This tutorial demonstrates how to configure Microsoft Entra ID (formerly Azure Active Directory) as the cluster identity provider in Red Hat OpenShift Service on AWS (ROSA). This tutorial walks through the creation of an Microsoft Entra ID (Entra ID) application and configure Red Hat OpenShift Service on AWS (ROSA) to authenticate using Azure AD.

This tutorial walks through the following steps:

  1. Register a new application in Entra ID for authentication.

  2. Configure the application registration in Entra ID to include optional and group claims in tokens.

  3. Configure the OpenShift cluster to use Entra ID as the identity provider.

  4. Grant additional permissions to individual groups.


Create a set of security groups and assign users by following the Microsoft documentation.

Register a new application in Entra ID for authentication

  1. Capture the OAuth callback URL

    First, construct the cluster’s OAuth callback URL and make note of it. To do so, run the following command, making sure to replace the variable specified:

    The "AAD" directory at the end of the OAuth callback URL should match the OAuth identity provider name you’ll setup later.

    $ domain=$(rosa describe cluster -c <cluster_name> | grep "DNS" | grep -oE '\S+.openshiftapps.com')
    $ echo "OAuth callback URL: https://oauth-openshift.apps.$domain/oauth2callback/AAD"
  2. Register a new application in Entra ID

    You need to create the Entra ID application itself. To do so, log in to the Azure portal, and navigate to App registrations blade, and click on "New registration" to create a new application.

    Azure Portal - App registrations blade

    Provide a name for the application, for example openshift-auth. Select "Web" from the Redirect URI dropdown and fill in the Redirect URI using the value of the OAuth callback URL you retrieved in the previous step. Once you fill in the necessary information, click "Register" to create the application.

    Azure Portal - Register an application page

    Then, click on the "Certificates & secrets" sub-blade and select "New client secret". Fill in the details request and make note of the generated client secret value, as you’ll use it in a later step. You won’t be able to retrieve it again.