Overview
Integrating Keycloak with Microsoft Entra ID allows DryvIQ Platform users to authenticate seamlessly using their Microsoft credentials. This process involves configuring Keycloak to recognize Microsoft Entra ID as an identity provider, registering the DryvIQ Platform as an app in Entra ID, and securely exchanging redirect URIs, client credentials, and permissions to complete the integration.
Before You Begin
Ensure you have:
- Administrator access to Keycloak for the DryvIQ Platform realm.
- Administrator access to Microsoft Entra ID.
- The URL of your DryvIQ-hosted Keycloak environment (https://<dryviq-hostname>/auth).
- Permissions to create app registrations in Entra ID.
Step 1. Generate Keycloak Redirect URI
You will begin in Keycloak to retrieve the Redirect URI required for the Microsoft Entra ID application registration. You will not complete the full Keycloak setup in this step; leave the page open and return to it in Step 3.
- Log in to Keycloak (https://<dryviq-hostname>/auth).
- Select the DryvIQ Platform realm.
- Click Identity Providers in the menu on the left.
- Select Microsoft as the provider.
- Keycloak automatically generates a Redirect URI for the provider. Copy this value exactly as shown, as you need it to configure the Microsoft Entra ID app registration.
- Leave the Add Microsoft Provider page open. You will return to it to complete the setup.
Step 2. Configure Microsoft Entra ID
Next, you will create a custom application registration in Microsoft Entra ID. This is where you set the redirect URI that Microsoft Entra ID needs to use. This process also generates the client ID and client secret that Keycloak needs to use for the integration.
A. Create a Custom App Registration
First, you need to register a custom application in Microsoft Entra ID.
- Open a new browser tab.
- Sign in to the Microsoft Entra admin center.
- Verify you are in the correct tenant.
- Select Entra ID and then App registrations.
- Click New registration.
- Complete the following information on the Register an application page:
- Name: Enter the user-facing display name for the application.
- Supported account types: Select the Accounts in this organization directory only option. This restricts sign-in to users in your own tenant; choose a multi-tenant option only if you intend to accept accounts from other directories.
- Redirect URI: Select Web and paste the Redirect URI you copied from Keycloak into the URI field. Entra ID matches redirect URIs exactly, so paste the value unchanged (no trailing slash or extra path).
- Click Register.
- On the Overview page, copy the Application (client) ID somewhere where you can access it later, as you need it to finish setting up Keycloak.
B. Generate the Client Secret
Next, you need to generate the client secret for the app registration. This is required to complete the Keycloak integration.
- Under Manage in the left menu, select Certificates & secrets, and then select New client secret.
- On the Add a client secret panel, enter a description for the new client secret and select an expiration date. Record the date: when the secret expires, Microsoft sign-in to DryvIQ stops working until you create a new secret and enter it in Keycloak.
- Select Add to create the client secret.
- The new client secret is displayed under Value. Click the Copy icon next to it and store the value in a password manager or secrets vault rather than a plain text file; you will need it to complete the Keycloak setup. The value is shown only once and is hidden as soon as you navigate away from this page, so copy it immediately after creating it.
C. Configure API Permissions for Microsoft Graph
The final step in the application registration is to set the required Graph API permissions.
- Under Manage in the left navigation panel, select API permissions, and then select Add a permission.
- Select Microsoft Graph on the Request API permissions panel.
- Select Delegated permissions.
- Add the following permissions for Microsoft Graph. (Use the available search bar to find permissions quickly.)
- Select Add permissions at the bottom of the panel to save the selected permissions. If a permission requires admin consent, or your tenant does not allow users to consent on their own, also click Grant admin consent so users are not blocked by a consent error at sign-in.
Step 3. Complete Keycloak Setup
Return to Keycloak to finish the configuration. You should still have the Add Microsoft Provider page open from step 1.
- On the Add Microsoft Provider page:
- Paste the Client ID from Entra ID into the Client ID field.
- Paste the Client Secret from Entra ID into the Client Secret field.
- Save the configuration.
Step 4. Verify the Integration
- Go to the DryvIQ Platform login page.
- Select Sign in with Microsoft.
- Log in with your Microsoft credentials.
- Confirm you are redirected back to DryvIQ and successfully authenticated. If Microsoft reports a redirect URI mismatch, re-check that the URI entered in Step 2A matches the value Keycloak generated in Step 1 exactly.
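The steps above are all performed in the two consoles, which makes drift (a redirect URI retyped with a trailing slash, a secret that quietly expires) easy to miss. The following script is an added example, not DryvIQ or Keycloak code, that checks an app registration against what Keycloak expects and builds the equivalent Keycloak identity-provider payload. It assumes a Keycloak base URL of https://dryviq.example.com/auth, a realm named dryviq and the provider alias microsoft (all placeholders), and an app-registration object shaped like the Microsoft Graph `application` resource (`web.redirectUris`, `signInAudience`, `passwordCredentials[].endDateTime`); the sample registration embedded below is constructed for illustration.

```python
"""Post-configuration audit for a Keycloak <-> Microsoft Entra ID brokering setup.

Added example, not DryvIQ or Keycloak code. Assumptions (placeholders, not real values):
  * Keycloak base URL https://dryviq.example.com/auth and realm "dryviq";
  * identity provider alias "microsoft" (Keycloak's default for the Microsoft provider);
  * an app-registration dict shaped like the Microsoft Graph `application` resource.
"""
from datetime import datetime, timedelta, timezone
import json


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp such as Graph's '2025-03-01T00:00:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def keycloak_broker_redirect_uri(base_url: str, realm: str, alias: str = "microsoft") -> str:
    """The redirect URI Keycloak generates for a brokered identity provider:
    <base>/realms/<realm>/broker/<alias>/endpoint. Still cross-check it against the
    value shown on the Add Microsoft Provider page (Step 1); this only lets you
    verify that the Entra registration matches it."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def audit_app_registration(app: dict, expected_redirect: str, now_iso: str,
                           warn_days: int = 30) -> list:
    """Return a list of findings; an empty list means the registration looks correct."""
    now = _parse_ts(now_iso)
    findings = []
    uris = app.get("web", {}).get("redirectUris", [])
    # Entra matches redirect URIs literally (scheme, host, path, trailing slash),
    # so compare the exact string rather than a prefix.
    if expected_redirect not in uris:
        findings.append(f"redirect URI missing: expected {expected_redirect!r}, have {uris!r}")
    extra = [u for u in uris if u != expected_redirect]
    if extra:
        findings.append(f"unexpected extra redirect URIs: {extra!r}")
    # Step 2A selects 'Accounts in this organization directory only' == AzureADMyOrg.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected 'AzureADMyOrg'")
    creds = app.get("passwordCredentials", [])
    if not creds:
        findings.append("no client secret on the registration")
    for cred in creds:
        end = _parse_ts(cred["endDateTime"])
        label = cred.get("displayName") or cred.get("keyId", "?")
        if end <= now:
            findings.append(f"client secret {label!r} expired on {end.date()}; Microsoft sign-in will fail")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret {label!r} expires on {end.date()}; rotate it in Entra and Keycloak")
    return findings


def keycloak_identity_provider_payload(client_id: str, client_secret: str,
                                       alias: str = "microsoft") -> dict:
    """Representation accepted by Keycloak's admin REST API at
    POST <base>/admin/realms/<realm>/identity-provider/instances; the same data you
    enter by hand on the Add Microsoft Provider page in Step 3."""
    return {
        "alias": alias,
        "providerId": "microsoft",
        "enabled": True,
        "config": {"clientId": client_id, "clientSecret": client_secret},
    }


# Constructed sample of what GET https://graph.microsoft.com/v1.0/applications/{id}
# might return for the registration created in Step 2 (IDs are placeholders).
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "DryvIQ Platform",
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": ["https://dryviq.example.com/auth/realms/dryviq/broker/microsoft/endpoint"]},
    "passwordCredentials": [
        {"displayName": "keycloak-broker",
         "keyId": "11111111-1111-1111-1111-111111111111",
         "endDateTime": "2025-03-01T00:00:00Z"}
    ],
}

if __name__ == "__main__":
    expected = keycloak_broker_redirect_uri("https://dryviq.example.com/auth", "dryviq")
    # Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
    for finding in audit_app_registration(SAMPLE_APP, expected, "2025-02-10T00:00:00Z"):
        print("FINDING:", finding)
    print(json.dumps(keycloak_identity_provider_payload(SAMPLE_APP["appId"], "<client-secret>"), indent=2))
```

Run it against the real registration by replacing SAMPLE_APP with the JSON returned by Graph for your app and passing the current time; the secret-expiry warning is the check most worth scheduling, since an expired secret fails every Microsoft sign-in at once.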