What is the best way to federate users from Azure AD to Keycloak?

I haven’t found a clear answer addressing this topic, which is surprising given that it seems like a common scenario. Can anyone provide some guidance or resources for setting up this type of user federation?

I have done some research and learned that Keycloak can accept Kerberos or LDAP user federation, but this source* claims that Azure AD does not support LDAP. Despite this, I haven’t found a clear “best option” for this process. I’m hoping someone who has actually set up this type of federation can provide some guidance or resources to help me achieve this goal.

Do you have to use user federation? I often use identity brokering by setting up a SAML Identity Provider for Azure AD. Looks like there are several articles and videos out there on how to set this up.

You can also talk to Azure AD via OIDC, not only SAML…
E.g. there’s this video:

Thanks Niko, this video is very well done and clear!

At this point I only need to also sync some custom user attributes from AAD to KC (i.e. address, phone, picture). Do you have a tutorial on how to accomplish that?

→ Ideally, those custom attributes would appear in Keycloak under User → Attributes
→ If not possible, it would also be okay if the custom attributes would only be mapped to an Access Token

Thanks!

Just use a mapper inside the IdP configuration. A simple user attribute mapper should do the trick. But you also have to configure AAD to send this information in their tokens and/or user info endpoint, of course, otherwise Keycloak doesn’t receive the information.

Thanks for the reply. That is really helpful. But I am still wondering how to find the correct mapping values, i.e. what are the attribute names that are coming from AAD? (Sorry, I am quite new to Keycloak.)

This depends on how the token in AAD is configured. As I’m not that deep into AAD, I can’t tell you. Best option would be to ask an Azure admin…
Or store the tokens you receive from your IdP and retrieve them with a separate request from Keycloak. The docs describe how to do this.
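
To make the claim question concrete, here is an added example (not from the thread and not Keycloak’s own code). It decodes the payload of an OIDC id_token the way you would inspect one retrieved from the broker’s stored-token endpoint, separates the OIDC standard claims from provider-specific ones, and builds the JSON for a Keycloak Attribute Importer mapper. The token, the tenant/client/group IDs and the `ctry` claim are constructed sample values; `decode_unverified_payload`, `claim_names`, `non_standard_claims` and `attribute_mapper` are helper names chosen for this example.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: an UNSIGNED JWT in the general shape of an Azure AD
# v2.0 id_token. Every value below is made up for this example; the
# signature segment is a dummy string, not a real signature.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
SAMPLE_PAYLOAD = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "oid": "22222222-2222-2222-2222-222222222222",
    "preferred_username": "jane.doe@example.com",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "groups": ["33333333-3333-3333-3333-333333333333"],
    "ctry": "DE",
    "exp": 1700000000,
}
SAMPLE_ID_TOKEN = ".".join(
    [
        _b64url(json.dumps(SAMPLE_HEADER).encode()),
        _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
        _b64url(b"dummy-signature"),
    ]
)

# OIDC Core standard claims (section 5.1) plus the registered JWT / id_token
# claims. Anything outside these sets is provider-specific and its name must
# be read from the token itself before it can be put into a mapper.
OIDC_STANDARD_CLAIMS = {
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
}
TOKEN_META_CLAIMS = {
    "iss", "aud", "exp", "iat", "nbf", "jti", "auth_time", "nonce", "acr",
    "amr", "azp", "at_hash", "c_hash",
}


def decode_unverified_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT checking the signature.

    Only for discovering which claim names a provider sends. Never make a
    trust decision on data from this function; Keycloak verifies the real
    id_token against the provider's JWKS before it runs any mapper.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload_b64 = parts[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(padded))


def claim_names(token: str) -> list:
    """All claim names present in the token, sorted."""
    return sorted(decode_unverified_payload(token).keys())


def non_standard_claims(token: str) -> list:
    """Claims that are neither OIDC standard nor token metadata."""
    return sorted(
        c for c in decode_unverified_payload(token)
        if c not in OIDC_STANDARD_CLAIMS and c not in TOKEN_META_CLAIMS
    )


def attribute_mapper(alias: str, claim: str, user_attribute: str) -> dict:
    """JSON for a Keycloak Attribute Importer mapper on an OIDC identity
    provider (mapper type id 'oidc-user-attribute-idp-mapper'), suitable for
    `kcadm.sh create identity-provider/instances/<alias>/mappers -f file.json`.
    'FORCE' re-imports the value on every login, not only at first login."""
    return {
        "name": f"{claim}-to-{user_attribute}",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim, "user.attribute": user_attribute, "syncMode": "FORCE"},
    }


if __name__ == "__main__":
    print("claims in token:", claim_names(SAMPLE_ID_TOKEN))
    print("provider-specific claims:", non_standard_claims(SAMPLE_ID_TOKEN))
    print(json.dumps(attribute_mapper("azure-ad", "ctry", "country"), indent=2))
```

The decoder deliberately skips signature verification: that is fine for reading claim names off a token you obtained yourself (for example by enabling the identity provider’s "store tokens" option and fetching it from the broker endpoint with a user that holds the `broker` client’s `read-token` role), but not for anything that decides who a user is. Whatever names the script reports go into the mapper’s `claim` field; as said above, Azure AD only includes non-default claims if the app registration is configured to emit them.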

These are the Azure AD defaults. You can configure these, but this is how they are initially set.

This is only valid for SAML; when using OIDC you’ll probably have other claims, hopefully OIDC standard claims, but I'm not sure about Microsoft doing things as designed…

Correct. Sorry I wasn’t clear. Those are the defaults for SAML. I haven’t tested OIDC.

Thank you for your effort @dasniko @xgp

Since I have not yet managed to pass additional claims such as work location, phone, picture etc. from Azure AD to Keycloak with Identity Provision, I have decided on a different strategy:

I will now use only the most necessary (and standard) claims and only sync group memberships. The new goal is to use Keycloak only as Auth Server and to use only the most necessary user data.

Additional user data that is needed in a client app (e.g. work location, phone, picture) will be included via MS Graph.

What do you think about this approach? Is this more like the way Keycloak is supposed to work?

EDIT: The main difficulty at this point is not really with Keycloak, since I now understand how to use the IdP Mapper. The main difficulty is to configure the AAD token and finding out what claims are available and how they are exactly named from the AAD side.

The video is pretty straightforward, but I’ve tried the configuration several times and continue to get errors when doing SSO with OIDC:

  • From application
    “Unexpected error when authenticating with identity provider”

  • From Keycloak Event logs:
    “identity_provider_login_failure”

Any suggestions?