Skip to content
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
2.8.x LTS
  • Home icon
  • Kong Gateway
  • Developer Portal
  • Administration
  • Application Registration
  • Set Up External Portal Application Authentication with Azure AD and OIDC
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.10.x (latest)
  • 3.9.x
  • 3.8.x
  • 3.7.x
  • 3.6.x
  • 3.5.x
  • 3.4.x (LTS)
  • 3.3.x
  • 2.8.x (LTS)
  • Archive (3.0.x and pre-2.8.x)
  • Introduction
    • Overview of Kong Gateway
    • Version Support Policy
    • Stages of Software Availability
    • Changelog
  • Install and Run
    • Overview
    • Kubernetes
    • Helm
    • OpenShift with Helm
    • Docker
    • Amazon Linux
    • CentOS
    • Debian
    • RHEL
    • Ubuntu
    • Migrating from OSS to EE
    • Upgrade Kong Gateway
    • Upgrade Kong Gateway OSS
    • Upgrade from 2.8 LTS to 3.4 LTS
  • Get Started
    • Quickstart Guide
      • Configuring a Service
      • Configuring a gRPC Service
      • Enabling Plugins
      • Adding Consumers
    • Comprehensive Guide
      • Prepare to Administer
      • Expose your Services
      • Protect your Services
      • Improve Performance
      • Secure Services
      • Set Up Intelligent Load Balancing
      • Manage Administrative Teams
      • Publish, Locate, and Consume Services
  • Plan and Deploy
    • Running Kong as a Non-Root User
    • Resource Sizing Guidelines
    • Hybrid Mode
      • Deploy Kong Gateway in Hybrid Mode
    • Kubernetes Deployment Options
    • Control Kong Gateway through systemd
    • Performance Testing Framework
    • DNS Considerations
    • Default Ports
    • Licenses
      • Access Your License
      • Deploy Your License
      • Monitor License Usage
    • Security
      • Start Kong Gateway Securely
      • Keyring and Data Encryption
      • Kong Security Update Process
      • Secrets Management
        • Getting Started
        • Advanced Usage
        • Backends
          • Environment Variables
          • AWS Secrets Manager
          • GCP Secret Manager
          • HashiCorp Vault
        • Reference Format
  • Configure
    • Authentication and Authorization
      • Authentication Reference
      • OpenID Connect Plugin
        • OpenID Connect with Curity
        • OpenID Connect with Azure AD
        • OpenID Connect with Google
        • OpenID Connect with Okta
        • OpenID Connect with Auth0
        • OpenID Connect with Cognito
        • OpenID Connect Plugin Reference
      • Allowing Multiple Authentication Methods
      • Auth for Kong Manager
        • Create a Super Admin
        • Configure Networking
        • Configure Kong Manager to Send Email
        • Reset Passwords and RBAC Tokens
        • Configure Workspaces
        • Basic Auth
        • LDAP
        • OIDC
        • Sessions
      • Role-based Access Control (RBAC)
        • Add a Role
        • Add a User
        • Add an Admin
      • Mapping LDAP Service Directory Groups to Kong Roles
    • Configure gRPC Plugins
    • GraphQL Quickstart
    • Logging Reference
    • Network and Firewall
  • Dev Portal
    • Overview
    • Enable the Dev Portal
    • Structure and File Types
    • Portal API Documentation
    • Working with Templates
    • Using the Editor
    • Configuration
      • Authentication
        • Basic Auth
        • Key Auth
        • OIDC
        • Sessions
        • Adding Custom Registration Fields
      • SMTP
      • Workspaces
    • Administration
      • Manage Developers
      • Developer Roles and Content Permissions
      • Application Registration
        • Authorization Provider Strategy
        • Enable Application Registration
        • Enable Key Authentication for Application Registration
        • External OAuth2 Support
        • Set up Okta and Kong for external OAuth
        • Set Up Azure AD and Kong for External Authentication
        • Manage Applications
    • Customization
      • Easy Theme Editing
      • Migrating Templates Between Workspaces
      • Markdown Rendering Module
      • Customizing Portal Emails
      • Adding and Using JavaScript Assets
      • Single Page App in Dev Portal
      • Alternate OpenAPI Renderer
    • Helpers CLI
  • Monitor
    • Kong Vitals
      • Metrics
      • Reports
      • Vitals with InfluxDB
      • Vitals with Prometheus
      • Estimate Vitals Storage in PostgreSQL
    • Prometheus plugin
    • Zipkin plugin
  • Reference
    • Admin API
      • DB-less Mode
      • Declarative Configuration
      • Supported Content Types
      • Information Routes
      • Health Routes
      • Tags
      • Service Object
      • Route Object
      • Consumer Object
      • Plugin Object
      • Certificate Object
      • CA Certificate Object
      • SNI Object
      • Upstream Object
      • Target Object
      • Vaults Beta
      • Licenses
        • Licenses Reference
        • Licenses Examples
      • Workspaces
        • Workspaces Reference
        • Workspace Examples
      • RBAC
        • RBAC Reference
        • RBAC Examples
      • Admins
        • API Reference
        • Examples
      • Developers
      • Consumer Groups
        • API Reference
        • Examples
      • Event Hooks
        • Event Hooks Reference
        • Examples
      • Audit Logging
      • Keyring and Data Encryption
      • Securing the Admin API
    • DB-less and Declarative Configuration
    • Configuration Reference
    • CLI Reference
    • Load Balancing Reference
    • Proxy Reference
    • Rate Limiting Library
    • Health Checks and Circuit Breakers Reference
    • Clustering Reference
    • Plugin Development Kit
      • kong.client
      • kong.client.tls
      • kong.cluster
      • kong.ctx
      • kong.ip
      • kong.log
      • kong.nginx
      • kong.node
      • kong.request
      • kong.response
      • kong.router
      • kong.service
      • kong.service.request
      • kong.service.response
      • kong.table
      • kong.vault
    • Plugin Development Guide
      • Introduction
      • File structure
      • Implementing custom logic
      • Plugin configuration
      • Accessing the datastore
      • Storing custom entities
      • Caching custom entities
      • Extending the Admin API
      • Writing tests
      • (un)Installing your plugin
    • Plugins in Other Languages
    • File Permissions Reference
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Prerequisites
  • Create an Application in Azure
  • Create a Service in Kong
  • Create a Route in Kong
  • Map the OIDC and Application Registration Plugins to the Service
    • Step 1: Configure the OIDC plugin for the Service
    • Step 2: Configure the Application Registration plugin for the Service
    • Step 3: Get an access token from Azure
    • Step 4: Convert an access token into a JWT token
  • Create an Application in Kong
  • Test your Authentication Flows with your Azure Application
    • Test Client Credentials Flow
    • Test Authorization Code Flow
  • Troubleshoot
You are browsing documentation for an older version. See the latest documentation here.

Set Up External Portal Application Authentication with Azure AD and OIDC
Available with Kong Gateway Enterprise subscription - Contact Sales

These instructions help you set up Azure AD as your third-party identity provider for use with the Kong OIDC and Portal Application Registration plugins.

Prerequisites

  • The portal_app_auth configuration option is configured for your OAuth provider and strategy (kong-oauth2 or external-oauth2). See Configure the Authorization Provider Strategy for the Portal Application Registration plugin.

Create an Application in Azure

  1. Within Azure, go to the App registrations service and register a new application.

  2. In Certificates & secrets, create a Client secret and save it in a secure location. You can only view the secret once.

  3. Under Manifest, update accessTokenAcceptedVersion=2 (default is null). The JSON for your application should look similar to this example:

Create a Service in Kong

Using cURL
Using HTTPie
curl -i -X PUT http://localhost:8001/services/httpbin-service-azure \
  --data 'url=https://httpbin.konghq.com/anything'
http PUT :8001/services/httpbin-service-azure \
  url=https://httpbin.konghq.com/anything

Create a Route in Kong

Using cURL
Using HTTPie
curl -i -X PUT http://localhost:8001/services/httpbin-service-azure/routes/httpbin-route-azure \
  --data 'paths=/httpbin-azure'
http -f PUT :8001/services/httpbin-service-azure/routes/httpbin-route-azure \
  paths=/httpbin-azure

Map the OIDC and Application Registration Plugins to the Service

Map the OpenID Connect and Application Registration plugins to the Service. The plugins must be applied to a Service to work properly.

Step 1: Configure the OIDC plugin for the Service

Using cURL
Using HTTPie
curl -X POST http://localhost:8001/services/httpbin-service-azure/plugins \
  --data name=openid-connect \
  --data config.issuer="https://login.microsoftonline.com/<your_tenant_id>/v2.0" \
  --data config.display_errors="true" \
  --data config.client_id="<your_client_id>" \
  --data config.client_secret="<your_client_secret>" \
  --data config.redirect_uri="https://example.com/api" \
  --data config.consumer_claim=aud \
  --data config.scopes="openid" \
  --data config.scopes="YOUR_CLIENT_ID/.default" \
  --data config.verify_parameters="false"
http -f :8001/services/httpbin-service-azure/plugins \
  name=openid-connect \
  config.issuer=https://login.microsoftonline.com/<your_tenant_id>/v2.0 \
  config.display_errors=true \
  config.client_id=<your_client_id> \
  config.client_secret="<your_client_secret>" \
  config.redirect_uri="https://example.com/api" \
  config.consumer_claim=aud \
  config.scopes=openid \
  config.scopes=<your_client_id>/.default \
  config.verify_parameters=false

For more information, see OIDC plugin.

Step 2: Configure the Application Registration plugin for the Service

Using cURL
Using HTTPie
curl -X POST http://localhost:8001/services/httpbin-service-azure/plugins \
  --data "name=application-registration"  \
  --data "config.auto_approve=true" \
  --data "config.description=Uses consumer claim with various values (sub, aud, etc.) as registration id to support different flows and use cases." \
  --data "config.display_name=For Azure" \
  --data "config.show_issuer=true"
http -f :8001/services/httpbin-service-azure/plugins \
  name=application-registration \
  config.auto_approve=true \
  config.display_name="For Azure" \
  config.description="Uses consumer claim with various values (sub, aud, etc.) as registration id to support different flows and use cases." \
  config.show_issuer=true

Step 3: Get an access token from Azure

Get an access token using the Client Credential workflow and convert the token into a JSON Web Token (JWT). Replace the placeholder values with your values for <your_tenant_id>, <your_client_id>,<your_client_secret>, and <admin-hostname>.

Get an access token from Azure:

Using cURL
Using HTTPie
curl -X POST https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0/token \
  --data scope="<your_client_id>/.default" \
  --data grant_type="client_credentials" \
  --data client_id="<your_client_id>" \
  --data client_secret="<your_client_secret>" \
https -f POST "https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0/token" \
  scope=<your_client_id>/.default \
  grant_type=client_credentials \
  -a <your_client_id>:<your_client_secret>

Step 4: Convert an access token into a JWT token

  1. Paste the access token obtained from the previous step into JWT.

  2. Click Share JWT to copy the value for the aud (audience) claim to your clipboard. You will use the aud value as your Reference ID in the next procedure.

Create an Application in Kong

  1. Log in to your Dev Portal and create a new application:
    1. Select the My Apps menu -> New Application.
    2. Enter the Name of your Azure application.
    3. Paste the aud value generated in JWT in the Reference ID field.
    4. (Optional) Enter a Description.
  2. Click Create.

  3. After you create your application, make sure you activate the Service. In the Services section of the Application Dashboard, click Activate on the Service you want to use.

    Because you enabled Auto-approve on the associated Application Registration Plugin, an admin won’t need to approve the request.

Test your Authentication Flows with your Azure Application

Follow these instructions to test your client credentials or authorization code flows with your Azure AD implementation.

Test Client Credentials Flow

Step 1: Get a token

Using cURL
Using HTTPie
$ curl -X POST "https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0/token" \
--data scope="<your_client_id>/.default" \
--data grant_type="client_credentials" \
--data client_id="<your_client_id>" \
--data client_secret="<your_client_secret>"
$ https -f POST "https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0/token" \
  scope=<your_client_id>/.default \
  grant_type=client_credentials \
  -a <your_client_id>:<your_client_secret> \
  --verify NO

Step 2: Use the token in an authorization header to retrieve the data

Using cURL
Using HTTPie
curl --header 'Authorization: bearer <token_from_above>' '<admin-hostname>:8000/httpbin-azure'
http :8000/httpbin-azure Authorization:'bearer <token_from_above>'

Replace <token_from_above> with the bearer token you generated in the previous step.

Test Authorization Code Flow

In your browser, go to http://localhost:8000/httpbin-azure.

You should be guided through a log in process within Azure and then the results delivered in your browser.

Troubleshoot

If you encounter any issues, review your data plane logs. Because you enabled display_errors=true on the OpenID Connect Plugin, you will receive more verbose error messages that can help pinpoint any issues.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025