diff --git a/apps/backend/package.json b/apps/backend/package.json
index f25be815f..591816552 100644
--- a/apps/backend/package.json
+++ b/apps/backend/package.json
@@ -62,7 +62,7 @@
 "next": "15.0.3",
 "nodemailer": "^6.9.10",
 "oidc-provider": "^8.5.1",
- "openid-client": "^5.6.4",
+ "openid-client": "5.6.4",
 "oslo": "^1.2.1",
 "posthog-node": "^4.1.0",
 "react": "^19.0.0",
diff --git a/apps/backend/src/oauth/providers/microsoft.tsx b/apps/backend/src/oauth/providers/microsoft.tsx
index cba881473..665bca727 100644
--- a/apps/backend/src/oauth/providers/microsoft.tsx
+++ b/apps/backend/src/oauth/providers/microsoft.tsx
@@ -14,12 +14,17 @@ export class MicrosoftProvider extends OAuthBaseProvider {
 clientSecret: string,
 microsoftTenantId?: string,
 }) {
+ const tenantId = encodeURIComponent(options.microsoftTenantId || "consumers");
 return new MicrosoftProvider(...await OAuthBaseProvider.createConstructorArgs({
- issuer: `https://login.microsoftonline.com${"/" + options.microsoftTenantId || ""}`,
- authorizationEndpoint: `https://login.microsoftonline.com/${options.microsoftTenantId || 'consumers'}/oauth2/v2.0/authorize`,
- tokenEndpoint: `https://login.microsoftonline.com/${options.microsoftTenantId || 'consumers'}/oauth2/v2.0/token`,
+ // Note that it is intentional to have tenantid instead of tenantId, also intentional to not be a template literal. This will be replaced by the openid-client library.
+ // The library only supports azure tenancy with the discovery endpoint but not the manual setup, so we patch it to enable the tenantid replacement.
+ issuer: "https://login.microsoftonline.com/{tenantid}/v2.0",
+ authorizationEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`,
+ tokenEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
 redirectUri: getEnvVariable("NEXT_PUBLIC_STACK_API_URL") + "/api/v1/auth/oauth/callback/microsoft",
- baseScope: "User.Read",
+ baseScope: "User.Read openid",
+ openid: true,
+ jwksUri: `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`,
 ...options,
 }));
 }
diff --git a/package.json b/package.json
index fb7e8cba9..80176564f 100644
--- a/package.json
+++ b/package.json
@@ -76,6 +76,9 @@
 "overrides": {
 "@types/react": "^18.2.0",
 "@types/react-dom": "^18.2.0"
+ },
+ "patchedDependencies": {
+ "openid-client@5.6.4": "patches/openid-client@5.6.4.patch"
 }
 },
 "engines": {
diff --git a/patches/openid-client@5.6.4.patch b/patches/openid-client@5.6.4.patch
new file mode 100644
index 000000000..a1930ea12
--- /dev/null
+++ b/patches/openid-client@5.6.4.patch
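Review bot: The `{tenantid}` issuer template relaxes the ID-token `iss` check even when `microsoftTenantId` is configured to one specific tenant — if openid-client's AAD mode works as its source suggests (expected `iss` is the issuer with `{tenantid}` swapped for the token's own `tid` claim), a token from any tenant satisfies it, and the tenant restriction then rests only on the tenant-scoped authorize/token endpoints rather than on token validation. When a concrete tenant is configured the issuer can be pinned and the placeholder kept only for the multi-tenant aliases, e.g. `const isTenantAlias = ["common", "organizations", "consumers"].includes(options.microsoftTenantId || "consumers");` and `issuer: isTenantAlias ? "https://login.microsoftonline.com/{tenantid}/v2.0" : "https://login.microsoftonline.com/" + tenantId + "/v2.0",`. The two `// Note …` comments should also name `patches/openid-client@5.6.4.patch` as the thing that makes the non-template string work, since nothing else in this file explains it. The enclosing factory method starts before this hunk.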
@@ -0,0 +1,13 @@
+diff --git a/lib/issuer.js b/lib/issuer.js
+index 3329e889fd3e3e8ddb3b0482675fe9610c675311..6cc55b1183b4fcff0306a78521b4daff35bec863 100644
+--- a/lib/issuer.js
++++ b/lib/issuer.js
+@@ -31,7 +31,7 @@ const ISSUER_DEFAULTS = {
+ class Issuer {
+ #metadata;
+ constructor(meta = {}) {
+- const aadIssValidation = meta[AAD_MULTITENANT];
++ const aadIssValidation = true;
+ delete meta[AAD_MULTITENANT];
+ ['introspection', 'revocation'].forEach((endpoint) => {
+ // if intro/revocation endpoint auth specific meta is missing use the token ones if they
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index c1a110c3f..38a494876 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -8,6 +8,11 @@ overrides: '@types/react': ^18.2.0 '@types/react-dom': ^18.2.0 +patchedDependencies: + openid-client@5.6.4: + hash: 2gg7ly76yaettle5dlvkpcfpny + path: patches/openid-client@5.6.4.patch + importers: .: @@ -169,8 +174,8 @@ importers: specifier: ^8.5.1 version: 8.5.1 openid-client: - specifier: ^5.6.4 - version: 5.6.5 + specifier: 5.6.4 + version: 5.6.4(patch_hash=2gg7ly76yaettle5dlvkpcfpny) oslo: specifier: ^1.2.1 version: 1.2.1 @@ -9523,8 +9528,8 @@ packages: resolution: {integrity: sha512-ur5UIdyw5Y7yEj9wLzhqXiy6GZ3Mwx0yGI+5sMn2r0N0v3cKJvUmFH5yPP+WXh9e0xfyzyJX95D8l088DNFj7A==} hasBin: true - openid-client@5.6.5: resolution: {integrity: sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==} + openid-client@5.6.4: resolution: {integrity: sha512-T1h3B10BRPKfcObdBklX639tVz+xh34O7GjofqrqiAQdm7eHsQ00ih18x6wuJ/E6FxdtS2u3FmUGPDeEcMwzNA==} optionator@0.9.4: resolution: {integrity: sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==} @@ -18583,7 +18588,7 @@ snapshots: execa@5.1.1: dependencies: - cross-spawn: 7.0.3 + cross-spawn: 7.0.5 get-stream: 6.0.1 human-signals: 2.1.0 is-stream: 2.0.1
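Review bot: Hard-coding `const aadIssValidation = true;` switches on the Azure AD `{tenantid}` issuer substitution for every `Issuer` this process constructs, not only the Microsoft one, so any other provider whose issuer metadata happened to contain `{tenantid}` would have its `iss` check relaxed as well. An opt-in key keeps the blast radius to the caller that asks for it: `const aadIssValidation = meta[AAD_MULTITENANT] || meta.aadIssValidation === true;` followed by `delete meta.aadIssValidation;` (mirroring the existing `delete meta[AAD_MULTITENANT]`), with the Microsoft provider then passing `aadIssValidation: true` — assuming `createConstructorArgs` forwards extra issuer metadata, which is not visible here. A leading comment in the patch file (pnpm keeps it verbatim) saying why the library's discovery path was not usable would stop the next maintainer from dropping the patch on the next upgrade. Note also that the pin moves the lockfile from 5.6.5 back to an exact 5.6.4, so any future openid-client security release will need the patch re-based before it can be picked up.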
@@ -21016,7 +21021,7 @@ snapshots: opener@1.5.2: {} - openid-client@5.6.5: + openid-client@5.6.4(patch_hash=2gg7ly76yaettle5dlvkpcfpny): dependencies: jose: 4.15.5 lru-cache: 6.0.0