br><br><strong>NOTE:</strong> If field is left blank the system will default to use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as claim name.</td>
+<td>Your provider may assign users to specific roles (For example: Admin, Editor, Viewer).<br><br>The <strong>User Group Claim Name</strong> is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions.<br><br>Example: If your provider sends roles in a claim named <code>user_roles</code>, you would set the <strong>User Group Claim Name</strong> to <code>user_roles</code> so the system can properly recognize user permissions.<br><br><strong>NOTE:</strong> If the field is left blank, the system will default to use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as the claim name.</td>
 
 <td>Entra ID: <code>email (ID)</code>, <code>groups</code></td></tr>
 

From 4b67eaa3c5d9ca02dd16b6a6f565f46f6d10bdba Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Fri, 31 Oct 2025 10:12:22 +0100
Subject: [PATCH 6/7] Update
 umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md

---
 .../project-features/external-login-providers.md                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
index f7877b770b7..cc15eacbd1d 100644
--- a/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/project-features/external-login-providers.md
@@ -185,7 +185,7 @@ Learn about what type of data and information you need for each field in the con
 
 <td>Entra ID: <code>email (ID)</code>, <code>groups</code></td></tr>
 
-<tr><td>Metadata Address</td><td>If you need a special metadata address for your External Login Provider, you can set it here. By default, the system will resolve the metadata address from the Authority Url, which is why this property is optional.</td><td>A common scenario for using a special metadata address is when working with Entra ID and configuring claims mapping. In this case, you must set the metadata address to the following:<code>https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}</code></td></tr></tbody></table>
+<tr><td>Metadata Address</td><td>If you need a special metadata address for your External Login Provider, you can set it here. By default, the system will resolve the metadata address from the Authority URL, which is why this property is optional.</td><td>A common scenario for using a special metadata address is when working with Entra ID and configuring claims mapping. In this case, you must set the metadata address to the following:<code>https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}</code>.</td></tr></tbody></table>
 
 ### Handling invites when using an External Login Provider
 

From a25605641ab39566403f3daaa7d8cabc07a55b50 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Fri, 31 Oct 2025 10:12:30 +0100
Subject: [PATCH 7/7] Update
 umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md

---
 .../organizations/organization-login-providers.md             | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md b/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md
index 33b6cc74343..c3a48d63511 100644
--- a/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md
+++ b/umbraco-cloud/begin-your-cloud-journey/the-cloud-portal/organizations/organization-login-providers.md
@@ -214,7 +214,9 @@ The **User Mapping Claim Name** is the field in the authentication token (claim)
 
 For example, if the roles claim is called `user_roles` in your provider, you set the **User Mapping Claim Name** to `user_roles`.
 
-<strong>NOTE:</strong> If field is left blank the system will default to use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as claim name.
+{% hint style="info" %}
+If the field is left blank, the system will default to use <code>http://schemas.microsoft.com/ws/2008/06/identity/claims/role</code> as the claim name.
+{% endhint %}
 
 ## Signing in using the Login Provider
 

Field	Description	Formatting
Alias	A unique alias for the provider.	Use only lower-case. Spaces are not allowed.
Client Id	A unique Client ID generated in the external login provider.	Entra ID: Guid Auth0: Random characters Google: `{randomchars}.apps.googleusercontent.com`
Client Secret	A secret that is generated in the External Login Provider and is associated with the Client Id.
Authority	The URL for the External Login Provider. This can be found in the External Login Provider.	Entra ID: `https://login.microsoftonline.com/<Directory (tenant)>` Auth0: `https://{accountId}.uk.auth0.com` Google: `https://accounts.google.com`
Scopes	These are OpenID-Connect scopes. These are the minimum requirement and will allow the app to authenticate and get the users profile data, email and name.	Default values: `openid`, `profile` and `email`.
Auth Type	Currently only OpenIDConnect is available.	Default: `OpenIdConnect`
Default User Group	Choose which Umbraco User Group the user should be assigned to if nothing else is defined. Custom User Group added to the backoffice will also be available.	Default Options: `Administrators` `Writers` `Editors` `Translators` `Sensitive Data`
Enforce User Group on login	A checkbox to choose whether each login will re-evaluate the users role or if it should happen only on the first login.	N/A
User Group Mappings	Use this field to map roles within the login provider with Umbraco User Groups. Example: A user with the "Content Editor" role in the login provider, will be added to the Writer User Group in Umbraco.	`Login Provider Role` = `Umbraco User Group` Entra ID: `Object ID of User Group` = `Umbraco User Group`
No User Group Found Behaviour	This decides what happens if the mapping for the users User Group hasn't been defined. The options are to select the Default User Group or to disallow the user access to the backoffice.	Options: `UseDefaultUserGroup`, `Unauthorized`
User Group Claim Name	Your provider may assign users to specific roles (For example: Admin, Editor, Viewer). The User Group Claim Name is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions. Example: If your provider sends roles in a claim named `user_roles`, you would set the User Group Claim Name to `user_roles` so the system can properly recognize user permissions.	Entra ID: `email (ID)`, `groups`
Metadata Address	If you need a special metadata address for your External Login Provider, you can set it here. By default, the system will resolve the metadata address from the Authority Url, which is why this property is optional.	A common scenario for using a special metadata address is when working with Entra ID and configuring claims mapping. In this case, you must set the metadata address to the following:`https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}`
Field	Description	Formatting
Alias	A unique alias for the provider.	Use only lowercase. Spaces are not allowed.
Client ID	A unique Client ID generated in the external login provider.	Entra ID: Guid Auth0: Random characters Google: `{randomchars}.apps.googleusercontent.com`
Client Secret	A secret that is generated in the External Login Provider and is associated with the Client ID.
Authority	The URL for the External Login Provider. This can be found in the External Login Provider.	Entra ID: `https://login.microsoftonline.com/<Directory (tenant)>` Auth0: `https://{accountId}.uk.auth0.com` Google: `https://accounts.google.com`
Scopes	These are OpenID Connect scopes. These are the minimum requirements and will allow the app to authenticate and get the user's profile data, email, and name.	Default values: `openid`, `profile`, and `email`.
Auth Type	Currently only OpenIDConnect is available.	Default: `OpenIdConnect`
Default User Group	Choose which Umbraco User Group the user should be assigned to if nothing else is defined. A custom User Group added to the backoffice will also be available.	Default Options: `Administrators` `Writers` `Editors` `Translators` `Sensitive Data`
Enforce User Group on login	A checkbox to choose whether each login will re-evaluate the user's role or if it should happen only on the first login.	N/A
User Group Mappings	Use this field to map roles within the login provider with Umbraco User Groups. Example: A user with the "Content Editor" role in the login provider will be added to the Writer User Group in Umbraco.	`Login Provider Role` = `Umbraco User Group` Entra ID: `Object ID of User Group` = `Umbraco User Group`
No User Group Found Behaviour	This defines what happens if the mapping for the user’s User Group hasn’t been defined. The options are to select the Default User Group or to disallow the user access to the backoffice.	Options: `UseDefaultUserGroup`, `Unauthorized`
User Group Claim Name
User Group Claim Name	Your provider may assign users to specific roles (For example: Admin, Editor, Viewer). The User Group Claim Name is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions. Example: If your provider sends roles in a claim named `user_roles`, you would set the User Group Claim Name to `user_roles` so the system can properly recognize user permissions. NOTE: If field is left blank the system will default to use `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` as claim name.	Your provider may assign users to specific roles (For example: Admin, Editor, Viewer). The User Group Claim Name is the field in the authentication token (claim) that identifies these roles. The system reads this claim to determine a user’s permissions. Example: If your provider sends roles in a claim named `user_roles`, you would set the User Group Claim Name to `user_roles` so the system can properly recognize user permissions. NOTE: If the field is left blank, the system will default to use `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` as the claim name.	Entra ID: `email (ID)`, `groups`
Entra ID: `email (ID)`, `groups`
Metadata Address	If you need a special metadata address for your External Login Provider, you can set it here. By default, the system will resolve the metadata address from the Authority Url, which is why this property is optional.	A common scenario for using a special metadata address is when working with Entra ID and configuring claims mapping. In this case, you must set the metadata address to the following:`https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client-id}`