Skip to content

Microsoft Entra ID custom OIDC federation guide

Last updated on

Set up a custom OpenID Connect (OIDC) federation with Microsoft Entra ID (formerly Azure Active Directory). The STACKIT IdP acts as the Relying Party (RP), and your Microsoft Entra ID tenant acts as the Identity Provider (IdP).

OIDC federations in STACKIT can be configured to create users automatically at first successful login (also known as JIT user creation), depending on your onboarding requirements.

  • Auto creation enabled: Users are created on first successful OIDC login if they don’t already exist.
  • Auto creation disabled: Users must already exist (for example, through SCIM provisioning or manual setup) before they can log in.

Define your preferred mode during onboarding so the federation can be configured accordingly.

To configure this federation with Entra ID, complete the following steps:

  1. Create Microsoft Application: You need to create the application on Microsoft in order to obtain the required credentials to set up the federation.
    https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
    When creating the client, the redirect URL is
    https://accounts.stackit.cloud/ui/login/login/externalidp/callback
  2. Token claims: The application will need to configure the token in “Token configuration” with the following claims:
    • Token type: ID
    • Claims checked:
      • email
      • family_name
      • given_name
      • preferred_username
  3. Permissions: In order to retrieve userinfo we will need the following permissions from “API permissions” panel:
    • email
    • profile
    • User.Read
    • openid (usually found in “Other permissions granted for…”)

Open a support ticket with the following information:

General information

  • Federation type: OpenID Connect (OIDC)
  • Reason for integration: Brief explanation (for example, “Enable SSO using Entra ID”)
  • Email domains: All primary and secondary email domains your employees use with Entra ID (for example, @example.org and @foobar.com)
  • User account creation mode: Auto creation enabled or Auto creation disabled

OIDC-specific information

Confirm the federation works and report back to us with the results or any problems you face.

If you also want automated user and group synchronization from Microsoft Entra ID, continue with the Microsoft Entra ID custom SCIM provisioning guide.

If you have an existing federation using a different protocol and switch to OIDC with Microsoft Entra ID, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.