Microsoft Entra ID + OpenID Configuration

This page outlines how to integrate Microsoft Entra ID (formerly Azure Active Directory) with Cribl Stream’s SSO/OpenID Connect authentication.

Configure Microsoft Entra ID App

Start at the Azure portal to configure an OpenID Connect provider: https://portal.azure.com/.

Register Your Microsoft Entra ID App

  1. Open the Microsoft Entra ID Service.

  2. In the left nav’s Manage section, select App registrations.

  3. Add a new registration. For details, see Microsoft’s Quickstart: Register an Application topic.
    In the example below, substitute the callback URL of your own Cribl Stream Leader instance for https://leader.cribl.io:9000/api/v1/auth/authorization-code/callback. Entra ID matches redirect URIs exactly, so the scheme, host, port, and path you register must be identical to the URL Cribl Stream sends in the authorization request; a mismatch fails the login at the Azure side before any token is issued.

Registering a Microsoft Entra ID app

Get the Microsoft Entra ID App’s Basic Credentials

You’ll need to copy and paste these credentials into Cribl Stream’s Authentication page below.

  1. You can find the OIDC Client ID on the new app’s Overview page, as the Application (client) ID.
Finding the OIDC Client ID
  2. Click the Endpoints button at the top of the page to display the OAuth endpoints. You can use either the v2 or the v1 endpoints.
Copying OAuth 2 v2 endpoints

Create and Copy a Client Secret

  1. To create a client secret: From the Azure portal’s left nav, select Certificates & secrets. Then select New client secret.
Accessing client secrets
  2. Add a new client secret with a descriptive name and an expiration timeframe.
Adding a client secret
  3. Click Add.

  4. Immediately copy the Value from the resulting page. This is what you’ll paste into Cribl Stream’s Authentication > Client secret field below. (The Secret ID shown beside it only identifies the secret in the portal; Cribl Stream does not use it.)

Copy that secret!

This is the only time the secret is shown! Make sure you copy it while it’s visible. (If you missed your chance, you can start over by creating a new secret.) Also record the expiration date you chose: when the secret expires, Cribl Stream can no longer complete the token exchange and SSO logins fail, so create and install a replacement secret before that date.

Configure Token and Claims

Here, you’ll add the groups claim to the OIDC ID token.

  1. From the Azure portal’s left nav, select Token configuration, then select Add groups claim.
Configuring a token
  2. Configure the groups claim as necessary, then click Add.
Editing the groups claim

Unless you synchronize Entra ID with your on-premises Active Directory, the groups claim carries only group object IDs (GUIDs), not group names. If you have synchronized, you can instead configure the claim to return each group’s sAMAccountName.

In the Group claims modal (shown below), check the Emit group name for cloud-only groups checkbox so that cloud-only groups, which have no sAMAccountName, emit their display name rather than their object ID.

Note also that if a user belongs to more than 200 groups, Entra ID omits the groups claim from the token entirely and emits an overage indicator (_claim_names and _claim_sources) instead. Such a user would map to no Cribl Stream Role at all. Limit the claim (for example, to groups assigned to the application) so that the groups you map always fit in the token.

Editing the groups claim
  3. Your token is now configured, and you’re all done on the Azure side.
Microsoft Entra ID token configuration complete

Configure Cribl Stream Authentication

Switch to Cribl Stream, and navigate to its Settings > [Global Settings >] Access Management > Authentication page. Configure the fields as follows:

  • Type: OpenID Connect. This will expose relevant fields, setting several default values and placeholders.

  • Provider name: Enter an arbitrary identifier for this Azure AD integration.

  • Audience: Enter your Cribl Stream Leader instance’s base URL. Use the format: https://<your‑domain.ext>:9000 (do not use a trailing slash).

  • Client ID: Enter your Microsoft Entra ID Application (client) ID. (In the Azure portal, see above to copy this from your app’s Overview page.)

  • Client secret: Enter the Client secret > Value that you earlier generated and copied from the Azure app’s Certificates & secrets page.

  • Scope: Accept the default openid profile email scopes.

  • Authentication URL: Paste the OAuth 2.0 authorization endpoint that you copied above from the Azure app’s Overview > Endpoints drawer.

  • Token URL: Paste the OAuth 2.0 token endpoint that you copied above from the Azure app’s Overview > Endpoints drawer.

  • User Info URL, Logout URL: Leave both fields blank.

  • User identifier: Adjust this to match the endpoint version (v1 or v2) you chose above. v2 tokens carry the preferred_username, name, and email claims, which match this field’s default values.
    v1 tokens include only name from that default set, so an entry such as `${unique_name || upn || username || name}` works: the expression resolves to the first claim that is present. Keep a claim that uniquely identifies the account (unique_name, upn, or preferred_username) ahead of name, which is a mutable display name that need not be unique. To see exactly which claims your tokens carry, enable debug-level logging on Cribl Stream’s auth:sso channel.

  • Change the Filter type to User info filter.

  • Optionally, enable Allow local auth as a fallback login method. Keep it enabled at least until you have verified an SSO login end to end, so that a misconfiguration (a wrong endpoint, an expired client secret) cannot lock you out of the Leader. Once SSO works, decide deliberately whether to keep it: local auth is a useful break-glass path when the IdP is unavailable, but it is also a password-based login that your Entra ID policies (MFA, Conditional Access) do not cover.
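To see why the User identifier expression has to change between v1 and v2 tokens, it helps to look at the claims each version actually carries. The following is an added example, not code from Cribl or Microsoft: it builds two constructed, unsigned sample ID-token payloads (placeholder tenant, client, and group IDs), peeks at their claims the way the auth:sso debug log would show them, and emulates the `${a || b || c}` fallback. The default field order is assumed from the page’s description of the defaults; the v1 order is the expression suggested above.

```python
import base64
import json

# Constructed sample ID-token payloads (NOT real Entra ID tokens; tenant, client
# and group IDs are placeholders), shaped like a v1 and a v2 token for one user.
SAMPLE_V1_CLAIMS = {
    "ver": "1.0",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "aud": "11111111-1111-1111-1111-111111111111",
    "unique_name": "alice@contoso.example",
    "upn": "alice@contoso.example",
    "name": "Alice Example",
    "groups": ["22222222-2222-2222-2222-222222222222"],
}
SAMPLE_V2_CLAIMS = {
    "ver": "2.0",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "preferred_username": "alice@contoso.example",
    "name": "Alice Example",
    "email": "alice@contoso.example",
    "groups": ["22222222-2222-2222-2222-222222222222"],
}

# Assumed order of the field's defaults, per the page's description (v2 claims).
DEFAULT_IDENTIFIER_FIELDS = ("preferred_username", "name", "email")
# The v1 expression suggested on the page: ${unique_name || upn || username || name}
V1_IDENTIFIER_FIELDS = ("unique_name", "upn", "username", "name")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_sample_jwt(claims):
    """Build an alg=none JWT from a claims dict, purely to inspect claim shapes
    offline. No IdP issues such a token and no client may ever accept one."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def peek_claims(token):
    """Return a JWT's payload WITHOUT verifying the signature. Use it only to
    see which claims an IdP emits, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def token_version(claims):
    """Entra ID stamps 'ver' as '1.0' or '2.0'; treat a missing claim as v1."""
    return "v2" if claims.get("ver") == "2.0" else "v1"


def resolve_user_identifier(claims, fields=DEFAULT_IDENTIFIER_FIELDS):
    """Emulate a `${a || b || c}` fallback: first claim present and non-empty."""
    for field in fields:
        value = claims.get(field)
        if value:
            return value
    return None


def identifier_fields_for(claims):
    """Pick the identifier expression that matches the token version."""
    return DEFAULT_IDENTIFIER_FIELDS if token_version(claims) == "v2" else V1_IDENTIFIER_FIELDS


if __name__ == "__main__":
    for label, claims in (("v1", SAMPLE_V1_CLAIMS), ("v2", SAMPLE_V2_CLAIMS)):
        seen = peek_claims(make_unsigned_sample_jwt(claims))
        print(label, "with defaults  ->", resolve_user_identifier(seen))
        print(label, "version-aware  ->", resolve_user_identifier(seen, identifier_fields_for(seen)))
```

Run against the v1 sample, the default field order resolves to "Alice Example" (the display name, because neither preferred_username nor email is in the token), while the v1 expression resolves to the account's unique_name. That is the practical reason for putting a unique, stable claim first: a display name can be changed in the directory, and two accounts can share one.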

Sample Cribl Stream Authentication Settings for Azure AD (v2 endpoints)
Sample User identifier entry for v1 endpoints

Map Microsoft Entra ID Groups to Cribl Stream Roles

Next, map your Microsoft Entra ID groups to Cribl Stream Roles. Unless you configured the groups claim to emit names (see above), the values in the claim are group object IDs (GUIDs). Look up each group on the Microsoft Entra ID Groups page, where its Object Id is shown. Place the GUID in the mappings box, then choose the Cribl Stream Role to grant.

Mapping on object IDs is the safer choice even when names are available: an Entra ID group’s display name is not required to be unique and can be changed, whereas its object ID is immutable, so a name-based mapping can be satisfied by a different group than the one you intended. Here is a simple example.
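The mapping logic below is an added example, not Cribl Stream’s implementation, written to show the two failure modes a practitioner should check for when mapping the groups claim to Roles: a group value that is a display name rather than an object ID (which this example refuses to map), and the groups overage case, where the claim is missing and replaced by _claim_names/_claim_sources. The group IDs, the role names, and the overage payload are placeholders constructed for the example.

```python
import uuid

# Hypothetical mapping from Entra ID group object IDs (placeholders) to Cribl
# Stream role names. Keys are canonical lowercase GUIDs.
ROLE_MAPPINGS = {
    "22222222-2222-2222-2222-222222222222": "admin",
    "33333333-3333-3333-3333-333333333333": "editor",
    "44444444-4444-4444-4444-444444444444": "reader",
}

# Constructed claim sets: one normal token, one with the groups claim omitted
# because the user is in too many groups (Entra ID's overage form).
SAMPLE_CLAIMS = {
    "groups": [
        "22222222-2222-2222-2222-222222222222",   # mapped -> admin
        "55555555-5555-5555-5555-555555555555",   # not in the mapping
    ]
}
OVERAGE_CLAIMS = {
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder/getMemberObjects"}},
}


class GroupsOverageError(Exception):
    """The IdP replaced the groups claim with an overage pointer."""


def is_object_id(value):
    """True if the claim value is a GUID (object ID) rather than a group name."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def has_groups_overage(claims):
    """True when `groups` is absent but _claim_names says it was moved to Graph."""
    return "groups" not in claims and "groups" in claims.get("_claim_names", {})


def groups_from_claims(claims):
    """Extract the groups claim, surfacing overage instead of silently
    treating it as 'no groups' (which would grant the user no role at all)."""
    if "groups" in claims:
        return list(claims["groups"])
    if has_groups_overage(claims):
        raise GroupsOverageError(
            "groups claim omitted (overage); restrict the claim, e.g. to groups "
            "assigned to the application, so mapped groups fit in the token"
        )
    return []


def roles_for_claims(claims, mappings=ROLE_MAPPINGS):
    """Resolve Cribl roles from group object IDs. Unknown groups grant nothing,
    and name-shaped values are ignored: display names are neither unique nor
    immutable, so they are not a safe key for an authorization decision."""
    roles = set()
    for group in groups_from_claims(claims):
        if not is_object_id(group):
            continue
        canonical = str(uuid.UUID(str(group)))   # lowercase, hyphenated form
        role = mappings.get(canonical)
        if role:
            roles.add(role)
    return roles


if __name__ == "__main__":
    print("normal token ->", roles_for_claims(SAMPLE_CLAIMS))
    try:
        roles_for_claims(OVERAGE_CLAIMS)
    except GroupsOverageError as err:
        print("overage token ->", err)
```

The GUID comparison is done on the canonical lowercase form, so an ID pasted from the portal in uppercase still matches. If you do enable name emission for cloud-only groups, the mapping here deliberately drops those values; map the group by its object ID instead.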

Microsoft Entra ID groups…
…mapped to Cribl Stream Roles