Microsoft Azure AD

Microsoft Azure AD

Microsoft Azure AD (now Microsoft Entra ID) is a cloud identity and access management service for single sign-on and user authentication on websites. Scripts load the Microsoft Authentication Library to handle OAuth flows, display login prompts, and manage access tokens. Stores authentication cookies and session tokens to maintain user login state across visits.

Microsoft
Part of Microsoft
Back to Vendor Library

Overview

Microsoft Azure AD (now rebranded as Microsoft Entra ID) is a cloud-based identity and access management service that provides single sign-on (SSO), multi-factor authentication, and directory services for web applications. When detected on websites, Azure AD handles user authentication flows — allowing visitors to sign in with their organizational Microsoft accounts or personal Microsoft accounts. It is the identity backbone for Microsoft 365 applications and is widely adopted by enterprise web applications for workforce and customer-facing (B2C) authentication.

What This Script Does

Azure AD authentication integrates through the Microsoft Authentication Library (MSAL) and OAuth 2.0/OpenID Connect protocol flows.

  • Scripts loaded: The Microsoft Authentication Library (msal-browser.js from alcdn.msauth.net or bundled into the application) handles token acquisition, refresh, and session management. The login flow redirects to login.microsoftonline.com for credential entry.
  • Authentication flow: Users click a sign-in button, triggering either a redirect to login.microsoftonline.com or a popup window. After entering credentials and completing any multi-factor authentication, Azure AD returns an ID token and access token to the application.
  • Cookies set:
    • Session cookies on login.microsoftonline.com for maintaining the authentication state during the sign-in flow
    • ESTSAUTH, ESTSAUTHPERSISTENT — Microsoft authentication cookies that maintain SSO state across Microsoft services, enabling seamless sign-in without re-entering credentials
    • buid, fpc — Azure AD cookies for browser and device identification during the login flow
    • First-party session cookies set by the application to maintain the authenticated state after login
  • Token storage: MSAL stores access tokens and refresh tokens in the browser's sessionStorage or localStorage (configurable) to maintain the session and silently refresh tokens without user interaction.
  • No tracking: Azure AD authentication scripts do not track browsing behavior or set advertising cookies. All data processing is related to identity verification and session management.

Consent & Compliance

Microsoft Azure AD falls under the essential consent category.

Under GDPR and ePrivacy, authentication cookies and token storage are strictly necessary for providing the sign-in service explicitly requested by the user. The ePrivacy Directive exempts cookies that are essential for a service the user has asked for. GDPR legal basis is Article 6(1)(b) — processing necessary for the performance of a contract (user account access). The ESTSAUTH cookies on login.microsoftonline.com maintain SSO state and are integral to the authentication flow.

Under CCPA/CPRA, identity data processed during authentication (email, name, directory attributes) is collected to provide the requested sign-in service. This does not constitute a "sale" or "sharing" of personal information for advertising purposes.

Microsoft Entra ID offers data residency options for EU tenants and operates under Microsoft's data processing addendum.

Should You Block This Without Consent?

No. Azure AD is an authentication service that users explicitly invoke to sign into the website. Blocking it would prevent users from logging in and accessing their accounts. All cookies set are directly related to the authentication flow and session management, qualifying as strictly necessary under all major privacy frameworks.

Visit website

Consent Categories

Essential

Also Known As

Microsoft Entra IDAzure Active DirectoryMicrosoft SSOMSALMicrosoft authenticationAzure AD B2C

Industries

Computers Electronics and TechnologyProgramming and Developer Software

Tracked Domains (2)

microsoftonline.comEssential
login.microsoftonline.comEssential

Frequently Asked Questions

Does Microsoft Azure AD require cookie consent?

No. Azure AD, now Microsoft Entra ID, is an authentication service users explicitly invoke. Its cookies — ESTSAUTH, ESTSAUTHPERSISTENT, and session tokens — are strictly necessary for the login service. GDPR Article 6(1)(b) covers this under contract performance; ePrivacy's strictly necessary exemption applies.

What cookies does Microsoft Azure AD set?

ESTSAUTH and ESTSAUTHPERSISTENT on login.microsoftonline.com maintain SSO state across Microsoft services. The buid and fpc cookies support browser identification during login. MSAL stores access and refresh tokens in sessionStorage or localStorage. Scripts load from alcdn.msauth.net; login redirects go to login.microsoftonline.com.

How does ConsentStack treat Microsoft Azure AD?

ConsentStack classifies Azure AD as essential. Because all authentication cookies are strictly necessary for the user-requested sign-in service, ConsentStack does not apply consent gating. The MSAL library and login flows operate without restriction across all consent states, ensuring authenticated access remains uninterrupted.

Other Microsoft Products

Bing Ads
Bing Ads
Microsoft Advertising (Bing Ads) is the advertising platform for search campaigns on Bing, Yahoo, and partner networks. The Universal Event Tracking (UET) tag fires on advertiser sites to record conversions and build remarketing audiences. Data flows into the Microsoft Advertising dashboard for campaign reporting and bid optimization.
Microsoft Advertising UET Tag
Microsoft Advertising UET Tag
Microsoft Advertising UET Tag is the Universal Event Tracking pixel for Microsoft's ad platform, formerly Bing Ads. The JavaScript tag fires on advertiser websites to track page views, conversions, and custom events for campaign optimization. Sets cookies to identify visitors across sessions and attribute conversions to Microsoft Search and Audience Network ad clicks.
Bing Webmaster Tools
Bing Webmaster Tools
Sets a meta tag or BingSiteAuth.xml file to confirm site ownership with Microsoft Bing. The verification asset collects no personal data; Bing then provides search performance, crawl error, and keyword analytics accessible only through authenticated Webmaster Tools dashboard sessions.
LinkedIn
LinkedIn
LinkedIn Insight Tag is a conversion tracking and audience analytics tool for LinkedIn advertising. Scripts set a first-party cookie and send page view and conversion events to LinkedIn's servers. Data supports campaign attribution, demographic reporting on site visitors, and LinkedIn retargeting audience creation.
Microsoft Dynamics 365
Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Power BI
Power BI
Power BI is Microsoft's business intelligence and data visualization platform. Its embedded scripts render interactive dashboards and reports within web pages, loading data visualizations through iframes or JavaScript APIs. Embedded reports may set authentication cookies and make requests to Microsoft's cloud services.
Xandr
Xandr
Xandr scripts serve programmatic display and video ads by placing cookies, collecting audience data, and participating in real-time bidding auctions. Scripts match visitors against audience segments and transmit behavioral data to Microsoft's advertising marketplace for targeting and measurement.

Related Vendors

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Microsoft Azure AD

ConsentStack automatically detects and manages Microsoft Azure AD trackers so your site stays compliant with global privacy regulations.

Get started free