Is "Microsoft" Identity provider using OpenID Connect v1.0?

Hi everyone,

Bit of context first : I have an Active Directory as my Identity Provider working fine, but i was looking for a way to retrieve Active Directory group/role directly into Keycloak access_token

After some carefull research i find out the following to topic :

however i don’t have the possibility to select “Claim to role”, since i am using the “microsoft” Identity Provider inside keycloak

In the following topic (Groups from Azure AD) it seems to be possible when not using the “microsoft” template, but using OpenId Connect V1.0. Does the “Microsoft” template use it to ? Or is it less secured?

To get groups from Microsoft, you need to use the OpenId Connect.

You can use the OpenId Autodiscovery mechanism. The url for microsoft is at<TENANT_ID>/.well-known/openid-configuration where TENANT_ID is your Azure AD Tenant ID (info avaiable at the azure AD)

1 Like

The built-in “social” provider “Microsoft” is for usage with private Microsoft accounts only, as it has hardcoded urls and paths in it. If you want to have anything customized, you have to configure a generic OIDC provider (or also SAML, as AAD also supports SAML).

1 Like