Documentation Index

Fetch the complete documentation index at: https://support.fortanix.com/llms.txt

Use this file to discover all available pages before exploring further.

Microsoft Entra ID OIDC Integration with Sensu Server

Prev Next

1.0 Introduction

This guide describes how to integrate Microsoft Entra ID using OpenID Connect (OIDC) with a Sensu server to enable user authentication.

2.0 Prerequisites

Before proceeding with the Azure OIDC configuration, ensure the following:

  • The Sensu user interface (UI) is accessible over Hypertext Transfer Protocol Secure (HTTPS).

  • The Sensu server has network connectivity to Microsoft Entra ID (Azure).

3.0 Integrate Microsoft Entra ID (OIDC) with Sensu

This section describes how to configure Microsoft Entra ID as an OpenID Connect (OIDC) identity provider for Sensu.

3.1 Create a Microsoft Entra ID Application

Perform the following steps to create a new Microsoft Entra ID application that Sensu UI will use for OIDC authentication:

  1. Log in to the Azure Portal.

  2. Navigate to Microsoft Entra ID using one of the following methods:

    1. From the Azure Services section on the Azure portal home page.

    2. From the left navigation panel.

  3. In the Manage section, select App registration.

    Figure 1: App registration option

  4. Select New registration.

  5. On the Register an application page, configure the following settings:

    1. Name: Enter a display name for the application. (for example, fortanix_oauth)

      Figure 2: Register an application screen

    2. Supported account types: Select accounts only from this organizational directory (Single tenant only - <your organization name>).

    3. Under Redirect URI (optional):

      1. Platform: Select Web

      2. Redirect URI: Enter https://<sensu-backend-IP>:8080/api/enterprise/authentication/v2/oidc/callback

  6. Select Register to create the application.

    Figure 3: Created application

3.2 Configuring OIDC on the Sensu Server

Perform the following steps to configure Microsoft Entra ID as the OIDC provider for Sensu.

  1. Create an oidc.yml configuration file.

    vi oidc.yml
  2. Add the following configuration to the oidc.yml file:

    #Contents of oidc.yaml
    type: oidc
    api_version: authentication/v2
    metadata:
      # This name appears on the Sensu login page as "Sign in with <name>"
      name: Azure
    
    spec:
      # OAuth2 scopes to request from Azure
      # NOTE: Do NOT add 'groups' here — Azure does not support it as a scope
      # Groups are returned as a claim inside the token automatically
      additional_scopes:
        - email           # to receive email in the token
        - offline_access  # required for refresh token support
    
      client_id: "<client-id>" # Get client-id from the app created in section 3.1
      client_secret: "<client-secret>" #Get client-secret the app created in section 3.1
    
      # Must exactly match the Redirect URI set in Azure App Registration
      redirect_uri: "https://<sensu-backend-IP>:8080/api/enterprise/authentication/v2/oidc/callback"
    
      # Azure OIDC endpoint — use /v2.0 suffix (required for Microsoft Identity Platform)
      # Replace <tenant-id> with your Directory (tenant) ID from Azure
      server: "https://login.microsoftonline.com/<tenant-id>/v2.0" #Get tenant-id the app created in section 3.1
    
      disable_offline_access: false
      # User identity based on email only — no group claims needed
      username_claim: email
      username_prefix: "oidc:"
    
  3. Run the following command to create the OIDC authentication resource:

    # Apply the OIDC config
    sensuctl create --file oidc.yml
    
  4. Run the following command to verify that the OIDC authentication provider has been created.

    sensuctl auth list

    Figure 4: Authentication list

    Confirm that Azure appears in the list of configured authentication providers.

3.3 Configure User Access and Permissions

Create cluster role bindings to grant administrative or read-only access to Sensu users authenticated through Microsoft Entra ID.

  1. Run the following command to create a cluster role binding for each administrator:

    NOTE

    The binding name must be unique. Replace <user-email> with the user's email address in Microsoft Entra ID.

    # One command per admin user
    sensuctl cluster-role-binding create admin-user1 \
      --cluster-role=cluster-admin \
      --user=oidc:user1@abc.com
    sensuctl cluster-role-binding create admin-user2 \
      --cluster-role=cluster-admin \ 
      --user=oidc:<user2@example.com>
    
  2. Run the following command to create a cluster role binding for each read-only user:

    NOTE

    • Replace <user-email> with the user's email address in Microsoft Entra ID.

    • The built-in view cluster role provides read-only access to Sensu resources.

    sensuctl role create readonly-role --namespace default --resource=checks,entities,events,namespaces --verb=get,list
    # One command per view-only user
    sensuctl cluster-role-binding create view-user3 \
      --cluster-role=view \
      --user=oidc:user3@abc.com
    sensuctl cluster-role-binding create view-user4 \
      --cluster-role=view \
      --user=oidc:user4@abc.com
    

3.4 Test the Integration

  1. Open the Sensu UI.

  2. On the login page, select SIGN-IN WITH AZURE.

    Figure 5: Sign in with Azure

  3. Sign in using your Microsoft Entra ID credentials.

Result:

The user is authenticated through Microsoft Entra ID and redirected to the Sensu UI.

  • Users assigned the cluster-admin role have full administrative access to manage Sensu resources.

    Figure 6: Admin role - Configure New Check

    Figure 7: Admin role - Configure New Asset

  • Users assigned the view role have read-only access and can view resources but cannot create, modify, or delete Sensu configurations.

    Figure 8: View role - Checks list

    Figure 9: View role - Assets list

Fortanix-logo

4.6

star-ratings

As of August 2025