Skip to content
Products
Platform
Developer Tools
Portal

Microsoft Entra ID federation guide

Set up OpenID Connect (OIDC) federation with Microsoft Entra ID (formerly Azure Active Directory). The STACKIT IdP acts as the Relying Party (RP), and your Microsoft Entra ID tenant acts as the Identity Provider (IdP).

Step 0: Create an application

Section titled “Step 0: Create an application”

In order to configure this federation with Entra ID we need the following steps to be completed from your side:

  1. Create Microsoft Application: You need to create the application on Microsoft in order to obtain the required credentials to set up the federation. 
    https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
    When creating the client, the redirect URL’s is 
    https://accounts.stackit.cloud/ui/login/login/externalidp/callback
  2. Token claims: The application will need to configure the token in “Token configuration” with the following claims:
    • Token type: ID
    • Claims checked:
      • email
      • family_name
      • given_name
      • preferred_username
  3. Permissions: In order to retrieve userinfo we will need the following permissions from “API permissions” panel:
    • email
    • profile
    • User.Read
    • openid (usually found in “Other permissions granted for…”)

Step 1: Open a support ticket

Section titled “Step 1: Open a support ticket”

Open a support ticket with the following information:

General information

  • Federation type: OpenID Connect (OIDC)
  • Reason for integration: Brief explanation (for example, “Enable SSO using Entra ID”)
  • Email domains: All primary and secondary email domains your employees use via Entra ID (for example, @example.org and @foobar.com)

OIDC-specific information

Required fieldDescriptionExample input
Client IDID assigned to STACKIT service in your Entra ID application registration in Step 0Application (client) ID
Client secretSecret key generated for the Client IDProvide securely
ScopesRequired permissions (at least openid required)openid email profile
Display name (optional)Internal name for this federation (use snake_case)entra_id_acme_corp

Tenant configuration

Section titled “Tenant configuration”

Specify which type of users will authenticate. This determines the correct issuer endpoint:

Tenant typeYour inputNotes
Tenant ID (preferred)Your Directory (tenant) IDUnique GUID for your organization’s specific tenant, which allows you to specify the preferred policycommon: Allows access to anyone having a Microsoft account.organizations: Only for people with work accounts, but from any business.consumers: Only for personal accounts of Microsoft, from anywhere.

Step 2: Verification

Section titled “Step 2: Verification”

Confirm the federation works and report back to us so or any problem faced.

Changing federation type

Section titled “Changing federation type”

If you have an existing federation using a different protocol and switch to OIDC via Microsoft Entra ID, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.