TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-11-06 20:12:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0a88b27bd097e0cc9b4459b109bb68cf14a67d45
zitadel/docs/docs/guides/integrate/identity-providers/azure-ad.mdx
Silvan e083092605 docs(azure): update tenant id (#5720)
2023-04-20 10:55:19 +02:00

112 lines
5.2 KiB
Plaintext
Raw Blame History

---
title: Configure Azure AD as Identity Provider
sidebar_label: Azure AD
---
import GeneralConfigDescription from './_general_config_description.mdx';
import Intro from './_intro.mdx';
import CustomLoginPolicy from './_custom_login_policy.mdx';
import IDPsOverview from './_idps_overview.mdx';
import TestSetup from './_test_setup.mdx';
import Activate from './_activate.mdx';
<Intro provider="Azure AD"/>
## Azure AD Configuration
You need to have access to an AzureAD Tenant. If you do not yet have one follow [this guide from Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) to create one for free.
### Register a new client
1. Browse to the [App registration menus create dialog](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) to create a new app.
2. Give the application a name and choose who should be able to login (Single-Tenant, Multi-Tenant, Personal Accounts, etc.) This setting will also have an impact on how to configure the provider later on in ZITADEL.
3. Choose "Web" in the redirect uri field and add the URL:
- {your-domain}/ui/login/login/externalidp/callback
- Example redirect url for the domain `https://acme-gzoe4x.zitadel.cloud` would look like this: `https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback`
5. Save the Application (client) ID and the Directory (tenant) ID from the detail page
![Azure App Registration](/img/guides/azure_app_registration.png)
![Azure Client ID and Tenant ID](/img/guides/azure_client_tenant_id.png)
### Add client secret
Generate a new client secret to authenticate your user.
1. Click on client credentials on the detail page of the application or use the menu "Certificates & secrets"
2. Click on "+ New client secret" and enter a description and an expiry date, add the secret afterwards
3. Copy the value of the secret. You will not be able to see the value again after some time
![Azure Client Secret](/img/guides/azure_client_secret.png)
### Token configuration
To allow ZITADEL to get the information from the authenticating user you have to configure what kind of optional claims should be returned in the token.
1. Click on Token configuration in the side menu
2. Click on "+ Add optional claim"
3. Add email, family_name, given_name and preferred_username to the id token
![Azure Token configuration](/img/guides/azure_token_configuration.png)
### API permissions
To be able to get all the information that ZITADEL needs, you have to configure the correct permissions.
1. Go to "API permissions" in the side menu
2. Make sure the permissions include "Microsoft Graph": email, profile and User.Read
3. The "Other permissions granted" should include "Microsoft Graph: openid"
![Azure API permissions](/img/guides/azure_api_permissions.png)
## ZITADEL Configuration
### Add custom login policy
<CustomLoginPolicy/>
### Go to the IdP Providers Overview
<IDPsOverview templates="Microsoft"/>
### Create a new Azure AD Provider
The Microsoft template has everything you need preconfigured.
You only have to add the client ID and secret, you have created in the step before.
You can configure the following settings if you like, a useful default will be filled if you don't change anything:
**Scopes**: The scopes define which scopes will be sent to the provider, `openid`, `profile`, and `email` are prefilled.
This information will be taken to create/update the user within ZITADEL. Make sure to also add `User.Read`. ZITADEL ensures that at least `openid` and `User.Read` scopes are always sent.
**Email Verified**: Azure AD doesn't send the email verified claim in the users token, if you don't enable this setting.
The user is then created with an unverified email, which results in an email verification message.
If you want to avoid that, make sure to enable "Email verified".
In that case, the user is created with a verified email address.
**Tenant Type**: Configure the tenant type according to what you have chosen in the settings of your Azure AD application previously.
- Common: Choose common if you want all Microsoft accounts being able to login.
In this case, configure "Accounts in any organizational directory and personal Microsoft accounts" in your Azure AD App.
- Organizations: Choose organization if you have Azure AD Tenants and no personal accounts. (You have configured either "Accounts in this organization" or "Accounts in any organizational directory" on your Azure APP)
- Consumers: Choose this if you want to allow public accounts. (In your Azure AD App you have configured "Personal Microsoft accounts only")
**Tenant ID**: If you have selected *Tenant ID* as *Tenant Type*, you have to enter the *Directory (Tenant) ID* into the *Tenant ID* field, copied previously from the Azure App configuration.
<GeneralConfigDescription provider_account="Microsoft account" />
![Azure Provider](/img/guides/zitadel_azure_provider2.png)
### Activate IdP
<Activate/>
![Activate Azure AD](/img/guides/zitadel_activate_azure.png)
## Test the setup
<TestSetup loginscreen="your Microsoft login"/>
![Azure AD Button](/img/guides/zitadel_login_azure.png)
![Azure AD Login](/img/guides/microsoft_login.png)
Reference in New Issue View Git Blame Copy Permalink