How to use Keycloak as an identity provider with Office365 and login to applications like PowerApps

Hello together,

I need to connect my Keycloak Server to Office365, but it needs to be the current Identity Provider and not Office365.

In my scenario a user login via KeyCloak and then the question is going to O365 and then coming back and the user can use all the things like Login to SharePoint or PowerAutomate.

I found some advice for Office365, but not the other way round. Do the user need to be in Azure AD, when he/she is authenticating via KeyCloak?

Maybe you can help me! Thanks in advance!

Best regards


I’m not that very familiar with office365, but I’m quite sure microsoft demands azure AD as primary authenticator, with the option to use an external identity provider, but only for external users (invitees).

That means you can add users to your Azure AD with their own company email and credentials. Example:

  • Your azure ad domain is, Your users from domain login via Azure AD
  • You have a business partner Bob ( who you need to invite into a teams groups for collaboration. You add as an external user.
  • You set up an external identity provider using SAML (or google or facebook) for

Now when Bob needs to access the Teams group, he goes to, enter his e-mail, microsoft detects that a user exists for him in your tenant and offers Bob the option to log into using his SAML provider (the`s keycloak).

For all I know, you cannot configure users to login into office 365 using an external provider, you’d have sync the users to Azure AD somehow.

Thanks for the answer. If only that is possible. My idea that the user logs in into Keycloak with the Office365 credentials and then the user should redirected to a specific url. Is that possible?

e.g. Laura logs in into Keycloak and KeyCloak imports the user. Then she needs to be redirected to PowerApps.

Best regards