Microsoft Azure (OIDC - OpenID Connect)


Microsoft Azure (OIDC - OpenID Connect) - Getting Started

This document covers setting up Microsoft Azure (Microsoft Entra ID) as an OpenID Connect (OIDC) identity provider and connecting it to ZITADEL.


Microsoft Azure (OIDC - OpenID Connect) - Setup

  1. Log in to the Azure Portal (https://portal.azure.com)

  2. Azure services > select Microsoft Entra ID

  3. Click on App Registrations

  4. Click on New Registration

    a. Name the application

    b. Select 'Accounts in this organizational directory only (Default Directory only - Single Tenant)'

    c. Select Web and add the web redirect (sign-on) URL: {your-domain}/ui/login/login/externalidp/callback

    d. Register

  5. Once the application is registered, go to API permissions > Add a permission and add the delegated permissions email, offline_access, openid and profile

  6. Grant admin consent

  7. Copy the Client ID

  8. Click on Certificates & secrets

    a. Create a new client secret and copy its value

  9. Copy the highlighted part for the issuer (the tenant-specific OpenID Connect metadata document URL, entered under Zitadel Configuration below)


Zitadel Configuration

https://authprod.myconnectsecure.com

  1. Add a custom login policy

  2. Go to the Settings

  3. Modify your login policy in the menu "Login Behavior and Security."

  4. Enable the attribute "External IDP allowed."

Go to the IDP Providers Overview

Go to the settings page of your instance or organization and choose ‘Identity Providers’

Select Generic OIDC

  • Name: e.g. Azure_open_Id

  • Issuer: the OpenID Connect metadata document URL copied in the last Azure setup step, here https://login.microsoftonline.com/be659486-c3d1-4ec8-9607-d70540561d0c/v2.0

  • Client-ID: paste the Client ID copied from the Azure portal

  • Client secret: paste the client secret value copied from the Azure portal

  • Tenant Type: Configure the tenant type according to what you have chosen in your Azure AD application settings.

    • Common: Choose common if you want all Microsoft accounts to be able to log in. Configure "Accounts in any organizational directory and personal Microsoft accounts" in your Azure AD App.

    • Organizations: Choose Organizations if you have Azure AD tenants and no personal accounts. (You have configured either "Accounts in this organizational directory only" or "Accounts in any organizational directory" on your Azure app.)

    • Consumers: Choose this if you want to allow public accounts. (In your Azure AD App, you have configured "Personal Microsoft accounts only.")

  • Tenant ID: If you selected Tenant ID as Tenant Type, you must enter the Directory (Tenant) ID into the Tenant ID field, which was copied previously from the Azure App configuration.

  • Scopes: openid, profile and email are preconfigured

  • Automatic Creation: If this setting is enabled, the user will be created automatically within ZITADEL if it doesn't exist.

  • Automatic Update: If this setting is enabled, the user will be updated within ZITADEL if some user data is changed within the provider. For example, if the last name changes on the Azure account, the information will be changed on the ZITADEL account on the next login.

  • Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.

  • Account linking allowed: This setting determines whether account linking is allowed. When logging in with a Microsoft Azure OIDC account, a linkable ZITADEL account must already exist.
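The values collected in the Azure setup and entered in the Generic OIDC form above must agree with each other and with what the tenant's discovery document advertises. The following check is an added example, not part of this guide or of ZITADEL; SAMPLE_DISCOVERY is a constructed stand-in for the document Azure serves at {issuer}/.well-known/openid-configuration, and the tenant GUID in it is a placeholder.

```python
"""Pre-flight consistency check for the Azure -> ZITADEL Generic OIDC settings.
Added example; SAMPLE_DISCOVERY is constructed, not fetched from Azure."""
import json
import re
from urllib.parse import urlparse

TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant GUID, not the guide's
SAMPLE_DISCOVERY = json.dumps({   # constructed, trimmed to the fields checked below
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})
REQUIRED_SCOPES = {"openid", "profile", "email", "offline_access"}   # delegated permissions from the guide
CALLBACK_PATH = "/ui/login/login/externalidp/callback"               # ZITADEL callback path from the guide
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

def check_idp_config(issuer, redirect_uri, discovery_json, tenant_id=None):
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems = []
    doc = json.loads(discovery_json)
    # The configured issuer must equal the discovery 'issuer' byte for byte: a trailing
    # slash or a missing '/v2.0' is enough to make ID-token issuer validation fail.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, discovery says {doc.get('issuer')!r}")
    # The guide uses the tenant-specific v2.0 issuer; its GUID must be the Tenant ID
    # entered in ZITADEL when Tenant Type is 'Tenant ID'.
    m = re.fullmatch(rf"https://login\.microsoftonline\.com/({GUID})/v2\.0", issuer)
    if not m:
        problems.append("issuer is not of the form https://login.microsoftonline.com/<tenant-guid>/v2.0")
    elif tenant_id and m.group(1) != tenant_id.lower():
        problems.append(f"tenant ID {tenant_id} does not match the tenant in the issuer")
    # Endpoints needed for the authorization code flow and token validation, all over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Scopes ZITADEL requests must be advertised by the IdP (and granted as delegated permissions).
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised by IdP: {sorted(missing)}")
    # The redirect URI registered in Azure must be HTTPS, end in the ZITADEL callback path and
    # carry no query or fragment, so the authorization response can only land on that endpoint.
    u = urlparse(redirect_uri)
    if u.scheme != "https" or u.path != CALLBACK_PATH or u.query or u.fragment:
        problems.append(f"redirect URI must be https://<your-domain>{CALLBACK_PATH}, got {redirect_uri!r}")
    return problems
```

Run check_idp_config with the issuer, redirect URI and tenant ID you entered and the real discovery document in place of SAMPLE_DISCOVERY; any string in the returned list names a setting to correct before testing the login.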


Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login
