Configuring OIDC with Microsoft Entra ID

Configuring Microsoft Entra ID

Follow the steps described here to configure Fides and Microsoft Entra ID for login. This will need to be completed in collaboration with the team that manages Microsoft Entra ID at your organization.

Step by step instructions for configuring Microsoft Entra ID

  1. Sign in to the Azure portal and navigate to "Microsoft Entra ID" > "App registrations".

  2. Click "New registration" to create a new application registration.

  3. Give your application a name (e.g., "Fides SSO") and select the appropriate account types for your organization.

  4. For the redirect URI, select "Web" and enter: https://<yourfidesdomain.com>/login/azure

  5. Click "Register" to create the application.

  6. From the application overview page, note down the following information:

    • Application (client) ID: This will be your Client ID
    • Directory (tenant) ID: This will be used to construct your authorization and token URLs
  7. Navigate to "Certificates & secrets" in the left menu and create a new client secret:

    • Click "New client secret"
    • Add a description and select an expiration period
    • Copy the generated secret value immediately (you won't be able to see it again)
  8. Configure the required API permissions:

    • Go to "API permissions" in the left menu
    • Click "Add a permission"
    • Select "Microsoft Graph" > "Delegated permissions"
    • Add the following permissions:
      • openid
      • email
      • profile
  9. Construct your authorization and token URLs using your tenant ID:

    • Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    • Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    • Replace <tenant-id> with your actual Directory (tenant) ID
  10. Return to Fides to configure the integration and go to the "Settings > Organization" screen.

  11. Click on "Add SSO Provider"

  12. Fill in the fields using the information from Microsoft Entra ID:

    • Select Azure from the Provider list.
    • Fill in the identifier with a unique name (e.g., "azure"). This field is case-sensitive, so double-check it before saving.
    • Name the integration. This will show on the Fides login screen to your users when this method is fully configured.
    • Copy the Client ID and Client Secret from Microsoft Entra ID and paste them in the fields.
    • Enter the Authorization URL you constructed in step 9.
    • Enter the Token URL you constructed in step 9.
    • Click "Save".
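The values gathered in steps 6 through 12 are easy to mistype, and a wrong tenant ID or redirect URI only fails at the first login attempt. The following pre-flight checker is an added example, not part of Fides or of this page: it builds the authorization and token URLs from a tenant ID exactly as step 9 describes and then checks the shape of everything entered into the "Add SSO Provider" form (GUID-formatted client and tenant IDs, the expected URL pattern, an HTTPS redirect URI ending in /login/azure, and the three delegated permissions from step 8). The sample tenant, client ID and secret are constructed placeholders, and the dictionary keys are assumptions used only by this script; nothing here contacts Microsoft or Fides.

```python
"""Pre-flight checks for a Fides + Microsoft Entra ID SSO provider entry.

Constructed helper, not Fides code. It only validates the shapes of the values
described in the setup steps; it makes no network calls.
"""
import uuid
from urllib.parse import urlparse

LOGIN_BASE = "https://login.microsoftonline.com"
REQUIRED_SCOPES = ("openid", "email", "profile")  # delegated permissions from step 8


def is_guid(value: str) -> bool:
    """True only for a canonical hyphenated GUID, which is what the portal shows."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def entra_endpoints(tenant_id: str) -> dict:
    """Build the v2.0 authorization and token URLs for a tenant (step 9)."""
    if not is_guid(tenant_id):
        raise ValueError(f"tenant id is not a GUID: {tenant_id!r}")
    base = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0"
    return {"authorization_url": f"{base}/authorize", "token_url": f"{base}/token"}


def check_redirect_uri(uri: str) -> list:
    """Step 4: the redirect URI must be https://<fides host>/login/azure."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append("redirect URI must use https")
    if not parsed.netloc:
        problems.append("redirect URI has no host")
    if parsed.path != "/login/azure":
        problems.append("redirect URI path must be /login/azure")
    if "<" in uri or ">" in uri:
        problems.append("redirect URI still contains a placeholder")
    return problems


def check_sso_provider(config: dict) -> list:
    """Return the problems found in a provider form; an empty list means it looks right."""
    problems = []
    if config.get("provider") != "azure":
        problems.append("provider must be 'azure'")
    ident = config.get("identifier", "")
    if not ident or ident != ident.strip():
        problems.append("identifier must be non-empty without surrounding whitespace")
    if not is_guid(config.get("client_id", "")):
        problems.append("client id is not a GUID")
    secret = config.get("client_secret", "")
    if not secret or secret != secret.strip():
        problems.append("client secret is empty or was pasted with stray whitespace")
    tenant = config.get("tenant_id", "")
    if is_guid(tenant):
        expected = entra_endpoints(tenant)
        for key in ("authorization_url", "token_url"):
            if config.get(key) != expected[key]:
                problems.append(f"{key} does not match {expected[key]}")
    else:
        problems.append("tenant id is not a GUID")
    problems += check_redirect_uri(config.get("redirect_uri", ""))
    for scope in REQUIRED_SCOPES:
        if scope not in config.get("scopes", ()):
            problems.append(f"missing delegated permission {scope}")
    return problems


# Constructed sample values; not a real tenant, application or secret.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CONFIG = {
    "provider": "azure",
    "identifier": "azure",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value",
    "tenant_id": SAMPLE_TENANT,
    **entra_endpoints(SAMPLE_TENANT),
    "redirect_uri": "https://fides.example.com/login/azure",
    "scopes": REQUIRED_SCOPES,
}

if __name__ == "__main__":
    for line in check_sso_provider(SAMPLE_CONFIG) or ["no problems found"]:
        print(line)
```

Run it against the values you are about to paste into Fides; a leftover `<tenant-id>` placeholder or an `http://` redirect URI shows up as a named problem before anything is saved. The whitespace checks exist because secrets copied from the portal often pick up a trailing newline, which produces an opaque authentication failure later.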

You now have Microsoft Entra ID configured! Add some users so that you can test the integration.

Adding users

In this version of OIDC support, you must still add users from the Fides admin UI. When adding a user who will sign in via Microsoft Entra ID, set both their username and email to the email address that Microsoft Entra ID provides for them. Once you have created users, assign them the appropriate role and they will be able to log in via Microsoft Entra ID, provided they have the appropriate permissions in your Microsoft Entra ID organization.

Important Notes

  • Microsoft Entra ID requires that users have verified email addresses. Users with unverified email addresses will not be able to authenticate.
  • The Microsoft Entra ID integration requires custom authorization and token URLs that include your tenant ID.
  • Make sure your Microsoft Entra ID application has the necessary API permissions configured.
  • If you're using Microsoft Entra ID B2C or a custom domain, the authorization and token URLs may be different. Consult your Microsoft Entra ID administrator for the correct URLs.