Federated login using Microsoft Entra ID as IdP, but only for pre-approved customers?
We want to allow users to log in with Microsoft Entra ID, but ONLY if they come from one of the tenants we trust.
What we've tried: Following https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc allows end users from one specific Entra ID tenant to log in. That's better than nothing, but it means we'd have an Entra ID login button for each tenant. That would be awkward; can Zitadel do better than that?
More details: We want to provide a generic "Log in with Entra ID" button on the login UI in Zitadel. That'll ship the user to Entra ID where they do the actual login. Coming back to Zitadel, we then want to make sure the tenant they belong to is one we have a commercial relationship with (an allow-list, basically). After that we want to grab the list of roles we are allowed to see from Entra ID and include those in the access token.
Keywords I'm told are related include using Microsoft Entra ID as external IdP, with Zitadel as Relying Party / OIDC client.
Any documentation you can point me in the direction of?
Hi @rud, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Configure Entra ID as an Identity Provider in ZITADEL : Shows how to configure Entra ID with different tenant types including "Organizations" for multi-tenant scenarios, but requires specific tenant configuration per provider.
2. Map roles from external IdP to Zitadel roles : Discusses mapping roles from external IdP to ZITADEL roles, which is currently an open GitHub issue with community workarounds.
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
... the documentation linked was the one I referenced in my question 🙂
@Inkeep do you have any help regarding using Microsoft Entra ID as external IdP, with Zitadel as Relying Party / OIDC client?
Hmm, I've dug further. By setting the Microsoft Entra configuration in Zitadel to "Organizations", and setting a similar config on the Entra ID side of the app, we can allow anyone with a business Microsoft Entra account to log in. Yay!
However, I'm still missing how I interrogate the details of the user in Entra ID, and how I ensure their account is created in the appropriate Zitadel Organization. Am I barking up the wrong tree with this approach, or getting closer? I can't tell 🙂
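The policy step the question describes (allow-list the Entra tenant after the "Organizations" login, then keep only known roles for the access token), as an added illustration in plain JavaScript. This is not ZITADEL's Actions API and not code from anyone in this thread; it assumes the Entra ID id_token has already been signature-verified and that the tenant IDs and role names are constructed placeholders.

```javascript
// Added illustration, not ZITADEL's Actions API. Assumes the id_token from
// Entra ID has ALREADY been signature-verified; this only applies policy.

// Entra tenant IDs we have a commercial relationship with (constructed
// placeholder GUIDs, not real tenants), mapped to the Zitadel org to use.
const TRUSTED_TENANTS = new Map([
  ["11111111-1111-1111-1111-111111111111", "acme-org"],
  ["22222222-2222-2222-2222-222222222222", "globex-org"],
]);

// App roles we accept from the Entra "roles" claim, mapped to project roles.
// A Map avoids prototype lookups (e.g. a role named "constructor").
const ROLE_MAP = new Map([
  ["App.Admin", "admin"],
  ["App.User", "user"],
]);

function evaluateEntraLogin(claims) {
  const tid = claims.tid;
  if (typeof tid !== "string") {
    return { allowed: false, reason: "missing tid claim" };
  }
  // With the multi-tenant ("organizations") endpoint the issuer is per tenant:
  // https://login.microsoftonline.com/{tid}/v2.0 . Require iss and tid to
  // agree, so a token minted by one tenant cannot claim another tenant's id.
  const expectedIss = `https://login.microsoftonline.com/${tid}/v2.0`;
  if (claims.iss !== expectedIss) {
    return { allowed: false, reason: "issuer does not match tid" };
  }
  const org = TRUSTED_TENANTS.get(tid);
  if (org === undefined) {
    return { allowed: false, reason: `tenant ${tid} not on allow-list` };
  }
  // Keep only roles we know; unknown roles are dropped, never passed through.
  const roles = (Array.isArray(claims.roles) ? claims.roles : [])
    .filter((r) => ROLE_MAP.has(r))
    .map((r) => ROLE_MAP.get(r));
  return { allowed: true, org, roles };
}

// Constructed sample claims for a trusted tenant (illustrative only).
const SAMPLE_TRUSTED = {
  iss: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
  tid: "11111111-1111-1111-1111-111111111111",
  roles: ["App.Admin", "Something.Unknown"],
};
// Same tid, but issuer from a different tenant: must be rejected.
const SAMPLE_ISS_MISMATCH = { ...SAMPLE_TRUSTED,
  iss: "https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333/v2.0" };
// Valid business tenant that is simply not a customer: must be rejected.
const SAMPLE_UNKNOWN_TENANT = {
  iss: "https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
  tid: "99999999-9999-9999-9999-999999999999",
  roles: ["App.User"],
};
```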
Alright, this seems dead, I've learned something in the process, and will be able to write a more focused question soon.
Glad I could be helpful. Feel free to create a new thread with any new questions you may have.