Cloud Experts Documentation

Configure Azure AD as an OIDC identity provider for ARO with cli

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

The steps to add Azure AD as an identity provider for Azure Red Hat OpenShift (ARO) via cli are:


Have Azure cli installed

Follow the Microsoft installation instructions for the Azure CLI.

Note: This has been written for az cli version 2.37.0; some commands will not work with previous versions. However, there is a known issue with that version, which is why we will use an older version via podman run -it . In case you're using docker, just replace the podman command with docker. For podman installation on Mac, Windows and Linux, please refer to the podman installation documentation.

Login to Azure

Login to Azure as follows:

az login

If you are logging in from a system where you have no browser available to authenticate with, you can also use

az login --use-device-code


Define needed variables

To simply follow along, first define the following variables according to your set-up:

RESOURCEGROUP=<rg-dmoessne-aro01>       # replace with the name of the resource group that holds your cluster
CLUSTERNAME=<cluster-dmoessne-aro01>    # replace with the name of your ARO cluster

Get oauthCallbackURL

To get the oauthCallbackURL for the Azure AD integration, run the following commands:

DOMAIN=$(az aro show -g $RESOURCEGROUP -n $CLUSTERNAME --query clusterProfile.domain -o tsv)
APISERVER=$(az aro show -g $RESOURCEGROUP -n $CLUSTERNAME --query apiserverProfile.url -o tsv)
# The OpenShift OAuth callback has the form https://oauth-openshift.apps.<base domain>/oauth2callback/<IdP name>.
# Assumption: DOMAIN is the cluster's full base domain. For a default (non-custom) domain the apps
# hostname is apps.<domain>.<location>.aroapp.io, so append the location and aroapp.io suffix in that case.
oauthCallbackURL=https://oauth-openshift.apps.$DOMAIN/oauth2callback/AAD

echo $oauthCallbackURL

Note: The trailing path segment of the oauthCallbackURL, AAD in this example, can be changed, but it must match the identity provider name used in the OAuth provider when creating the OpenShift OpenID authentication. Azure AD only redirects to registered redirect URIs, so a mismatch breaks the login flow.
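As an added example that is not part of the original page, the following POSIX shell function derives the same callback URL from the cluster's console URL (consoleProfile.url) instead of from clusterProfile.domain. The console host is always console-openshift-console.apps.<base domain>, so this works for both the default *.aroapp.io domain and a custom domain; the console URLs below are constructed sample values, and the identity provider name is passed in so it cannot silently drift from the OAuth resource.

```shell
#!/bin/sh
# Added example (not from the original page): derive the OpenShift OAuth callback URL
# for a named identity provider from the cluster's console URL. The console route is
# console-openshift-console.apps.<base domain>, and the OAuth route is
# oauth-openshift.apps.<base domain>, so the apps base domain can be reused.

# oauth_callback_url <console-url> <idp-name>
oauth_callback_url() {
  console="$1"
  idp="$2"
  # strip the scheme and the console route host prefix
  base="${console#https://}"
  base="${base#console-openshift-console.}"
  # keep only the host part (drop any trailing path)
  base="${base%%/*}"
  case "$base" in
    apps.*) ;;
    *) echo "unexpected console host: $base" >&2; return 1 ;;
  esac
  printf 'https://oauth-openshift.%s/oauth2callback/%s\n' "$base" "$idp"
}

# Constructed sample values (not real clusters):
DEFAULT_CONSOLE="https://console-openshift-console.apps.abcd1234.eastus.aroapp.io/"
CUSTOM_CONSOLE="https://console-openshift-console.apps.aro.example.com/"

oauth_callback_url "$DEFAULT_CONSOLE" AAD
oauth_callback_url "$CUSTOM_CONSOLE" AAD
```

In the procedure above you would feed the real value, for example `oauthCallbackURL=$(oauth_callback_url "$(az aro show -g $RESOURCEGROUP -n $CLUSTERNAME --query consoleProfile.url -o tsv)" AAD)`, and keep the same IdP name for the OAuth resource.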

Create manifest.json file to configure the Azure Active Directory application

Configure OpenShift to use the email claim and fall back to upn to set the Preferred Username by adding the upn as part of the ID token returned by Azure Active Directory.

Create a manifest.json file to configure the Azure Active Directory application.

cat << EOF > manifest.json
{
  "idToken": [
    {
      "name": "preferred_username",
      "source": null,
      "essential": false,
      "additionalProperties": []
    },
    {
      "name": "email",
      "source": null,
      "essential": false,
      "additionalProperties": []
    }
  ]
}
EOF

Register/create app

Create an Azure AD application and retrieve app id:

DISPLAYNAME=<auth-dmoessne-aro01> # set your name accordingly

az ad app create \
--display-name $DISPLAYNAME \
--web-redirect-uris $oauthCallbackURL \
--sign-in-audience AzureADMyOrg \
--optional-claims @manifest.json
APPID=$(az ad app list --display-name $DISPLAYNAME --query '[].appId' -o tsv)

Add Service Principal for the new app

Create Service Principal for the app created:

az ad sp create --id $APPID

Make Service Principal an Enterprise Application

We need this Service Principal to be an Enterprise Application to be able to add users and groups, so we add the needed tag (az cli >= 2.38.0)

az ad sp update --id $APPID --set 'tags=["WindowsAzureActiveDirectoryIntegratedApp"]'

Note: In case you get a traceback (az cli = 2.37.0), check out the known issue for that version. To overcome it, set the tag on the application object through the Microsoft Graph API directly:

APP_ID=$(az ad app list --display-name $DISPLAYNAME --query '[].id' -o tsv)
# APP_ID is the application object id (not the appId); the Microsoft Graph v1.0 applications endpoint is assumed here
az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/$APP_ID --body '{"tags":["WindowsAzureActiveDirectoryIntegratedApp"]}'

Create the client secret

The password (client secret) for the app is obtained by resetting its credentials:

PASSWD=$(az ad app credential reset --id $APPID --query password -o tsv)

Note: The password generated with the above command is by default valid for one year. You may want to change that by adding either an end date via --end-date or a validity in years via --years. For details consult the az ad app credential reset documentation.

Update the Azure AD application scope permissions

To be able to read the user information from Azure Active Directory, we need to add the following delegated permissions on the Microsoft Graph API (API id 00000003-0000-0000-c000-000000000000). Note that these are Microsoft Graph permissions, not the legacy Azure AD Graph ones.

Add the permissions as follows:

  • read email
    az ad app permission add \
      --api 00000003-0000-0000-c000-000000000000 \
      --api-permissions 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0=Scope \
      --id $APPID

  • read profile
    az ad app permission add \
      --api 00000003-0000-0000-c000-000000000000 \
      --api-permissions 14dad69e-099b-42c9-810b-d002981feec1=Scope \
      --id $APPID

  • User.Read
    az ad app permission add \
      --api 00000003-0000-0000-c000-000000000000 \
      --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope \
      --id $APPID

Note: If you see a message that you need to grant consent, you can safely ignore it unless you are authenticated as a global administrator for this Azure Active Directory. Standard domain users will be asked to grant consent when they first log in to the cluster using their AAD credentials.

Get Tenant ID

We do need the Tenant ID for setting up the Oauth provider later on:

TENANTID=$(az account show --query tenantId -o tsv)

Note: Now we can switch over to our OpenShift installation and apply the needed configuration. Please refer to the OpenShift documentation to get the latest oc cli.


Login to OpenShift as kubeadmin

Fetch kubeadmin password and login to your cluster via oc cli (you can use any other cluster-admin user in case you have already created/added other oauth providers)

KUBEPW=$(az aro list-credentials \
--resource-group $RESOURCEGROUP \
--query kubeadminPassword --output tsv)

oc login $APISERVER -u kubeadmin -p $KUBEPW

Create an OpenShift secret

Create an OpenShift secret to store the Azure Active Directory application secret from the application password we created/reset earlier:

oc create secret generic openid-client-secret-azuread \
  --from-literal=clientSecret=$PASSWD \
  -n openshift-config
# the key must be named clientSecret; that is the key the OpenShift OpenID provider reads

Apply OpenShift OpenID authentication

As a last step we need to apply the OpenShift OpenID authentication for Azure Active Directory:

cat << EOF | oc apply -f -
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: AAD
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: $APPID
      clientSecret:
        name: openid-client-secret-azuread
      extraScopes:
      - email
      - profile
      extraAuthorizeParameters:
        include_granted_scopes: "true"
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      # tenant-specific issuer, so only identities from this tenant are accepted
      issuer: https://login.microsoftonline.com/$TENANTID
EOF
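The identity provider name in the OAuth resource has to equal the last path segment of the redirect URI registered on the Azure AD app (see the note on the oauthCallbackURL above). As an added example, not from the original page, the following POSIX shell snippet renders the OAuth resource from the page's variables and refuses to emit it when the two disagree, so the check happens before anything is applied to the cluster. The APPID, TENANTID and oauthCallbackURL values below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original page): render the OAuth resource from variables
# and verify that identityProviders[].name matches the IdP name encoded in the redirect URI
# registered on the Azure AD app. A mismatch means Azure AD rejects the redirect and the
# cluster login fails, so it is worth catching before oc apply.

# idp_name_from_callback <callback-url> -> prints the IdP name encoded in the URL
idp_name_from_callback() {
  url="${1%/}"                      # tolerate a trailing slash
  case "$url" in
    */oauth2callback/*) printf '%s\n' "${url##*/oauth2callback/}" ;;
    *) echo "not an OpenShift OAuth callback URL: $1" >&2; return 1 ;;
  esac
}

# render_oauth_cr <idp-name> <app-id> <tenant-id> <secret-name>
# Emits the OAuth resource used in the procedure, with a tenant-specific issuer.
render_oauth_cr() {
  cat << EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $1
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: $2
      clientSecret:
        name: $4
      extraScopes:
      - email
      - profile
      extraAuthorizeParameters:
        include_granted_scopes: "true"
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      issuer: https://login.microsoftonline.com/$3
EOF
}

# check_callback_matches <callback-url> <idp-name> -> 0 if consistent, 1 otherwise
check_callback_matches() {
  expected=$(idp_name_from_callback "$1") || return 1
  [ "$expected" = "$2" ]
}

# Constructed sample values (placeholders, not real identifiers):
oauthCallbackURL="https://oauth-openshift.apps.aro.example.com/oauth2callback/AAD"
APPID="00000000-0000-0000-0000-000000000000"
TENANTID="11111111-1111-1111-1111-111111111111"

if check_callback_matches "$oauthCallbackURL" AAD; then
  render_oauth_cr AAD "$APPID" "$TENANTID" openid-client-secret-azuread
else
  echo "identity provider name does not match the registered redirect URI" >&2
fi
```

With the real variables from the procedure, `check_callback_matches "$oauthCallbackURL" AAD && render_oauth_cr AAD "$APPID" "$TENANTID" openid-client-secret-azuread | oc apply -f -` applies the resource only when the names line up.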

Wait for authentication operator to roll out

Before we move over to the OpenShift login, let’s wait for the new version of the authentication cluster operator to be rolled out

watch -n 5 oc get co authentication

Note: It may take some time until the rollout starts.

Verify login through Azure Active Directory

Get console url to login:

az aro show --name $CLUSTERNAME --resource-group $RESOURCEGROUP --query "consoleProfile.url" -o tsv

Opening the url in a browser, we can see the login to Azure AD is available


At first login you may have to accept application permissions


Last steps

As a last step you may want to grant a user or group cluster-admin permissions and remove the kubeadmin user; see the OpenShift documentation on removing the kubeadmin user.

© 2023 Red Hat, Inc.