Expand Up @@ -12,82 +12,119 @@ next:
Make sure to associate your new Authentication Method with an Access Role to
grant the relevant permissions within Akeyless
---
The Azure AD authentication method enables authentication to Akeyless. Akeyless treats Azure as a trusted third party and verifies entities based on a JWT signed by Azure AD for the configured tenant.
This page discusses creating and using an Azure AD-based authentication method in Akeyless.

## Prerequisites
[Azure AD](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) authentication enables Azure workloads to authenticate to Akeyless by using Azure-issued identity tokens.

Depending on the Azure Identity type, enable the relevant [identity type](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) on your Azure resource.
## Creating an Azure AD Authentication Method

## Create an Azure AD Authentication Method with the CLI
This action is distinct from creating a new Akeyless account: it creates an additional Azure AD-based authentication method for an existing account.

Let's create a new Azure AD authentication method using the Akeyless CLI.
(You can also do this from the [Akeyless Console](https://docs.akeyless.io/docs/auth-with-azure#create-an-azure-ad-authentication-method-in-the-akeyless-console).)
Required Azure AD setting:

To create an Azure AD authentication method with the CLI, run the following command:
* **Bound Tenant ID:** Configure the Azure tenant ID that is allowed to authenticate by using this authentication method.

```shell
akeyless auth-method create azure-ad \
--name <Auth Method Name> \
--bound-tenant-id <Azure Tenant Id>
```

Where:

* `name`: A unique name for the authentication method. The name can include the path to the virtual folder where you want to create the new authentication method, using slash `/` separators. If the folder does not exist, it will be created together with the authentication method.

* `bound-tenant-id`: A comma-separated list of Azure tenant IDs that are allowed to authenticate to Akeyless using this authentication method.
Required Azure AD fields with default values:

You can find the complete list of additional parameters for this command in the [CLI Reference - Authentication](https://docs.akeyless.io/docs/cli-ref-auth#create) section.

## Configure Akeyless CLI With the Azure AD Authentication Method

To configure your CLI to work with Azure AD authentication, run the following command from an Azure VM with a system identity assigned:

```shell
akeyless configure --profile default --access-id <AccessID> --access-type azure_ad
akeyless get-cloud-identity --cloud-provider azure_ad
```
* **Custom Issuer URL:** Prefilled with `https://sts.windows.net/<bound-tenant-id>/`.
* **Custom JWKS URL:** Prefilled with `https://login.microsoftonline.com/common/discovery/keys`.
* **Custom Audience URL:** Prefilled with `https://management.azure.com/`.

## Create an Azure AD Authentication Method in the Akeyless Console
### Azure Identity Prerequisite

1. Log in to the Akeyless Console and go to **Users & Auth Methods > New > Azure Active Directory**.
Enable a [managed identity](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) on the Azure resource that authenticates to Akeyless. You can use either a **system-assigned** identity (tied to a single resource lifecycle) or a **user-assigned** identity (reusable across multiple resources). Make sure the identity is enabled on the source workload before running `akeyless configure` or `akeyless auth` with `azure_ad`.

2. Define a **Name** for the authentication method, and specify the **Location** as a path to the virtual folder where you want to create the new authentication method, using slash `/` separators. If the folder does not exist, it will be created together with the authentication method.
### Creating an Azure AD Authentication Method with the Console

3. Define the remaining parameters as follows:
To create a new Azure AD-based authentication method with the Console:

* **Expiration Date:** Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.
1. In the Console, under **Administration**, navigate to **Users & Auth Methods**.
2. Select **+ New**. This opens the **Create Authentication Method** form.
3. On the **Type** selection screen, select **Azure AD**, then **Next →**.
4. Enter a name for the Authentication Method in the **Name** field. Optionally, include a path using `/` separators to place the Authentication Method in a virtual folder, then select **Next →**.
5. Configure Azure AD-specific fields, such as **Bound Tenant ID**. For field details, see [Azure AD-Specific Optional Features](#azure-ad-specific-optional-features), then select **Next →**.
6. Configure Advanced Azure AD-specific fields, then select **Finish**.

* **Allowed Client IPs:** Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean cURL, SDK, and so on. This parameter is optional. Leave it empty for unrestricted access.
### Creating an Azure AD Authentication Method with the CLI

* **Allowed Trusted Gateway IPs:** Comma-separated CIDR blocks. If specified, the Gateway using this IP range will be trusted to forward the original client IP. If empty, the Gateway's IP address will be used.
To create an Azure AD-based authentication method with the CLI:

* **Audit Log Sub Claims:** Enter a comma-separated list of sub-claims keys to be included in the Audit Logs.

* **Allowed Client Type:** Select the allowed client type that will be authorized to use this authentication method. For example, `CLI`, `SDK`, `Gateway Admin`.
```shell
akeyless auth-method create azure-ad \
--name <Azure AD Auth Method Name> \
--bound-tenant-id <Azure Tenant ID>
```

* **Bound Tenant ID:** Enter a comma-separated list of Azure tenant IDs for which access is allowed.
[Read about more parameters available when creating an Azure AD-based authentication method.](https://docs.akeyless.io/docs/cli-ref-auth#create)

* **Custom Issuer URL:** The default value is `https://sts.windows.net/`\<bound-tenant-id>.
## Using an Azure AD Authentication Method

* **Custom JWKS URL:** The URL to the JSON Web Key Set (JWKS) containing the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server. Default value is `https://login.microsoftonline.com/common/discovery/keys`.
### Using an Azure AD Authentication Method with the CLI

* **Custom Audience URL:** The default value is `https://management.azure.com/`.
To use an Azure AD-based authentication method with a CLI profile, run the [Akeyless configure command](https://docs.akeyless.io/docs/cli-reference#configure) from an Azure resource with managed identity enabled:

* **Bound Service Principal IDs:** Enter a comma-separated list of Azure AD Service Principal IDs for which access is allowed. This parameter is optional. Leave it empty for unrestricted access.
```shell
akeyless configure \
--profile default \
--access-id <Access ID> \
--access-type azure_ad
```

* **Bound Subscriptions IDs:** Enter a comma-separated list of subscription IDs for which access is allowed. This parameter is optional. Leave it empty for unrestricted access.
For Azure US Government or Azure China, also set `--azure-cloud` to `AzureUSGovernment` or `AzureChinaCloud`.

* **Bound Resource Groups:** Enter a comma-separated list of Resource Groups for which access is allowed. This parameter is optional. Leave it empty for unrestricted access.
> ℹ️ **Note:**
>
> Identities that require `--azure-cloud` (for example, Azure US Government or Azure China) are not supported for use as a Gateway identity.

* **Bound Resource Providers:** Enter a comma-separated list of resource providers for which access is allowed (for example, `Microsoft.Compute`, `Microsoft.ManagedIdentity`, and so on). This parameter is optional. Leave it empty for unrestricted access.
To inspect the cloud identity token, run the [Akeyless get-cloud-identity command](https://docs.akeyless.io/docs/cli-ref-auth#get-cloud-identity):

* **Bound Resource Types:** Enter a comma-separated list of resource types for which access is allowed (for example, `virtualMachines`, `userAssignedIdentities`, and so on). This parameter is optional. Leave it empty for unrestricted access.
```shell
akeyless get-cloud-identity \
--cloud-provider azure_ad
```

* **Bound Resource Names:** Enter a comma-separated list of resource names for which access is allowed (for example, a virtual machine name, scale set name, and so on). This parameter is optional. Leave it empty for unrestricted access.
For Azure US Government or Azure China, also set `--azure-cloud` to `AzureUSGovernment` or `AzureChinaCloud`.

* **Bound Resource IDs:** Enter a comma-separated list of Resource IDs for which access is allowed. This parameter is optional. Leave it empty for unrestricted access.
To authenticate and retrieve a temporary Akeyless token, run the [Akeyless auth command](https://docs.akeyless.io/docs/cli-ref-auth#auth):

* **Unique Identifier:** Optional, a unique identifier (ID) value that contains details uniquely identifying that resource. This sub-claim name is used to distinguish between different identities.
```shell
akeyless auth \
--access-id <Access ID> \
--access-type azure_ad
```

4. Click **Finish**.
For Azure US Government or Azure China, also set `--azure-cloud` to `AzureUSGovernment` or `AzureChinaCloud`.

## Optional Features

For optional features that apply across Authentication Methods, see [Common Optional Features](https://docs.akeyless.io/docs/access-and-authentication-methods#common-optional-features).

### Azure AD-Specific Optional Features

* **Bound Group IDs:** Limit authentication to one or more Azure AD group IDs.
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-group-id`.
* **Bound Resource Groups:** Limit authentication to resources in one or more Azure resource groups.
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-rg-id`.
* **Bound Resource IDs:** Limit authentication to one or more full Azure resource IDs.
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-resource-id`.
* **Bound Resource Names:** Limit authentication to one or more Azure resource names.
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-resource-names`.
* **Bound Resource Providers:** Limit authentication to one or more Azure resource providers (for example, `Microsoft.Compute`, `Microsoft.ManagedIdentity`).
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-providers`.
* **Bound Resource Types:** Limit authentication to one or more Azure resource types (for example, `virtualMachines`, `userAssignedIdentities`).
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-resource-types`.
* **Bound Service Principal IDs:** Limit authentication to one or more Azure AD service principal IDs.
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-spid`.
* **Bound Subscription IDs:** Limit authentication to one or more Azure subscription IDs.
In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-sub-id`.
* **Custom Audience URL:** Override the expected audience claim value.
Global default is `https://management.azure.com/`.
For Azure US Government, use `https://management.usgovcloudapi.net/`.
For Azure China, use `https://management.chinacloudapi.cn/`.
CLI note: the `--audience` flag is supported but marked deprecated.
* **Custom Issuer URL:** Override the issuer URL used to validate Azure-issued tokens. If not set, the default pattern is `https://sts.windows.net/<bound-tenant-id>/`.
* **Custom JWKS URL:** Override the JSON Web Key Set (JWKS) endpoint used for JWT signature verification.
Global default is `https://login.microsoftonline.com/common/discovery/keys`.
For Azure US Government, use `https://login.microsoftonline.us/common/discovery/keys`.
For Azure China, use `https://login.chinacloudapi.cn/common/discovery/keys`.
* **Unique Identifier:** Set a sub-claim key used to uniquely identify authenticated Azure principals.
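Review bot: step 5 of the Console procedure ("Configure Azure AD-specific fields, such as **Bound Tenant ID**. For field details, see [Azure AD-Specific Optional Features]") sends readers to a section that never describes Bound Tenant ID, and the field is introduced higher up as the one required setting rather than an optional feature; either add a Bound Tenant ID entry to that section or point step 5 at the "Required Azure AD setting" list instead. Related: the previous list stated for every bound field that leaving it empty means unrestricted access, and the rewritten "Azure AD-Specific Optional Features" entries drop that sentence, so the page no longer says plainly that with only `--bound-tenant-id` set, any managed identity or service principal in that tenant can authenticate to the access ID; one sentence at the top of that section restoring the default-is-unrestricted semantics would keep the trust boundary clear to readers. Smaller points: the sentence "For Azure US Government or Azure China, also set `--azure-cloud` to `AzureUSGovernment` or `AzureChinaCloud`." is repeated verbatim after each of the three CLI blocks and could be stated once; the Custom Issuer URL entry gives no sovereign-cloud alternates while the neighbouring Custom Audience URL and Custom JWKS URL entries do, so say whether the `https://sts.windows.net/<bound-tenant-id>/` pattern also changes for those clouds; and the CLI section lost the short descriptions of `--name` (path with `/` separators, folder auto-created) and `--bound-tenant-id` (comma-separated list of tenant IDs) that the earlier version had directly under the command, which are worth keeping next to the CLI reference link.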