Using MS AD for auth when outline is not publicly accessable

[turbo2ltr]

The intended setup is to have outline hosted on our intranet and not accessible from the outside. If I use Microsoft for authentication, is having the outline install not publicly accessible going to cause an issue?

The two issues I could see is

1. MS won't accept a callback that is not HTTPS. So the outline server would need an SSL cert.
2. If it needs a publicly verifiably cert and not a self signed (as that opens up a whole other can of worms) , then the local server needs to have a FQDN, pointing to a private IP.

I could probably get those done (maybe...I'm not the IT dept). The one question I have is does MS ever talk to outline directly? I don't think so, but I can't find a clear answer. It think all the talking is done from the perspective of the client so in theory, the callback could be a domain that is not publicly accessible but one that would resolve for an internal user, allowing the user to go to the local site, be redirected to microsoft for auth, and then redirected back to the local site, without the browser complaining about self signed certs.
Does that sound correct?

[tommoor]

The one question I have is does MS ever talk to outline directly?

No, but the Outline server does make requests to the Azure API's so would need to be able to access that direction (usually not an issue). On an internal intranet I think generally using self-hosted OIDC or SAML is a more typical option, but still it should work!

[turbo2ltr]

I defaulted to MS because our email and whatnot is managed through them. And for some reason I have permissions to create apps in the portal so I didn't have to talk to IT to get a client ID.

Thank you!