
Provide documentation on configuring an Azure AD OIDC application to work with Dex #1518

Closed
marians opened this issue Oct 14, 2022 · 4 comments
Assignees
Labels
needs/refinement Needs refinement in order to be actionable team/bigmac Team BigMac

Comments

@marians
Member

marians commented Oct 14, 2022

A customer was looking for support to set up an Azure AD app for Dex. See Slack.

If we provide this info, the next question will be: which other (OIDC) identity providers should we offer this information for? In use are

  • Github
  • Keycloak
  • Okta
  • add more
@marians
Member Author

marians commented Oct 14, 2022

Here is an Azure AD example application we have configured.

We find this app in https://portal.azure.com/ via Home > App Registrations > All applications

Overview

[screenshot: Overview page]

Authentication

[screenshot: Authentication page]

The only thing to adjust here is the redirect URIs.

Certificates & secrets

[screenshot: Certificates & secrets page]

There has to be at least one client secret configured.

Token configuration

To make sure that ID tokens contain the user's group memberships, the groups claim has to be configured. There is a dedicated "Add groups claim" button for this.

It is up to you to decide which options to select from "Select group types to include in Access, ID, and SAML tokens.", however it's likely that you want to include "Security groups".

[screenshot: Token configuration page with the groups claim]

API permissions

Also you have to have the Directory.Read.All permission. Click Add a permission > Microsoft Graph > Delegated permissions and enter Directory.Read.All into the filter input field. Select the only item found and add.

[screenshot: adding the Directory.Read.All delegated permission]

Then you should click the "Grant admin consent for ..." link.

[screenshot: "Grant admin consent for ..." link]

This is roughly how your permissions table should look:

[screenshot: resulting permissions table]

Open question

  • Is the offline_access permission required? If yes, how is it added?
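The Dex side of the setup described above, added here as an illustration and not taken from the issue or from the Dex project's own documentation: a static Dex config using the `microsoft` connector. The issuer URL, callback URL, environment variable name and group name are assumed placeholders; the client ID, secret and tenant ID come from the app registration pages walked through above.

```yaml
# Added example: Dex config wiring the Azure AD app registration above into
# Dex's `microsoft` connector. All concrete values are placeholders.
issuer: https://dex.example.com/dex          # assumed Dex issuer URL

connectors:
  - type: microsoft
    id: azuread
    name: Azure AD
    config:
      # "Application (client) ID" shown on the app's Overview page
      clientID: <application-client-id>
      # One of the client secrets created under "Certificates & secrets";
      # Dex expands $VAR references from its environment at startup
      clientSecret: $AZURE_CLIENT_SECRET
      # Must exactly match a redirect URI registered under "Authentication"
      redirectURI: https://dex.example.com/dex/callback
      # "Directory (tenant) ID" from the Overview page; limits sign-in to
      # accounts of this tenant instead of any Microsoft account
      tenant: <directory-tenant-id>
      # Dex resolves group membership through Microsoft Graph, which is
      # what the Directory.Read.All delegated permission (with admin
      # consent granted) is for. Mirrors the "Security groups" choice
      # made on the Token configuration page.
      onlySecurityGroups: true
      # Optional: only users in these groups may log in; group names are
      # matched by display name unless groupNameFormat is set to "id"
      groups:
        - platform-admins
      useGroupsAsWhitelist: true
```

Rotating the secret in Azure means updating `AZURE_CLIENT_SECRET` and restarting Dex; a stale secret shows up as a token-exchange failure at the `/callback` step, not at the Azure login page.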

@marians marians removed their assignment Nov 2, 2022
@anvddriesch

Note: dex-operator supports azure now.
We can also add configuration to it to manage azure ad oidc applications for dex automatically.

@gawertm gawertm added needs/refinement Needs refinement in order to be actionable and removed team/rainbow manuel labels Jun 13, 2023
@mogottsch

As we plan to make customers use dex-operator instead of configuring dex connectors themselves, we should probably provide documentation for customers on how to configure Azure AD in dex-operator.

@mogottsch

We decided not to add documentation on how to configure Azure AD for dex, as dex-operator will automate most of these steps.
