Configuring OIDC with Azure AD

Configuring Azure AD

Follow the steps described here to configure Fides and Azure Active Directory for login. This will need to be completed in collaboration with the team that manages Azure AD at your organization.

Step-by-step instructions for configuring Azure AD

  1. Sign in to the Azure portal and navigate to "Azure Active Directory" > "App registrations".

  2. Click "New registration" to create a new application registration.

  3. Give your application a name (e.g., "Fides SSO") and select the appropriate account types for your organization.

  4. For the redirect URI, select "Web" and enter: https://<yourfidesdomain.com>/login/azure

  5. Click "Register" to create the application.

  6. From the application overview page, note down the following information:

    • Application (client) ID: This will be your Client ID
    • Directory (tenant) ID: This will be used to construct your authorization and token URLs
  7. Navigate to "Certificates & secrets" in the left menu and create a new client secret:

    • Click "New client secret"
    • Add a description and select an expiration period
    • Copy the generated secret value immediately (you won't be able to see it again)
  8. Configure the required API permissions:

    • Go to "API permissions" in the left menu
    • Click "Add a permission"
    • Select "Microsoft Graph" > "Delegated permissions"
    • Add the following permissions:
      • openid
      • email
      • profile
  9. Construct your authorization and token URLs using your tenant ID:

    • Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    • Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    • Replace <tenant-id> with your actual Directory (tenant) ID
  10. Return to Fides to configure the integration and go to the "Settings > Organization" screen.

  11. Click on "Add SSO Provider"

  12. Fill in the fields using the information from Azure AD:

    • Select Azure from the Provider list.
    • Fill in the identifier with a unique name (e.g., "azure"). This field is case sensitive, so double-check everything before saving.
    • Name the integration. This will show on the Fides login screen to your users when this method is fully configured.
    • Copy the Client ID and Client Secret from Azure AD and paste them in the fields.
    • Enter the Authorization URL you constructed in step 9.
    • Enter the Token URL you constructed in step 9.
    • Click "Save".
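
The following is an added example (not part of Fides or this guide) that builds the step 9 endpoints from a Directory (tenant) ID and checks a provider configuration against the values this page expects; the dictionary shape, the `redirect_uri` key and the sample tenant ID are assumptions, and the GUID check assumes the tenant ID is the Directory (tenant) ID rather than an alias such as "common".

```python
import re
from urllib.parse import urlparse

# Directory (tenant) IDs are GUIDs; aliases like "common" are intentionally rejected
# because step 9 tells you to use the tenant ID copied from the app overview page.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def azure_endpoints(tenant_id: str) -> dict:
    """Return the v2.0 authorization and token URLs for a tenant (step 9)."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be the Directory (tenant) ID GUID")
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0"
    return {"authorization_url": f"{base}/authorize", "token_url": f"{base}/token"}


def check_sso_provider(cfg: dict, tenant_id: str) -> list:
    """Return a list of problems found in a provider config dict (hypothetical shape).

    Keys checked: identifier, client_id, client_secret, authorization_url,
    token_url, redirect_uri. An empty list means the config matches this guide.
    """
    problems = []
    expected = azure_endpoints(tenant_id)
    for key in ("authorization_url", "token_url"):
        if cfg.get(key) != expected[key]:
            problems.append(f"{key} does not match the tenant's v2.0 endpoint")
    ident = cfg.get("identifier", "")
    if not ident or ident != ident.strip():
        # The identifier is compared exactly, so stray whitespace silently breaks login.
        problems.append("identifier is empty or has surrounding whitespace")
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")
    uri = urlparse(cfg.get("redirect_uri", ""))
    if uri.scheme != "https" or uri.path != "/login/azure" or not uri.netloc:
        # Must equal the "Web" redirect URI registered in step 4, byte for byte.
        problems.append("redirect_uri must be https://<fides-domain>/login/azure")
    return problems
```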

You now have Azure AD configured! Add some users so that you can test the integration.

Adding users

In this version of OIDC support, you must still add users from the Fides admin UI. When adding a user who will sign in via Azure AD, set both their username and email to the email address provided by Azure AD. Once you have created users, assign them the appropriate role and they will be able to log in via Azure AD, provided they have the appropriate permissions in your Azure AD organization.

Important Notes

  • Azure AD requires that users have verified email addresses. Users with unverified email addresses will not be able to authenticate.
  • The Azure AD integration requires custom authorization and token URLs that include your tenant ID.
  • Make sure your Azure AD application has the necessary API permissions configured.
  • If you're using Azure AD B2C or a custom domain, the authorization and token URLs may be different. Consult your Azure AD administrator for the correct URLs.