Microsoft Entra ID custom OIDC federation guide

Set up a custom OpenID Connect (OIDC) federation with Microsoft Entra ID (formerly Azure Active Directory). The STACKIT IdP acts as the Relying Party (RP), and your Microsoft Entra ID tenant acts as the Identity Provider (IdP).

For most Microsoft Entra ID customers, the recommended path is the Microsoft Entra ID Enterprise App (Preview). Use this guide only if you need a custom Microsoft Entra ID application or can’t use the Enterprise App yet.

Step 0: Create an application

To configure this federation with Entra ID, complete the following steps:

1. Create Microsoft Application: You need to create the application on Microsoft in order to obtain the required credentials to set up the federation.

   https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

   When creating the client, the redirect URL’s is

   https://accounts.stackit.cloud/ui/login/login/externalidp/callback

2. Token claims: The application will need to configure the token in “Token configuration” with the following claims:
   • Token type: ID
   • Claims checked:
     • email
     • family_name
     • given_name
     • preferred_username
3. Permissions: In order to retrieve userinfo we will need the following permissions from “API permissions” panel:
   • email
   • profile
   • User.Read
   • openid (usually found in “Other permissions granted for…”)

Step 1: Open a support ticket

Open a support ticket with the following information:

General information

• Federation type: OpenID Connect (OIDC)
• Reason for integration: Brief explanation (for example, “Enable SSO using Entra ID”)
• Email domains: All primary and secondary email domains your employees use with Entra ID (for example, @example.org and @foobar.com)

OIDC-specific information

Required field	Description	Example input
Client ID	ID assigned to STACKIT service in your Entra ID application registration in Step 0	Application (client) ID
Client secret	Secret key generated for the Client ID	Provide securely
Scopes	Required permissions (at least openid required)	openid email profile
Display name (optional)	Internal name for this federation (use lowercase words separated by underscores)	entra_id_acme_corp

Tenant configuration

Specify which type of users will authenticate. This determines the correct issuer endpoint:

Tenant type	Your input	Notes
Tenant ID (preferred)	Your Directory (tenant) ID	Unique GUID for your organization’s specific tenant, which allows you to specify the preferred policycommon: Allows access to anyone having a Microsoft account.organizations: Only for people with work accounts, but from any business.consumers: Only for personal accounts of Microsoft, from anywhere.

Step 2: Verification

Confirm the federation works and report back to us so or any problem faced.

Optional next step: Enable provisioning

If you also want automated user and group synchronization from Microsoft Entra ID, continue with the Microsoft Entra ID custom SCIM provisioning guide.

Changing federation type

If you have an existing federation using a different protocol and switch to OIDC with Microsoft Entra ID, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.