Microsoft Entra ID (Azure AD) Identity Provider

This guide covers configuring Microsoft Entra ID (formerly Azure Active Directory) as an OpenID Connect (OIDC) identity provider for MinIO AIStor. For general OIDC configuration, see OpenID Connect Identity Management.

Prerequisites

  • An active Azure subscription with access to the Azure Portal.
  • A MinIO AIStor deployment with network connectivity to Microsoft identity endpoints.
  • The mc CLI installed and configured with an alias for your MinIO AIStor deployment.

Microsoft Graph API permissions

MinIO AIStor uses the Microsoft Graph API to query group memberships for authenticated users. The following Application permissions are required (not Delegated):

Permission       Purpose
User.Read.All    Read user profiles and group memberships
Group.Read.All   Read group information and memberships

These permissions require admin consent and enable MinIO AIStor to:

  • Query the /users/{user-id}/memberGroups endpoint
  • Map Azure AD security groups and Microsoft 365 groups to MinIO AIStor policies

Register an application in Azure

  1. In the Azure Portal, navigate to Microsoft Entra ID > App registrations > New registration.
  2. Enter a name (for example, minio-oidc).
  3. Set Supported account types as appropriate for your organization.
  4. Set Redirect URI platform to Web and enter your MinIO AIStor Console URL:
    https://minio.example.com/oauth_callback
  5. Select Register.

After registration:

  1. Note the Application (client) ID and Directory (tenant) ID.
  2. Navigate to Certificates & secrets > New client secret. Copy the generated secret value for MINIO_IDENTITY_OPENID_CLIENT_SECRET.
  3. Navigate to API permissions > Add a permission > Microsoft Graph > Application permissions. Add User.Read.All and Group.Read.All.
  4. Select Grant admin consent for your organization.

The OpenID discovery document URL is:

https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

Configure MinIO AIStor

Add the Azure AD provider using mc:

mc idp openid add ALIAS azure \
  config_url="https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration" \
  client_id="<client-id>" \
  client_secret="<client-secret>" \
  scopes="openid,email,profile" \
  redirect_uri="https://minio.example.com/oauth_callback" \
  display_name="Azure AD" \
  claim_name="azure_groups" \
  vendor="azure" \
  azure_tenant_id="<tenant-id>"

Or using environment variables:

export MINIO_IDENTITY_OPENID_CONFIG_URL="https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"
export MINIO_IDENTITY_OPENID_CLIENT_ID="<client-id>"
export MINIO_IDENTITY_OPENID_CLIENT_SECRET="<client-secret>"
export MINIO_IDENTITY_OPENID_SCOPES="openid,email,profile"
export MINIO_IDENTITY_OPENID_REDIRECT_URI="https://minio.example.com/oauth_callback"
export MINIO_IDENTITY_OPENID_DISPLAY_NAME="Azure AD"
export MINIO_IDENTITY_OPENID_CLAIM_NAME="azure_groups"
export MINIO_IDENTITY_OPENID_VENDOR="azure"
export MINIO_IDENTITY_OPENID_AZURE_TENANT_ID="<tenant-id>"

Restart MinIO AIStor to apply the configuration:

mc admin service restart ALIAS

Azure-specific settings

Setting          Value            Purpose
vendor           azure            Enables Microsoft Graph API integration for group membership
azure_tenant_id  your tenant ID   Required for client credentials authentication to Graph API
claim_name       azure_groups     Maps Azure AD group claims to MinIO AIStor policies

How group mapping works

  1. A user authenticates via Azure AD OIDC and MinIO AIStor receives an access token.
  2. MinIO AIStor calls the userinfo endpoint to get the user’s object ID (oid claim).
  3. MinIO AIStor authenticates to the Microsoft Graph API using the configured tenant ID, client ID, and client secret.
  4. MinIO AIStor queries the Graph API to retrieve all security groups the user belongs to.
  5. These groups are added to the azure_groups claim for policy mapping.
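The following script is an added example, not MinIO AIStor code, that walks through steps 3 to 5 above so an administrator can confirm the app registration works before pointing MinIO at it: it obtains an app-only token with the client credentials grant, inspects the token's roles claim to see whether admin consent for User.Read.All and Group.Read.All actually landed, and then asks Graph for the user's security groups. It assumes the Graph action POST /users/{oid}/getMemberGroups (the page refers to this as the memberGroups endpoint); the tenant, client, secret and user object ID values are placeholders, and the fake transport and its unsigned token are constructed so the flow runs offline.

```python
"""Offline-testable walk-through of the Graph group lookup MinIO AIStor performs."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Application permissions the page requires; once admin consent is granted they
# show up in the app token's "roles" claim.
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}


def http_json(req):
    """Default transport: send the prepared request and decode the JSON body."""
    with urlopen(req) as resp:
        return json.loads(resp.read().decode())


def get_graph_token(tenant_id, client_id, client_secret, transport=http_json):
    """Step 3 of the flow: client-credentials grant at the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = Request(url, data=form,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    return transport(req)["access_token"]


def token_roles(access_token):
    """Read the 'roles' claim from the token payload, for diagnostics only.
    No signature check is done here: Graph validates the token; we only want
    to see whether admin consent was granted for the required permissions."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def get_member_groups(access_token, user_oid, transport=http_json):
    """Step 4: POST /users/{oid}/getMemberGroups with securityEnabledOnly=true.
    Returns the object IDs of the security groups the user belongs to."""
    req = Request(f"{GRAPH_BASE}/users/{user_oid}/getMemberGroups",
                  data=json.dumps({"securityEnabledOnly": True}).encode(),
                  headers={"Authorization": f"Bearer {access_token}",
                           "Content-Type": "application/json"})
    return transport(req)["value"]


def check_group_lookup(tenant_id, client_id, client_secret, user_oid, transport=http_json):
    """Run the token + group lookup and report which required roles are missing.
    The Graph call is skipped when consent is incomplete, since Graph would deny it."""
    token = get_graph_token(tenant_id, client_id, client_secret, transport)
    missing = sorted(REQUIRED_ROLES - token_roles(token))
    groups = [] if missing else get_member_groups(token, user_oid, transport)
    return {"missing_roles": missing, "azure_groups": groups}


# --- constructed stand-ins so the flow can be exercised without a tenant ---

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_fake_transport(granted_roles, group_ids=("11111111-2222-3333-4444-555555555555",)):
    """Return a transport that answers like the token endpoint and Graph would.
    The token is a constructed, unsigned JWT; the group IDs are placeholders."""
    token = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                      _b64url({"aud": "https://graph.microsoft.com",
                               "roles": list(granted_roles)}),
                      "not-a-real-signature"])

    def transport(req):
        if req.full_url.endswith("/oauth2/v2.0/token"):
            return {"token_type": "Bearer", "access_token": token}
        if req.full_url.endswith("/getMemberGroups"):
            if req.get_header("Authorization") != f"Bearer {token}":
                raise PermissionError("Graph call made without the bearer token")
            return {"value": list(group_ids)}
        raise ValueError("unexpected request to " + req.full_url)
    return transport


if __name__ == "__main__":
    fully_consented = make_fake_transport(["User.Read.All", "Group.Read.All"])
    print(check_group_lookup("<tenant-id>", "<client-id>", "<client-secret>",
                             "<user-oid>", transport=fully_consented))
    # Use the default http_json transport with real values to run against your tenant.
```

The group IDs Graph returns are object IDs (GUIDs), not display names; those are the values that land in the azure_groups claim, so MinIO policy mappings must reference the GUIDs. If missing_roles is non-empty against a real tenant, the API permissions were added but admin consent was not granted, which is the most common reason group lookups fail silently.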

Periodic group refresh

To keep group memberships current, add offline_access to the scopes configuration:

mc idp openid update ALIAS azure scopes="openid,email,profile,offline_access"

This enables MinIO AIStor to periodically refresh group information from Azure AD (approximately once per hour).

Log in with Azure AD

  1. Open the MinIO AIStor Console in a browser.
  2. Select Login with SSO.
  3. Enter your Azure AD credentials on the Microsoft login page.
  4. After successful authentication, you are redirected to the MinIO AIStor Console with access based on your Azure AD group policies.