Azure AD as external identity provider

avpdiver1 · May 20, 2025, 2:08pm

Hello.

I have configured Azure AD as an external IDP. But Azure AD returns ID Token and Access Token with different iss claim. I don’t have access to Azure AD, can I somehow work around this problem on the Keycloak side? May by write custom Java extension or something…
In fact, I need only ID Token.
I am using Keycloak 26.

Thanks.

dasniko · May 20, 2025, 2:15pm

Do you have “Access token is JWT” enabled? Then Keycloak is trying to verify the AccessToken, which fails with MS, as MS uses different systems for ID and Access, like you already experienced.

Try disabling “Access token is JWT”, then Keycloak should ignore the AccessToken.

Topic		Replies	Views
Keycloak token for external idp(Azure) users Getting advice authentication , oidc	4	2259	April 29, 2024
Client Credentials grant with Keycloak as an identity broker for Azure AD Getting advice authentication , identity-brokering , oidc	0	699	August 2, 2021
AD Azure as IDP and keycloak as SP with SAML Getting advice authentication , saml	2	1084	April 29, 2024
Is it possible to use an KeyCloak AccessToken to get access to the Microsoft Graph? Getting advice oidc	11	12354	January 18, 2024
How does Keycloak get 'Identity Provider ID' or 'username' from Azure AD? Configuring the server	9	5505	July 25, 2024

Azure AD as external identity provider

Related topics