Linking user from Azure AD to Keycloak account

Hi,
I have added Azure AD with OIDC configuration as an Identity Provider in Keycloak.
I would like to achieve this case:
1. Getting all users from Azure AD using Microsoft Graph.
2. Adding users manually by sending multiple ‘create user’ requests. I want to set some custom attributes for each user.
3. Linking each user with Azure AD (registered as an IdP).

The problem is that I can’t find the user ID that is required to link the user (point 3.).
I know that I need to click “Link account” and then paste the User ID (screenshots below), but I don’t have the ID. Do you have any ideas how to get this ID?

Azure AD (or “Entra ID” as it is named currently) behaves, let’s say “opinionated”…
I don’t know a way to retrieve the required userId here, as Azure creates client-specific (in Azure: app registration) userIds for every user. So, unfortunately, it’s not the global userId in Azure AD / Entra ID, but a specific one. And “I don’t know” here does not mean that there is no way hidden somewhere down the road, but it’s not obvious and I searched a lot. Perhaps somebody knows how to find this ID somewhere.

Hi, thank you for the answer.
I hope someone will find a solution/workaround in the future.

My second idea is to make it possible for users who authenticate for the first time to connect their Entra ID account with a Keycloak account without any additional password.

It would work like this:

  1. Get all users using MS Graph.
  2. Add the users to Keycloak.
  3. Each user links his/her account during first login. No password is required, just the “Add to existing account” click (of course Entra ID auth happens before this).

Is it possible? E.g. using authentication flows?

This should work ootb, but by sending a mail to the user with a link; with that, the accounts will be joined.
If you just want to join the Entra ID account to the local one, you would have to adjust the “first broker login” flow and perhaps add a custom authenticator executor.

Thank you very much. I found a way to configure flow properly.

The final solution meets my expectations:

  1. Users are imported using MS Graph.
  2. Some custom attributes/roles are set during user creation.
  3. When a user logs in (with Entra ID), the Keycloak account is linked with Entra ID and the user does not receive any confusing information/emails/additional approval flows, etc.

Here is my first broker login configuration:
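As an added example of the import half of that procedure (steps 1 and 2: reading users from MS Graph and creating them in Keycloak with custom attributes), here is a small Python script. It is not the poster's code or broker-login configuration. The Graph `/v1.0/users` endpoint with `@odata.nextLink` paging and the Keycloak admin endpoint `POST /admin/realms/{realm}/users` are the real public APIs; `KEYCLOAK_URL`, `REALM`, the bearer tokens, the attribute names (`entra_object_id`, `department`) and the sample Graph pages are all placeholders or constructed choices for this example.

```python
"""Import Entra ID (Azure AD) users into Keycloak with custom attributes.

Added example, not code from the thread. Placeholders: KEYCLOAK_URL, REALM and
the bearer tokens. The attribute names (entra_object_id, department) are example
choices. The endpoints are the public ones:
  GET  https://graph.microsoft.com/v1.0/users        (paged via @odata.nextLink)
  POST {KEYCLOAK_URL}/admin/realms/{REALM}/users     (Keycloak admin REST API)
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Iterator, Optional

GRAPH_USERS_URL = ("https://graph.microsoft.com/v1.0/users"
                   "?$select=id,userPrincipalName,mail,givenName,surname,department,accountEnabled")
KEYCLOAK_URL = "https://keycloak.example.invalid"  # placeholder
REALM = "myrealm"                                  # placeholder


def graph_user_to_keycloak(u: dict) -> Optional[dict]:
    """Map one Graph user object to a Keycloak UserRepresentation.

    Returns None for accounts that should not be imported (disabled, or
    without a mail address), so the caller can skip them.
    """
    if not u.get("accountEnabled", False):
        return None
    email = (u.get("mail") or "").strip().lower()
    if not email:
        return None
    # Keycloak attributes are lists of strings. The Graph object id is kept so a
    # later audit can tell which Entra account a Keycloak user was created from.
    attrs = {"entra_object_id": [u["id"]]}
    if u.get("department"):
        attrs["department"] = [u["department"]]
    return {
        "username": email,
        "email": email,
        "emailVerified": True,  # address asserted by the IdP; avoids a verify-email step on first broker login
        "enabled": True,
        "firstName": u.get("givenName") or "",
        "lastName": u.get("surname") or "",
        "attributes": attrs,
    }


def iter_graph_users(fetch_json: Callable[[str], dict],
                     url: str = GRAPH_USERS_URL) -> Iterator[dict]:
    """Walk every page of the Graph /users collection; fetch_json(url) -> parsed body."""
    next_url: Optional[str] = url
    while next_url:
        page = fetch_json(next_url)
        yield from page.get("value", [])
        next_url = page.get("@odata.nextLink")


def http_call(url: str, token: str, method: str = "GET", body: Optional[dict] = None):
    """Minimal JSON HTTP helper; returns (status, parsed body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json",
        "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return e.code, {}


def create_keycloak_user(rep: dict, admin_token: str) -> str:
    """POST one UserRepresentation; 201 = created, 409 = username/e-mail already exists."""
    status, _ = http_call(f"{KEYCLOAK_URL}/admin/realms/{REALM}/users", admin_token, "POST", rep)
    if status == 201:
        return "created"
    if status == 409:
        return "exists"  # re-running the import is safe; Keycloak refuses duplicates
    raise RuntimeError(f"Keycloak returned HTTP {status} for {rep['username']}")


def import_users(fetch_json: Callable[[str], dict], create: Callable[[dict], str]) -> dict:
    """Run the import; both callables are injected so the flow can be exercised offline."""
    counts = {"created": 0, "exists": 0, "skipped": 0}
    for gu in iter_graph_users(fetch_json):
        rep = graph_user_to_keycloak(gu)
        if rep is None:
            counts["skipped"] += 1
            continue
        counts[create(rep)] += 1
    return counts


# Constructed sample of two Graph response pages (not real tenant data).
SAMPLE_PAGES = {
    GRAPH_USERS_URL: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "alice@example.com",
             "mail": "Alice@example.com", "givenName": "Alice", "surname": "Example",
             "department": "Finance", "accountEnabled": True},
            {"id": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "old@example.com",
             "mail": "old@example.com", "givenName": "Old", "surname": "Account", "accountEnabled": False},
        ],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=page2",
    },
    "https://graph.microsoft.com/v1.0/users?$skiptoken=page2": {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "bob@example.com",
             "mail": None, "givenName": "Bob", "surname": "Nomail", "accountEnabled": True},
        ],
    },
}


def demo() -> dict:
    """Offline run over the constructed pages with a fake Keycloak that accepts every user."""
    return import_users(SAMPLE_PAGES.__getitem__, lambda rep: "created")
```

For a live run, replace the two fakes in `demo()` with `lambda url: http_call(url, GRAPH_TOKEN)[1]` and `lambda rep: create_keycloak_user(rep, ADMIN_TOKEN)`. Note that the Graph object id stored in `entra_object_id` is only for reconciliation on the Keycloak side; as the earlier reply explains, it is not the app-registration-specific identifier that Keycloak's "Link account" dialog asks for, which is why the thread settles on linking at first broker login instead of pre-linking via the admin console.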