---
title: "Azure Configuration For Microsoft Entra ID as OpenID Connect Identity Provider"
slug: "fortanix-key-insight-azure-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider"
updated: 2026-03-23T06:25:05Z
published: 2026-03-23T06:38:28Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure Configuration For Microsoft Entra ID as OpenID Connect Identity Provider

## 1.0 Introduction

The purpose of this article is to outline the steps for configuring the connection between Fortanix Key Insight **Azure** and **Microsoft Entra ID** as an OpenID Connect (OIDC) identity provider (IdP) using the **Authorization Code Flow**.

Federated authentication in Azure refers to the process of enabling users to access Azure resources using their existing credentials from an external identity provider (IdP), such as PingOne, Microsoft Entra ID, and so on.

Configuring Microsoft Entra ID as an OpenID Connect IdP in Azure involves the following steps:

1. Register a client application with Microsoft Entra ID.
2. Configure the redirect Uniform Resource Locator (URL) on the client application.
3. Gather the Client ID, a unique identifier for your registered application.
4. Gather the OpenID configuration document (well-known) URI specific to your IdP tenant or account.
5. Provide permissions to your Azure application to scan resources.

## 2.0 Register a Client Application with Microsoft Entra ID

Perform the following steps to register a client application with Microsoft Entra ID:

1. Set up an OIDC web application in Microsoft Entra ID.

*For more information, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate).*
  1. Navigate to the [Azure portal](https://portal.azure.com/) and search for **Microsoft Entra ID**.
  2. Select **App registrations** under **Manage** in the left navigation panel on the **Microsoft Entra ID** page.

> [!NOTE]
> You can also search for **App registrations** directly in the Azure portal search bar.
  3. Click **New registration**.
  4. On the **Register an application** page:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Create an App(1).png)

**Figure 1: Register the new application**
    1. **Name**: Enter a user-facing display name for this application. For example, **key-insight-app**.
    2. **Supported account type**: Select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)**.
    3. **Redirect URI** (optional): Optionally enter the redirect URI from Section 3.0 now; it is configured as a single-page application redirect URI in the next step in any case.
    4. Click **Register** to register the application.
2. Configure the platform settings:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Image 1(2).png)

**Figure 2: Platform configurations**

> [!NOTE]
> Do not create client secrets or configure certificates during your application registration.
  1. In Microsoft Entra ID, navigate to **App registrations** and select your application.
  2. In your application, select **Manage → Authentication**.
  3. On the **Authentication** page, under **Platform configurations**, click **Add a platform**.
  4. Select **Single-page application** in the **Configure platforms** panel.
  5. In the **Configure single-page application** panel:
    1. **Redirect URIs:** Enter the application's redirect URI (`https://armor.fortanix.com/system/discovery/{region}/oauth/callback`).

Here, replace `{region}` with the appropriate region. For example, `eu` or `na`.
    2. Click **Configure** to add the single-page application.
  6. After adding the single-page application, under **Platform configurations**, select the **ID tokens (used for implicit and hybrid flows)** check box in the **Implicit grant and hybrid flows** section.
  7. In the **Advanced settings** section, set the **Enable the following mobile and desktop flows** toggle to **Yes**.
  8. Click **Save** to apply the changes.
3. Configure API permissions for OIDC:
  1. In Microsoft Entra ID, in **App registrations**, select your application.
  2. In your application, select **Manage → API permissions**.
  3. Under the **Configured permissions** section, click **Add a permission**.
  4. On the **Request API permissions** page, select **Microsoft Graph**.
  5. Select **Delegated permissions.**
  6. Under **OpenId permissions**, select the following permissions:
    - email
    - offline_access
    - openid
    - profile
  7. Click **Add permissions** to apply the selected permissions to your app registration.

## 3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which Microsoft Entra ID forwards the OIDC response after authentication. Microsoft Entra ID only redirects to a URI that exactly matches one registered on the application, so enter the value exactly as shown (scheme, host, and path).

The following is the redirect URL for Azure Microsoft Entra ID IdP:

```bash
https://armor.fortanix.com/system/discovery/{region}/oauth/callback
```

Here, replace `{region}` with the appropriate region. For example, `eu` or `na`.

*For more information, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate#add-a-redirect-uri).*

## 4.0 Gather the Client ID

A client ID is a unique identifier for the registered client application. Tokens that Microsoft Entra ID issues for the application carry this value in their `aud` (audience) claim, which is how the receiving application verifies that a token was issued for it and not for some other application.

To retrieve the client ID:

1. In Microsoft Entra ID, in **App registrations**, select your application.
2. In your application, select the **Overview** page.
3. Copy the **Application (client) ID** value from the **Overview** page.

*For more information, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret#register-an-application).*

> [!NOTE]
> Ensure that you copy and save the **Directory (tenant) ID** and **Application (client) ID** values. These values are required during the Azure cloud connection setup in Fortanix Key Insight.

## 5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OpenID Connect (OIDC) provider publishes a standard well-known URL from which your client application can dynamically discover the provider's configuration: the `issuer` value, the authorization and token endpoints, and the `jwks_uri` holding the keys used to verify token signatures.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the `OpenID Connect metadata document` value from the **Endpoints** section of the registered application.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DocumentURI.png)

**Figure 3: Obtain well-known URL**

> [!NOTE]
> - In the URL, replace `organizations` with your Directory (tenant) ID so that the document is tenant-specific. For example, `https://login.microsoftonline.com/<AZURE_TENANT_ID>/v2.0/.well-known/openid-configuration`. The document served at the `organizations` (or `common`) endpoint advertises the placeholder issuer `https://login.microsoftonline.com/{tenantid}/v2.0`, which cannot be matched against the `iss` claim of the tokens you receive; the tenant-specific document advertises your tenant's actual issuer.
> - Ensure that you record the well-known URL value, as it is required for the identity provider configuration when setting up the Azure cloud connection in the Fortanix Key Insight user interface (UI).
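The same registration done with the Azure CLI instead of the portal, as an added example that is not part of the Fortanix or Microsoft documentation: it performs Sections 2.0 through 5.0 non-interactively and, before printing the well-known URL, confirms that the discovery document it points to is tenant-specific (the check from the note above). It assumes a signed-in Azure CLI 2.37 or newer with rights to register applications; `GRAPH_APP_ID` is Microsoft Graph's published application ID, and every function name is the example's own.

```shell
#!/usr/bin/env bash
# Added example (not Fortanix's or Microsoft's tooling): Sections 2.0 to 5.0 with the
# Azure CLI, plus a check that the well-known URL handed to Key Insight is tenant-specific.
# Assumes: az CLI 2.37+ logged in (az login) as a user allowed to register applications.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource app ID

# Key Insight callback for a region (the page lists eu and na).
ki_redirect_uri() {
  printf 'https://armor.fortanix.com/system/discovery/%s/oauth/callback\n' "$1"
}

# Graph PATCH body: register the callback as a single-page-application redirect URI and
# enable ID-token issuance (the "Implicit grant and hybrid flows" check box). Access
# tokens stay disabled; only the ID token is needed for sign-in.
ki_spa_patch_body() {
  printf '{"spa":{"redirectUris":["%s"]},"web":{"implicitGrantSettings":{"enableIdTokenIssuance":true,"enableAccessTokenIssuance":false}}}\n' \
    "$(ki_redirect_uri "$1")"
}

# Tenant-specific discovery URL (Section 5.0) and the issuer it must advertise.
well_known_url()  { printf 'https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration\n' "$1"; }
expected_issuer() { printf 'https://login.microsoftonline.com/%s/v2.0\n' "$1"; }

# Pull the "issuer" value out of a discovery document passed as $1 (no jq dependency).
discovery_issuer() {
  printf '%s\n' "$1" | sed -n 's/.*"issuer" *: *"\([^"]*\)".*/\1/p'
}

# Succeeds only if the discovery document in $1 belongs to tenant $2. The documents for
# "organizations" and "common" advertise the literal placeholder
# https://login.microsoftonline.com/{tenantid}/v2.0, which can never equal a token's iss.
issuer_is_tenant_specific() {
  [ "$(discovery_issuer "$1")" = "$(expected_issuer "$2")" ]
}

# Resolve a delegated scope's ID from the resource's service principal instead of
# hard-coding permission GUIDs.
scope_id() {   # $1 = resource app ID, $2 = scope value such as openid
  az ad sp show --id "$1" --query "oauth2PermissionScopes[?value=='$2'].id | [0]" -o tsv
}

register_key_insight_app() {   # $1 = region (eu|na), $2 = display name (optional)
  region="$1"; name="${2:-key-insight-app}"

  # Section 2.0 step 1: multitenant registration. No client secret or certificate is
  # created; the app is a public client using the authorization code flow.
  app_id=$(az ad app create --display-name "$name" \
             --sign-in-audience AzureADMultipleOrgs \
             --is-fallback-public-client true \
             --enable-id-token-issuance true \
             --query appId -o tsv)
  object_id=$(az ad app show --id "$app_id" --query id -o tsv)

  # Section 2.0 step 2: SPA platform. az ad app create has no SPA redirect-URI flag,
  # so patch the application object through Microsoft Graph.
  az rest --method PATCH \
    --url "https://graph.microsoft.com/v1.0/applications/$object_id" \
    --headers "Content-Type=application/json" \
    --body "$(ki_spa_patch_body "$region")"

  # Section 2.0 step 3: delegated OpenID permissions on Microsoft Graph. The
  # user_impersonation scope from Section 6.0 is added the same way, with its
  # resource's app ID in place of GRAPH_APP_ID.
  for scope in openid profile email offline_access; do
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
      --api-permissions "$(scope_id "$GRAPH_APP_ID" "$scope")=Scope"
  done

  # Sections 4.0 and 5.0: the values Key Insight asks for, with the discovery
  # document checked before the URL is recorded.
  tenant_id=$(az account show --query tenantId -o tsv)
  url=$(well_known_url "$tenant_id")
  issuer_is_tenant_specific "$(curl -fsS "$url")" "$tenant_id" \
    || { echo "discovery document at $url is not tenant-specific" >&2; return 1; }
  printf 'Application (client) ID: %s\n' "$app_id"
  printf 'Directory (tenant) ID:   %s\n' "$tenant_id"
  printf 'Well-known URL:          %s\n' "$url"
}

# Usage: ./register-key-insight-app.sh eu [display-name]
if [ "$#" -gt 0 ]; then register_key_insight_app "$@"; fi
```

Permission IDs are resolved at run time from the resource service principal rather than pasted in, which keeps the script correct across clouds and avoids granting the wrong scope by GUID typo. The issuer check is the part worth keeping even if you register through the portal: paste your well-known URL into `curl` and compare its `issuer` to `https://login.microsoftonline.com/<tenant ID>/v2.0` before saving it in Key Insight.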

## 6.0 Provide Permissions to your Azure Application to Scan Resources

Applications are authorized to call APIs when they are granted permissions by users or administrators (admins) as part of the consent process.

Ensure you have added the following permissions to your application to scan Azure resources on Fortanix Key Insight:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Azure Fed Auth Permissions(5).png)

**Figure 4: Configure permissions**

> [!NOTE]
> The **user_impersonation** permission may require user or admin consent, depending on the tenant's application consent policies. If admin consent is necessary, obtain it for these permissions following your organization's security or IT policy before configuring federated authentication in Fortanix Key Insight.

*For more information, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview).*

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
