How to integrate to office 365


I want to integrate the office 365 using keycloak as an idp. Please can you provide the detailed steps to integrate the office 365. Help is greatly appreciated.

Ameer Basha

Did you found a solution?

Also interested in this … I assume you are referring to both provisioning users from keycloak to Azure AD and also federating them ?

I’ve seen it work on Auth0 and GSuite by converting the office365 domain into a SSO domain and setting up provisioning and federation in the Auth0 / GSuite IDP but haven’t seen it in keycloak yet.

Would be great if someone from the keycloak team could give an update on this

The idea being that we use keycloak as an IDP, setup trust using SAML to allow the provisioned / federated user to be present in AzureAD as well, so we can have the signup / login experience in keycloak, and allowing these identities to access office 365 apps like sharepoint.

I believe there are SPI interfaces in Keycloak to do custom federation, but out of the box it appears that only LDAP and Active Directory is supported (not AzureAD)

You can use identity brokering, so Keycloak will allow login with Azure AD.

Yes, but in that scenario you just add a second “login with AzureAD” option in the keycloak login screen where users can login with their windows account (and then an identity will be created in keycloak as well). In that scenario AzureAD is managing the identities, and users still need to be signed up using AzureAD / Windows accounts. In my scenario, I am onboarding the users in keycloak directly.

The scenario I am talking about is where I want to keep my identities in Keycloak (allow them to be signed up using keycloak registration flows, managing the identities in Keycloak), but provision AzureAD with those users and establish trust (via SAML) with AzureAD so that these keycloak identities can also access sharepoint.

Here’s a video where they show it using GSuite as IDP, where GSuite identities are provisioned in AzureAD, and federation is setup so that identities are managed in GSuite only, but through federation and trust given access to the office 365 environment : G-Suite (Google Workspace) authentication into Office 365 (SAML) - YouTube

In my scenario, we have an application that is using keycloak as an IDP, where we have specific login / signup flows for these identities. We just need to find a way to allow for these identities to get access to office365. Obviously for that to work these identities need to be present in AzureAD, and some kind of trust / federation needs to be established between keycloak and AzureAD/office365.

Auth0 also seems to have a feature for this : Office 365 Custom Provisioning

This concept is probably also implemented using user provisioning in azureAD (in their case using JavaScript rules), and some kind of federation / trust (I assume via WS-Fed on the office365 domain)

I am looking for something similar in KeyCloak.

Did you found a solution? I’m looking for the same.