1.0 Introduction
This guide describes how to integrate Microsoft Entra ID using OpenID Connect (OIDC) with a Sensu server to enable user authentication.
2.0 Prerequisites
Before proceeding with the Azure OIDC configuration, ensure the following:
The Sensu user interface (UI) is accessible over Hypertext Transfer Protocol Secure (HTTPS).
The Sensu server has network connectivity to Microsoft Entra ID (Azure).
3.0 Integrate Microsoft Entra ID (OIDC) with Sensu
This section describes how to configure Microsoft Entra ID as an OpenID Connect (OIDC) identity provider for Sensu.
3.1 Create a Microsoft Entra ID Application
Perform the following steps to create a new Microsoft Entra ID application that Sensu UI will use for OIDC authentication:
Log in to the Azure Portal.
Navigate to Microsoft Entra ID using one of the following methods:
From the Azure Services section on the Azure portal home page.
From the left navigation panel.
In the Manage section, select App registration.
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 1: App registration option
Select New registration.
On the Register an application page, configure the following settings:
Name: Enter a display name for the application. (for example, fortanix_oauth)
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 2: Register an application screen
Supported account types: Select accounts only from this organizational directory (Single tenant only - <your organization name>).
Under Redirect URI (optional):
Platform: Select Web
Redirect URI: Enter
https://<sensu-backend-IP>:8080/api/enterprise/authentication/v2/oidc/callback
Select Register to create the application.
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 3: Created application
3.2 Configuring OIDC on the Sensu Server
Perform the following steps to configure Microsoft Entra ID as the OIDC provider for Sensu.
Create an
oidc.ymlconfiguration file.vi oidc.ymlAdd the following configuration to the
oidc.ymlfile:#Contents of oidc.yaml type: oidc api_version: authentication/v2 metadata: # This name appears on the Sensu login page as "Sign in with <name>" name: Azure spec: # OAuth2 scopes to request from Azure # NOTE: Do NOT add 'groups' here — Azure does not support it as a scope # Groups are returned as a claim inside the token automatically additional_scopes: - email # to receive email in the token - offline_access # required for refresh token support client_id: "<client-id>" # Get client-id from the app created in section 3.1 client_secret: "<client-secret>" #Get client-secret the app created in section 3.1 # Must exactly match the Redirect URI set in Azure App Registration redirect_uri: "https://<sensu-backend-IP>:8080/api/enterprise/authentication/v2/oidc/callback" # Azure OIDC endpoint — use /v2.0 suffix (required for Microsoft Identity Platform) # Replace <tenant-id> with your Directory (tenant) ID from Azure server: "https://login.microsoftonline.com/<tenant-id>/v2.0" #Get tenant-id the app created in section 3.1 disable_offline_access: false # User identity based on email only — no group claims needed username_claim: email username_prefix: "oidc:"Run the following command to create the OIDC authentication resource:
# Apply the OIDC config sensuctl create --file oidc.ymlRun the following command to verify that the OIDC authentication provider has been created.
sensuctl auth list.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 4: Authentication list
Confirm that Azure appears in the list of configured authentication providers.
3.3 Configure User Access and Permissions
Create cluster role bindings to grant administrative or read-only access to Sensu users authenticated through Microsoft Entra ID.
Run the following command to create a cluster role binding for each administrator:
NOTE
The binding name must be unique. Replace
<user-email>with the user's email address in Microsoft Entra ID.# One command per admin user sensuctl cluster-role-binding create admin-user1 \ --cluster-role=cluster-admin \ --user=oidc:user1@abc.com sensuctl cluster-role-binding create admin-user2 \ --cluster-role=cluster-admin \ --user=oidc:<user2@example.com>Run the following command to create a cluster role binding for each read-only user:
NOTE
Replace
<user-email>with the user's email address in Microsoft Entra ID.The built-in
viewcluster role provides read-only access to Sensu resources.
sensuctl role create readonly-role --namespace default --resource=checks,entities,events,namespaces --verb=get,list # One command per view-only user sensuctl cluster-role-binding create view-user3 \ --cluster-role=view \ --user=oidc:user3@abc.com sensuctl cluster-role-binding create view-user4 \ --cluster-role=view \ --user=oidc:user4@abc.com
3.4 Test the Integration
Open the Sensu UI.
On the login page, select SIGN-IN WITH AZURE.
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 5: Sign in with Azure
Sign in using your Microsoft Entra ID credentials.
Result:
The user is authenticated through Microsoft Entra ID and redirected to the Sensu UI.
Users assigned the cluster-admin role have full administrative access to manage Sensu resources.
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 6: Admin role - Configure New Check
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 7: Admin role - Configure New Asset
Users assigned the view role have read-only access and can view resources but cannot create, modify, or delete Sensu configurations.
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 8: View role - Checks list
.png?sv=2026-02-06&spr=https&st=2026-07-15T07%3A21%3A10Z&se=2026-07-15T07%3A34%3A10Z&sr=c&sp=r&sig=xjAL204jrVfU00sMa3him6mZhsJ87c9%2Bu6nos0fo6pY%3D)
Figure 9: View role - Assets list