Identity Cloud

Set up Microsoft Azure AD as a federation identity provider

To set up Azure AD as a federation identity provider, perform the steps in the following sections in the order presented.

Azure AD is also known by the new name Microsoft Entra ID. Refer to New name for Azure Active Directory.

Step 1: Complete Azure AD prerequisites

Before setting up Azure AD as a federation identity provider, you must set up an instance of Azure AD.

Step 2: Configure Azure AD as a federation provider

  1. In a browser, navigate to the Microsoft Azure portal dashboard.

  2. On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.

  3. Click + New registration.

  4. On the Register an application page, enter the application Name.

  5. Select one or more Supported account types that can use the application or access the API.

  6. In the Redirect URI (optional) section, in the drop-down list, select Web.

  7. Enter the Redirect URI (from the Redirect URI field on the Identity Cloud azure page).

  8. Click Register.

  9. Click Add a certificate or secret.

  10. Add a new client secret. Give it a description and an expiry period, and record the expiry date: the secret stops working at that point and federation fails until a new one is configured.

  11. Copy your application (client) ID and the client secret value. The secret value is shown only once, immediately after creation; if you leave the page without copying it you have to create a new secret.

  12. Save your changes.

  13. On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.

  14. Click Endpoints at the top of the page.

  15. Make note of your OpenID Connect metadata document endpoint, ensuring it contains your Azure tenant ID. For example: https://login.microsoftonline.com/<azure-tenant-id>/v2.0/.well-known/openid-configuration.
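The reason step 15 insists on the tenant ID being in the metadata URL is that the tenant-independent "common" document publishes a templated issuer that cannot be matched against the `iss` claim of a token. The following is an added example, not ForgeRock or Microsoft code, that builds the tenant-specific metadata URL and sanity-checks a discovery document before it is used as a federation provider. The two documents are constructed to mirror the shape of the real Azure AD v2.0 metadata; the tenant ID is a made-up placeholder.

```python
"""Check an Azure AD (Entra ID) OpenID Connect discovery document for a
tenant-specific issuer and sane endpoints before trusting it.

Added example, not ForgeRock or Microsoft code. The sample documents and
tenant ID below are constructed.
"""
import json
from urllib.parse import urlparse

AZURE_HOST = "login.microsoftonline.com"
# Constructed placeholder tenant ID (not a real tenant).
TENANT = "4f2e5b1c-0000-4000-8000-000000000001"


def metadata_url(tenant_id: str) -> str:
    """Tenant-specific metadata document URL, as in step 15."""
    return f"https://{AZURE_HOST}/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_discovery(doc: dict, tenant_id: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    expected_issuer = f"https://{AZURE_HOST}/{tenant_id}/v2.0"
    issuer = doc.get("issuer", "")
    if "{tenantid}" in issuer:
        # The "common" endpoint returns a literal {tenantid} placeholder, so a
        # token's iss claim can never be compared against it.
        problems.append("issuer is templated: metadata came from 'common', not the tenant")
    elif issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} missing or not https")
        elif parsed.hostname != AZURE_HOST:
            problems.append(f"{key} host {parsed.hostname!r} is not {AZURE_HOST}")

    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not advertised for ID token signing")
    return problems


# Constructed sample documents (shape of the real v2.0 metadata).
TENANT_DOC = json.loads(f"""{{
  "issuer": "https://{AZURE_HOST}/{TENANT}/v2.0",
  "authorization_endpoint": "https://{AZURE_HOST}/{TENANT}/oauth2/v2.0/authorize",
  "token_endpoint": "https://{AZURE_HOST}/{TENANT}/oauth2/v2.0/token",
  "jwks_uri": "https://{AZURE_HOST}/{TENANT}/discovery/v2.0/keys",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "id_token_signing_alg_values_supported": ["RS256"]
}}""")

COMMON_DOC = dict(TENANT_DOC, issuer=f"https://{AZURE_HOST}/{{tenantid}}/v2.0")

if __name__ == "__main__":
    print(metadata_url(TENANT))
    print("tenant doc:", check_discovery(TENANT_DOC, TENANT) or "ok")
    print("common doc:", check_discovery(COMMON_DOC, TENANT))
```

Run the check against the document actually fetched from the URL in step 15; a non-empty result means the metadata should not be pasted into the federation provider configuration as-is.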

Step 3: Use group membership to enable federation in Azure AD

Groups let you add and remove sets of administrators based on their group membership in your identity provider. You can also assign the administrator access level (super administrator or tenant administrator) to an entire group of users rather than to individuals.

Create groups containing Identity Cloud tenant administrators

Follow these steps to create a group in Azure AD that contains the Identity Cloud tenant administrators.

  1. On the Azure Active Directory admin center page, navigate to Azure Active Directory.

  2. In the left menu pane, under Manage, select Groups.

  3. On the top menu bar, select New group.

  4. In the New Group pane, enter values for:

    • Group type: The group type; specify Microsoft 365.

    • Group name: The name of the group.

    • Group description: A description of the group.

  5. Select Create.

  6. Add users to the group.

If you modify group membership in Azure, it can take a few minutes for those changes to take effect in Identity Cloud.

Include additional claims in the tokens for Identity Cloud

Complete the following steps to acquire claims from the application instead of the user info endpoint.

  1. On the Azure Active Directory admin center page, navigate to Azure Active Directory.

  2. In the left menu pane, under Manage, select App registrations.

  3. Choose your application.

  4. Under Manage, select Token configuration.

  5. Select Add optional claim.

  6. Select the token type you want to configure.

  7. Select the optional claims to add:

    • email: The email address for the user.

    • family_name: The last name, surname, or family name of the user.

    • given_name: The first or "given" name of the user.

    • groups: The groups the user belongs to. Membership is emitted as group object IDs, so the mapping on the Identity Cloud side must use the group's object ID, not its display name. If a user belongs to more than 200 groups, Azure AD omits the groups claim from a JWT and emits a group overage claim (_claim_names and _claim_sources) instead; treat that case as an error rather than as "no groups".

  8. Select Add.

Copyright © 2010-2024 ForgeRock, all rights reserved.