OIDC Provider Setup - Auth Methods - Azure Active Directory

The Vault website is being redesigned to help you find what you are looking for more effectively.Join the Beta

»Azure Active Directory (AAD)

Note: Azure Active Directory Applications that have custom signing keys as a result of using the claims-mapping feature are currently not supported for OIDC authentication.

Reference: Azure Active Directory v2.0 and the OpenID Connect protocol

Choose your Azure tenant.
Go to Azure Active Directory and register an application for Vault.
Add Redirect URIs with the "Web" type. You may include two redirect URIs, one for CLI access another one for Vault UI access.

http://localhost:8250/oidc/callback
https://hostname:port_number/ui/vault/auth/oidc/oidc/callback

Record the "Application (client) ID" as you will need it as the oidc_client_id.
Under Endpoints, copy the OpenID Connect metadata document URL, omitting the /well-known... portion.

The endpoint URL (oidc_discovery_url) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0

Under Certificates & secrets, add a client secret Record the secret's value as you will need it as the oidc_client_secret for Vault.

»Connect AD group with Vault external group

Reference: Azure Active Directory with OIDC Auth Method and External Groups

To connect the AD group with a Vault external groups, you will need Azure AD v2.0 endpoints. You should set up a Vault policy for the Azure AD group to use.

Go to Azure Active Directory and choose your Vault application.
Go to Token configuration and Add groups claim. Select "All" or "SecurityGroup" based on which groups for a user you want returned in the claim.
In Vault, enable the OIDC auth method.

Configure the OIDC auth method with the oidc_client_id (application ID), oidc_client_secret (client secret), and oidc_discovery_url (endpoint URL) you recorded from Azure.

vault write auth/oidc/config \
   oidc_client_id="your_client_id" \
   oidc_client_secret="your_client_secret" \
   default_role="your_default_role" \
   oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"

vault write auth/oidc/config \
   oidc_client_id="your_client_id" \
   oidc_client_secret="your_client_secret" \
   default_role="your_default_role" \
   oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"

Configure the OIDC Role with the following:

user_claim should be "sub" or "oid" following the recommendation from Azure.
allowed_redirect_uris should be the two redirect URIs for Vault CLI and UI access.
groups_claim should be set to "groups".

oidc_scopes should be set to "https://graph.microsoft.com/.default".

vault write auth/oidc/role/your_default_role \
   user_claim="sub" \
   allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
   groups_claim="groups" \
   oidc_scopes="https://graph.microsoft.com/.default" \
   policies=default

vault write auth/oidc/role/your_default_role \
   user_claim="sub" \
   allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
   groups_claim="groups" \
   oidc_scopes="https://graph.microsoft.com/.default" \
   policies=default

In Vault, create the external group. Record the group ID as you will need it for the group alias.
From Vault, retrieve the OIDC accessor ID from the OIDC auth method as you will need it for the group alias's mount_accessor.
Go to the Azure AD Group you want to attach to Vault's external group. Record the objectId as you will need it as the group alias name in Vault.

In Vault, create a group alias for the external group and set the objectId as the group alias name.

vault write identity/group-alias \
   name="your_ad_group_object_id" \
   mount_accessor="vault_oidc_accessor_id" \
   canonical_id="vault_external_group_id"

vault write identity/group-alias \
   name="your_ad_group_object_id" \
   mount_accessor="vault_oidc_accessor_id" \
   canonical_id="vault_external_group_id"

»Optional Azure-specific Configuration

If a user is a member of more than 200 groups (directly or indirectly), extra configuration is required so that Vault can fetch the groups properly.

In Azure, under the applications API Permissions, grant the following permissions:
- Microsoft Graph API permission Directory.Read.All

In Vault, set "provider_config" to Azure.

vault write auth/oidc/config -<<"EOH"
{
   "oidc_client_id": "your_client_id",
   "oidc_client_secret": "your_client_secret",
   "default_role": "your_default_role",
   "oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0",
   "provider_config": {
      "provider": "azure"
   }
}
EOH

vault write auth/oidc/config -<<"EOH"
{
   "oidc_client_id": "your_client_id",
   "oidc_client_secret": "your_client_secret",
   "default_role": "your_default_role",
   "oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0",
   "provider_config": {
      "provider": "azure"
   }
}
EOH

In Vault, add "profile" to oidc_scopes so the user's id comes back on the JWT.

vault write auth/oidc/role/your_default_role \
 user_claim="email" \
 allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
 groups_claim="groups" \
 oidc_scopes="profile" \
 policies="default"

vault write auth/oidc/role/your_default_role \
 user_claim="email" \
 allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
 groups_claim="groups" \
 oidc_scopes="profile" \
 policies="default"