Microsoft Entra ID SSO for Portainer
This guide shows how to integrate Portainer with Microsoft Entra ID using the built-in Microsoft OAuth provider.
Important licensing note
SSO features depend on the Portainer edition and licensing model available for your deployment. Validate your current Portainer edition and entitlement before starting.
Why integrate Portainer with Entra ID
Benefits:
- central authentication
- easier user lifecycle management
- optional automatic user provisioning
- team mapping based on group claims
- reduced password sprawl
Prerequisites
- Portainer is reachable over HTTPS
- administrator access to Portainer
- permission to create an app registration
- Microsoft Entra tenant available
Step 1: Create the app registration
Recommended settings:
- Platform: Web
- Redirect URI: https://<portainer-domain>:9443
Record the Tenant ID, Application ID and Client Secret.
Step 2: Configure permissions
Use standard delegated sign-in permissions:
- openid
- profile
- email
If you plan to use group-based team membership, also configure group claims in the token.
Step 3: Configure Portainer authentication
In Portainer go to Settings > Authentication > OAuth > Microsoft and configure:
- Tenant ID
- Application ID
- Application key
- SSO
- automatic user provisioning as needed
Warning: Do not hide the internal authentication prompt until the external login is fully tested.
Step 4: Optional team mapping
If you want automated authorization:
- enable group claims in the Entra app
- use claim-based or regex-based mapping in Portainer
- for Entra groups, use the group Object ID, not the display name, where Portainer expects the claim value
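Before relying on team mapping, it helps to check what the group claim in a test sign-in token actually contains. The following is an added example, not Portainer's or Microsoft's code: it decodes a token payload for inspection only (no signature verification) and flags a missing claim, values that are not Object IDs, and Entra's group overage case, where `_claim_names` replaces the group list. The Object IDs, team names and `TEAM_MAP` (a stand-in for the mapping configured in Portainer) are constructed for illustration.

```python
import base64
import json
import re

# Entra group Object IDs are GUIDs; anything else is likely a display name.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def review_groups(claims, team_map):
    """Return (teams, problems) for the group claim of a decoded token."""
    teams, problems = [], []
    if "groups" in claims.get("_claim_names", {}):
        # Entra overage: too many groups, so the token lists none of them.
        problems.append("group overage: groups are not listed in the token")
    elif "groups" not in claims:
        problems.append("no groups claim: enable group claims in the Entra app")
    for value in claims.get("groups", []):
        if not GUID.match(str(value)):
            problems.append(f"{value!r} is not an Object ID")
        elif value in team_map:
            teams.append(team_map[value])
    return teams, problems

def make_token(claims):
    """Build an unsigned sample token (constructed, not issued by Entra)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

# Constructed Object IDs and team names, for illustration only.
TEAM_MAP = {"11111111-2222-3333-4444-555555555555": "ops",
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "dev"}
SAMPLES = {
    "object ids": {"groups": ["11111111-2222-3333-4444-555555555555"]},
    "display name": {"groups": ["Portainer-Ops"]},
    "overage": {"_claim_names": {"groups": "src1"}},
    "no claim": {"preferred_username": "user@example.com"},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        teams, problems = review_groups(jwt_claims(make_token(claims)), TEAM_MAP)
        print(f"{label}: teams={teams} problems={problems}")
```

A token that reports overage or display names will sign the user in but leave them without the expected team membership, so test with an account that belongs to the mapped groups.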
Summary
Portainer and Microsoft Entra ID work well together when you combine a clean web app registration, standard delegated OIDC permissions, optional group claims and careful fallback access planning.