Configure Azure AD as Identity Provider

This guides shows you how to connect Azure AD as an identity provider in ZITADEL.

info

In ZITADEL you can connect an Identity Provider (IdP) like Azure AD to your instance and provide it as default to all organizations. Also, you can register the IdP to a specific organization only. If you allow so, your organizations members can do the same in self-service.

Azure AD Configuration

You need to have access to an AzureAD Tenant. If you do not yet have one follow this guide from Microsoft to create one for free.

Register a new client

1. Browse to the App registration menus create dialog to create a new app.
2. Give the application a name and choose who should be able to login (Single-Tenant, Multi-Tenant, Personal Accounts, etc.) This setting will also have an impact on how to configure the provider later on in ZITADEL.
3. Choose "Web" in the redirect uri field and add the URL:

• {your-domain}/ui/login/login/externalidp/callback
• Example redirect url for the domain https://acme-gzoe4x.zitadel.cloud would look like this: https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback

5. Save the Application (client) ID and the Directory (tenant) ID from the detail page

Add client secret

Generate a new client secret to authenticate your user.

1. Click on client credentials on the detail page of the application or use the menu "Certificates & secrets"
2. Click on "+ New client secret" and enter a description and an expiry date, add the secret afterwards
3. Copy the value of the secret. You will not be able to see the value again after some time

Token configuration

To allow ZITADEL to get the information from the authenticating user you have to configure what kind of optional claims should be returned in the token.

1. Click on Token configuration in the side menu
2. Click on "+ Add optional claim"
3. Add email, family_name, given_name and preferred_username to the id token

API permissions

To be able to get all the information that ZITADEL needs, you have to configure the correct permissions.

1. Go to "API permissions" in the side menu
2. Make sure the permissions include "Microsoft Graph": email, profile and User.Read
3. The "Other permissions granted" should include "Microsoft Graph: openid"

ZITADEL Configuration

Add custom login policy

The login policy can be configured on two levels. Once as default on the instance and this can be overwritten for each organization. The only difference is where you configure it. Go either to the settings page of a specific organization or to the settings page of your instance. Instance: $YOUR-DOMAIN/ui/console/settings?id=general Organization: Choose the organization in the menu and go to $YOUR-DOMAIN/ui/console/org-settings?id=login

1. Go to the Settings
2. Modify your login policy in the menu "Login Behavior and Security"
3. Enable the attribute "External IDP allowed"

Go to the IdP Providers Overview

Go to the settings page of your instance or organization and choose "Identity Providers".

In the table you can see all the providers you have configured. Also, you see all provider templates that are available.

Select the Microsoft Provider template.

Create a new Azure AD Provider

The Microsoft template has everything you need preconfigured. You only have to add the client ID and secret, you have created in the step before.

You can configure the following settings if you like, a useful default will be filled if you don't change anything:

Scopes: The scopes define which scopes will be sent to the provider, openid, profile, and email are prefilled. This information will be taken to create/update the user within ZITADEL. Make sure to also add User.Read. ZITADEL ensures that at least openid and User.Read scopes are always sent.

Email Verified: Azure AD doesn't send the email verified claim in the users token, if you don't enable this setting. The user is then created with an unverified email, which results in an email verification message. If you want to avoid that, make sure to enable "Email verified". In that case, the user is created with a verified email address.

Tenant Type: Configure the tenant type according to what you have chosen in the settings of your Azure AD application previously.

• Common: Choose common if you want all Microsoft accounts being able to login. In this case, configure "Accounts in any organizational directory and personal Microsoft accounts" in your Azure AD App.
• Organizations: Choose organization if you have Azure AD Tenants and no personal accounts. (You have configured either "Accounts in this organization" or "Accounts in any organizational directory" on your Azure APP)
• Consumers: Choose this if you want to allow public accounts. (In your Azure AD App you have configured "Personal Microsoft accounts only")

Tenant ID: If you have selected Tenant ID as Tenant Type, you have to enter the Directory (Tenant) ID into the Tenant ID field, copied previously from the Azure App configuration.

Automatic creation: If this setting is enabled the user will be created automatically within ZITADEL, if it doesn't exist.

Automatic update: If this setting is enabled, the user will be updated within ZITADEL, if some user data is changed withing the provider. E.g if the lastname changes on the Microsoft account, the information will be changed on the ZITADEL account on the next login.

Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.

Account linking allowed: This setting determines if account linking is allowed. When logging in with a Microsoft account, a linkable ZITADEL account has to exist already.

info

Either account creation or account linking have to be enabled. Otherwise, the provider can't be used.

Activate IdP

Once you created the provider, it is listed in the providers overview. Activate it by selecting the tick with the tooltip set as available.

Test the setup

To test the setup, use incognito mode and browse to your login page. You see a new button which redirects you to your Microsoft login screen.

By default, ZITADEL shows what you define in the instance settings. If you overwrite the instance settings for an organization, you need to send the organization scope in your auth request.

The organization scope looks like this: urn:zitadel:iam:org:id:{id}. You can read more about the reserved scopes or use the ZITADEL OIDC Playground to see what happens with the login when you send different scopes.