Skip to content

website/docs: add entra id scim source #17357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Oct 9, 2025
Merged

website/docs: add entra id scim source #17357

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
51d639a
Create directories, oauth, scim and overview docs
dewi-tik Oct 9, 2025
99da239
Minor changes to overview
dewi-tik Oct 9, 2025
edeb5b7
Update sidebar and complete docs
dewi-tik Oct 9, 2025
597288c
Update website/docs/users-sources/sources/social-logins/entra-id/scim…
dewi-tik Oct 9, 2025
1072635
Update website/docs/users-sources/sources/social-logins/entra-id/scim…
dewi-tik Oct 9, 2025
c75b020
Apply suggestions
dewi-tik Oct 9, 2025
7e05cb1
Fix table of contents
dewi-tik Oct 9, 2025
d2c8ddf
Merge remote-tracking branch 'origin/main' into website/docs--add-ent…
dewi-tik Oct 9, 2025
77735d8
Language change
dewi-tik Oct 9, 2025
921ffcd
Language change
dewi-tik Oct 9, 2025
38676fb
Apply dominic's suggestions
dewi-tik Oct 9, 2025
b2de9b8
Update website/docs/users-sources/sources/social-logins/entra-id/oaut…
dewi-tik Oct 9, 2025
ca2f9e8
Apply suggestions from code review
dewi-tik Oct 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion website/docs/sidebar.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -553,8 +553,19 @@ const items = [
},
items: [
"users-sources/sources/social-logins/apple/index",
"users-sources/sources/social-logins/entra-id/index",
"users-sources/sources/social-logins/discord/index",
{
type: "category",
label: "Entra ID",
link: {
type: "doc",
id: "users-sources/sources/social-logins/entra-id/index",
},
items: [
"users-sources/sources/social-logins/entra-id/oauth/index",
"users-sources/sources/social-logins/entra-id/scim/index",
],
},
"users-sources/sources/social-logins/facebook/index",
"users-sources/sources/social-logins/github/index",
{
Expand Down
98 changes: 12 additions & 86 deletions website/docs/users-sources/sources/social-logins/entra-id/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,99 +1,25 @@
---
title: Entra ID
support_level: community
title: Entra ID Identity Providers
sidebar_label: Entra ID
tags:
- source
- entra
- azure
- active-directory
- scim
- oauth
---

## Preparation
Entra ID provides several services that can be integrated with authentik:

The following placeholders are used in this guide:
- **OAuth integration** allows users to sign into authentik using their Entra ID credentials. Accounts and groups are created upon first login.
- **SCIM integration** provisions users and groups from Entra ID to authentik.
- Optionally, both integrations can be used in conjunction so that users and groups are provisioned before a user signs in using their Entra ID credentials. This is the recommended setup for organizations with large numbers of users and groups.

- `authentik.company` is the FQDN of the authentik install.
## OAuth

## Entra ID configuration
The [Entra ID OAuth](./oauth/index.mdx) guide explains how to set up OAuth 2.0 as an authentication method between Entra ID and authentik.

1. Log in to [Entra ID](https://entra.microsoft.com) using a [global administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator) account.
2. Navigate to **Applications** > **App registrations**.
3. Click **New registration** and set the following required configurations:
- **Name**: provide a descriptive name (e.g. `authentik`).
- Under **Supported account types**: select the account type that applies to your use-case (e.g. `Accounts in this organizational directory only (Default Directory only - Single tenant)`).
- Under **Redirect URI**:
- **Platform**: `Web`
- **URI**: `https://authentik.company/source/oauth/callback/entra-id/
## SCIM

4. Click **Register**. Once the registration is complete, the **Overview** tab of the newly created authentik app will open. Take note of the `Application (client) ID`. If you selected `Accounts in this organizational directory only (Default Directory only - Single tenant)` as the **Supported account types**, also note the `Directory (tenant) ID`. These values will be needed later when configuring authentik.
5. In the leftmost sidebar, navigate to **Certificates & secrets**.
6. Select the **Client secrets** tab and click **New Secret**. Configure the following required settings:
- **Description**: provide a description for the secret (e.g. `authentik secret`.
- **Expires**: choose an expiration period. As authentik does not yet support automatic secret rotation, either manual rotation or API-based updates are required. As a result, a duration of at least 12 months is recommended.
7. Copy the secret's value from the **Value** column.

:::info
The secret value is only displayed once at the time of creation. Make sure to copy and store it securely, as it cannot be retrieved later.
:::

8. In the sidebar, navigate to **API Permissions**, then click **Add a permission** and select **Microsoft Graph** as the API.
9. Select **Delegated permissions** as the permission type and assign the following permissions:
- Under **OpenID Permissions**: select `email`, `profile`, and `openid`.
- Under **Group Member** _(optional)_: if you need authentik to sync group membership information from Entra ID, select the `GroupMember.Read.All` permission.
10. Click **Add permissions**.
11. _(optional)_ If the `GroupMember.Read.All` permission has been selected, under **Configured permissions**, click **Grant admin consent for default directory**.

## authentik configuration

To support the integration of Entra ID with authentik, you need to create an Entra ID OAuth source in authentik.

### Create Entra ID OAuth source

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Federation and Social login**, click **Create**, and then configure the following settings:
- **Select type**: select **Entra ID OAuth Source** as the source type.
- **Create Entra ID OAuth Source**: provide a name, a slug which must match the slug used in the Entra ID `Redirect URI`, and the following required configurations:
- Under **Protocol Settings**:
- **Consumer key**: `Application (client) ID` from Entra ID.
- **Consumer secret**: value of the secret created in Entra ID.
- **Scopes**_(optional)_: if you need authentik to sync group membership information from Entra ID, add the `https://graph.microsoft.com/GroupMember.Read.All` scope.
- Under **URL Settings**:
- For **Single tenant** Entra ID applications:
- **Authorization URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/oauth2/v2.0/authorize`
- **Access token URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/oauth2/v2.0/token`
- **Profile URL**: `https://graph.microsoft.com/v1.0/me`
- **OIDC JWKS URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/discovery/v2.0/keys`
- For **Multi tenant** Entra ID applications:
- **Authorization URL**: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
- **Access token URL**: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
- **Profile URL**: `https://graph.microsoft.com/v1.0/me`
- **OIDC JWKS URL**: `https://login.microsoftonline.com/common/discovery/v2.0/keys`

3. Click **Save**.

:::info
When group membership information is synced from Entra ID, authentik creates all groups that a user is a member of.
:::

:::info
For instructions on how to display the new source on the authentik login page, refer to the [Add sources to default login page documentation](../../index.md#add-sources-to-default-login-page).
:::

### Machine-to-machine authentication :ak-version[2024.12]

If using [Machine-to-Machine](../../../../add-secure-apps/providers/oauth2/client_credentials.mdx#jwt-authentication) authentication, some specific steps need to be considered.

When getting the JWT token from Entra ID, set the scope to the **Application ID URI**, and _not_ the Graph URL; otherwise the JWT will be in an invalid format.

```http
POST /<entra_tenant_id>/oauth2/v2.0/token/ HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=<application_client_id>&
scope=api://<application_client_id>/.default&
client_secret=<application_client_secret>
```

The JWT returned from the request above can be used in authentik and exchanged for an authentik JWT.
The [Entra ID SCIM](./scim/index.mdx) guide explains how you can provision users and groups from Entra ID into authentik via SCIM.
118 changes: 118 additions & 0 deletions website/docs/users-sources/sources/social-logins/entra-id/oauth/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
---
title: Entra ID OAuth
tags:
- source
- entra
- azure
- active-directory
- oauth
---

Allows users to authenticate using their Entra ID credentials.

## Preparation

The following placeholders are used in this guide:

- `authentik.company` is the FQDN of the authentik install.

## Entra ID configuration

To integrate Entra ID with authentik you will need to create an App Registration in the Entra ID portal.

1. Log in to [Entra ID](https://entra.microsoft.com) using a [global administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator) account.
2. Navigate to **Applications** > **App registrations**.
3. Click **New registration** and set the following required configurations:
- **Name**: provide a descriptive name (e.g. `authentik`).
- Under **Supported account types**: select the account type that applies to your use-case (e.g. `Accounts in this organizational directory only (Default Directory only - Single tenant)`).
- Under **Redirect URI**:
- **Platform**: `Web`
- **URI**: `https://authentik.company/source/oauth/callback/entra-id/`

4. Click **Register**. Once the registration is complete, the **Overview** tab of the newly created authentik app will open. Take note of the `Application (client) ID`. If you selected `Accounts in this organizational directory only (Default Directory only - Single tenant)` as the **Supported account types**, also note the `Directory (tenant) ID`. These values will be needed later when configuring authentik.
5. In the leftmost sidebar, navigate to **Certificates & secrets**.
6. Select the **Client secrets** tab and click **New Secret**. Configure the following required settings:
- **Description**: provide a description for the secret (e.g. `authentik secret`).
- **Expires**: choose an expiration period. As authentik does not yet support automatic secret rotation, either manual rotation or API-based updates are required. As a result, a duration of at least 12 months is recommended.
7. Copy the secret's value from the **Value** column.

:::info
The secret value is only displayed once at the time of creation. Make sure to copy and store it securely, as it cannot be retrieved later.
:::

8. In the sidebar, navigate to **API Permissions**, then click **Add a permission** and select **Microsoft Graph** as the API.
9. Select **Delegated permissions** as the permission type and assign the following permissions:
- Under **OpenID Permissions**: select `email`, `profile`, and `openid`.
- Under **User**: select `User.Read`.
- Under **Group Member** _(optional)_: if you need authentik to sync group membership information from Entra ID, select the `GroupMember.Read.All` permission.
10. Click **Add permissions**.
11. Under **Configured permissions**, click **Grant admin consent for default directory**.

## authentik configuration

To support the integration of Entra ID with authentik, you need to create an Entra ID OAuth source in authentik.

### Create Entra ID OAuth source
Copy link
Contributor

@tanberry tanberry Oct 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If time now great, if not in a future PR, but because the process of creating an OAuth source for Entra, or any other provider, is so different from one another, we should link to each different process from the OAuth Source "home page" at /users-sources/sources/protocols/oauth/. Because we can't really have a section there called "Cretae an OAuth source"... but we can link to the process under each of the specific sources section.


1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Federation and Social login**, click **Create**, and then configure the following settings:
- **Select type**: select **Entra ID OAuth Source** as the source type.
- **Create Entra ID OAuth Source**: provide a name, a slug which must match the slug used in the Entra ID `Redirect URI`, and the following required configurations:
- Under **Protocol Settings**:
- **Consumer key**: `Application (client) ID` from Entra ID.
- **Consumer secret**: value of the secret created in Entra ID.
- **Scopes** _(optional)_: if you need authentik to sync group membership information from Entra ID, add the `https://graph.microsoft.com/GroupMember.Read.All` scope.
- Under **URL Settings**:
- For **Single tenant** Entra ID applications:
- **Authorization URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/oauth2/v2.0/authorize`
- **Access token URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/oauth2/v2.0/token`
- **Profile URL**: `https://graph.microsoft.com/v1.0/me`
- **OIDC JWKS URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/discovery/v2.0/keys`
- For **Multi tenant** Entra ID applications:
- **Authorization URL**: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
- **Access token URL**: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
- **Profile URL**: `https://graph.microsoft.com/v1.0/me`
- **OIDC JWKS URL**: `https://login.microsoftonline.com/common/discovery/v2.0/keys`

3. Click **Save**.

:::info Group Membership
When group membership information is synced from Entra ID, authentik creates all groups that a user is a member of. This sync process is carried out upon each user login which can cause login delays for organizations with large numbers of groups.

For organizations with larger numbers of users and groups, we recommend using the [Entra ID SCIM integration](../oauth/) to provision users and groups. These users are then automatically linked to matching users logging in via this Entra ID OAuth source.
:::

:::info Display new source on login screen
For instructions on how to display the new source on the authentik login page, refer to the [Add sources to default login page documentation](../../../index.md#add-sources-to-default-login-page).
:::

:::info Embed new source in flow :ak-enterprise
For instructions on embedding the new source within a flow, such as an authorization flow, refer to the [Source Stage documentation](../../../../../../add-secure-apps/flows-stages/stages/source).
:::

### Machine-to-machine authentication :ak-version[2024.12]

If using [Machine-to-Machine](../../../../../add-secure-apps/providers/oauth2/client_credentials.mdx#jwt-authentication) authentication, some specific steps need to be considered.

When getting the JWT token from Entra ID, set the scope to the **Application ID URI**, and _not_ the Graph URL; otherwise the JWT will be in an invalid format.

```http
POST /<entra_tenant_id>/oauth2/v2.0/token/ HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=<application_client_id>&
scope=api://<application_client_id>/.default&
client_secret=<application_client_secret>
```

The JWT returned from the request above can be used in authentik and exchanged for an authentik JWT.

## Source property mappings

Source property mappings allow you to modify or gather extra information from sources. See the [overview](../../../property-mappings/index.md) for more information.

## Resources

- [Entra ID Documentation - Register an application in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
Loading
Loading