Home GitHub

IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Configure Azure AD as an OIDC identity provider for ARO with cli

Daniel Moessner

26 June 2022

The steps to add Azure AD as an identity provider for Azure Red Hat OpenShift (ARO) via cli are:


Have Azure cli installed

Follow the Microsoft instuctions: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

Note This has been written for az cli verion 2.37.0 some commands will not work with previous versions, however, there is a known issue https://github.com/Azure/azure-cli/issues/23027 where we will use an older version via podman run -it mcr.microsoft.com/azure-cli:2.36.0 . In case you’re using docker, just replace podman command by docker . For podman installation on Mac, Windows & Linux, please refer to https://podman.io/getting-started/installation

Login to Azure

Login to Azure as follows:

   az login

If you’re logging in from a system you have no access to your browser you can authenticate, you can also use

   az login --use-device-code


Define needed variables

To simplly follow along, first define the following variables according to your set-up:

   RESOURCEGROUP=<cluster-dmoessne-aro01> # replave with your name
   CLUSTERNAME=<rg-dmoessne-aro01>  # replave with your name

Get oauthCallbackURL

To get the oauthCallbackURL for the Azure AD integration, run the following commands:

   DOMAIN=$(az aro show -g $RESOURCEGROUP -n $CLUSTERNAME --query clusterProfile.domain -o tsv)
   APISERVER=$(az aro show -g $RESOURCEGROUP -n $CLUSTERNAME --query apiserverProfile.url -o tsv)

   echo $oauthCallbackURL

Note oauthCallbackURL, in particular AAD can be changed but must match the name in the oauth providerwhen creating the OpenShift OpenID authentication

Create manifest.json file to configure the Azure Active Directory application

Configure OpenShift to use the email claim and fall back to upn to set the Preferred Username by adding the upn as part of the ID token returned by Azure Active Directory.

Create a manifest.json file to configure the Azure Active Directory application.

   cat << EOF > manifest.json
    "idToken": [
       "name": "upn",
       "source": null,
       "essential": false,
       "additionalProperties": []
       "name": "email",
       "source": null,
       "essential": false,
       "additionalProperties": []

Register/create app

Create an Azure AD application and retrieve app id:

   DISPLAYNAME=<auth-dmoessne-aro01> # set you name accordingly 

   az ad app create \
   --display-name $DISPLAYNAME \
   --web-redirect-uris $oauthCallbackURL \
   --sign-in-audience AzureADMyOrg \
   --optional-claims @manifest.json
   APPID=$(az ad app list --display-name $DISPLAYNAME --query [].appId -o tsv)

Add Servive Principal for the new app

Create Pervice Principal for the app created:

   az ad sp create --id $APPID

Make Service Principal an Enterprise Application

We need this Service Principal to be an Enterprise Application to be able to add users and groups, so we add the needed tag (az cli >= 2.38.0)

   az ad sp update --id $APPID --set 'tags=["WindowsAzureActiveDirectoryIntegratedApp"]'

Note In case you get a trace back (az cli = 2.37.0) check out https://github.com/Azure/azure-cli/issues/23027 To overcome that issue, we’ll do the following

# APP_ID=$(az ad app list --display-name $DISPLAYNAME --query [].id -o tsv)
# az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/$APP_ID --body '{"tags":["WindowsAzureActiveDirectoryIntegratedApp"]}'

Create the client secret

The password for the app created is retrieved by resetting the same:

   PASSWD=$(az ad app credential reset --id $APPID --query password -o tsv)

Note The password generated with above command is by default valid for one year and you may want to change that by adding either and end date via --end-date or set validity in years with --years. For details consult the documentation

Update the Azure AD application scope permissions

To be able to read the user information from Azure Active Directory, we need to add the following Azure Active Directory Graph permissions

Add permission for the Azure Active Directory as follows:

Get Tenant ID

We do need the Tenant ID for setting up the Oauth provider later on:

   TENANTID=$(az account show --query tenantId -o tsv)

Note Now we can switch over to our OpenShift installation and apply the needed configuraion. Please refer to https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html to get the latest oc cli


Login to OpenShift as kubeadmin

Fetch kubeadmin password and login to your cluster via oc cli (you can use any other cluster-admin user in case you have already created/added other oauth providers)

   KUBEPW=$(az aro list-credentials \
   --name $CLUSTERNAME \
   --resource-group $RESOURCEGROUP \
   --query kubeadminPassword --output tsv)

   oc login $APISERVER -u kubeadmin -p $KUBEPW

Create an OpenShift secret###

Create an OpenShift secret to store the Azure Active Directory application secret from the application password we created/reset earlier:

   oc create secret generic openid-client-secret-azuread \
   -n openshift-config \

Apply OpenShift OpenID authentication

As a last step we need to apply the OpenShift OpenID authentication for Azure Active Directory:

   cat << EOF | oc apply -f -
   apiVersion: config.openshift.io/v1
   kind: OAuth
     name: cluster
     - name: AAD
       mappingMethod: claim
       type: OpenID
         clientID: $APPID
           name: openid-client-secret-azuread
         - email
         - profile
           include_granted_scopes: "true"
           - email
           - upn
           - name
           - email
         issuer: https://login.microsoftonline.com/$TENANTID

Wait for authentication operator to roll out

Before we move over to the OpenShift login, let’s wait for the new version of the authentication cluster operator to be rolled out

   watch -n 5 oc get co authentication

Note it may take some time until the rollout starts

Verify login through Azure Active Directory

Get console url to login:

   az aro show --name $CLUSTERNAME --resource-group $RESOURCEGROUP --query "consoleProfile.url" -o tsv

Opening the url in a browser, we can see the login to Azure AD is available


At first login you may have to accept application permissions


Last steps

As a last step you may want to grant a user or group cluster-admin permissions and remove kubeadmin user, see