Azure (Deprecated) - Oauth2 Proxy

:::note This is the legacy and deprecated provider for Azure, use Microsoft Entra ID if possible. :::

Config Options

Flag	Toml Field	Type	Description	Default
`--azure-tenant`	`azure_tenant`	string	go to a tenant-specific or common (tenant-independent) endpoint.	`"common"`
`--resource`	`resource`	string	The resource that is protected (Azure AD only)

Usage

Add an application: go to https://portal.azure.com, choose Azure Active Directory, select App registrations and then click on New registration.
Pick a name, check the supported account type(single-tenant, multi-tenant, etc). In the Redirect URI section create a new Web platform entry for each app that you want to protect by the oauth2 proxy(e.g. https://internal.yourcompanycom/oauth2/callback). Click Register.
Next we need to add group read permissions for the app registration, on the API Permissions page of the app, click on Add a permission, select Microsoft Graph, then select Application permissions, then click on Group and select Group.Read.All. Hit Add permissions and then on Grant admin consent (you might need an admin to do this).

IMPORTANT: Even if this permission is listed with "Admin consent required=No" the consent might actually be required, due to AAD policies you won't be able to see. If you get a "Need admin approval" during login, most likely this is what you're missing! 4. Next, if you are planning to use v2.0 Azure Auth endpoint, go to the Manifest page and set "accessTokenAcceptedVersion": 2 in the App registration manifest file. 5. On the Certificates & secrets page of the app, add a new client secret and note down the value after hitting Add. 6. Configure the proxy with:

for V1 Azure Auth endpoint (Azure Active Directory Endpoints - https://login.microsoftonline.com/common/oauth2/authorize)

   --provider=azure
   --client-id=<application ID from step 3>
   --client-secret=<value from step 5>
   --azure-tenant={tenant-id}
   --oidc-issuer-url=https://sts.windows.net/{tenant-id}/

for V2 Azure Auth endpoint (Microsoft Identity Platform Endpoints - https://login.microsoftonline.com/common/oauth2/v2.0/authorize)

   --provider=azure
   --client-id=<application ID from step 3>
   --client-secret=<value from step 5>
   --azure-tenant={tenant-id}
   --oidc-issuer-url=https://login.microsoftonline.com/{tenant-id}/v2.0

Notes:

When using v2.0 Azure Auth endpoint (https://login.microsoftonline.com/{tenant-id}/v2.0) as --oidc_issuer_url, in conjunction with --resource flag, be sure to append /.default at the end of the resource name. See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope for more details.
When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the redis session storage should resolve this.