Microsoft Entra ID SSO for Portainer

This guide shows how to integrate Portainer with Microsoft Entra ID using the built-in Microsoft OAuth provider.

Important licensing note

SSO features depend on the Portainer edition and licensing model available for your deployment. Validate your current Portainer edition and entitlement before starting.

Why integrate Portainer with Entra ID

Benefits:

  • central authentication
  • easier user lifecycle management
  • optional automatic user provisioning
  • team mapping based on group claims
  • reduced password sprawl

Prerequisites

  • Portainer is reachable over HTTPS
  • administrator access to Portainer
  • permission to create an app registration
  • Microsoft Entra tenant available

Step 1: Create the app registration

  • Platform: Web
  • Redirect URI: https://<portainer-domain>:9443

Record the Tenant ID, Application ID and Client Secret.

Step 2: Configure permissions

Use standard delegated sign-in permissions:

  • openid
  • profile
  • email

If you plan to use group-based team membership, also configure group claims in the token.

Step 3: Configure Portainer authentication

In Portainer go to Settings > Authentication > OAuth > Microsoft and configure:

  • Tenant ID
  • Application ID
  • Application key (the Client Secret recorded in Step 1)
  • SSO
  • automatic user provisioning as needed

Warning: Do not hide the internal authentication prompt until the external login is fully tested.

Step 4: Optional team mapping

If you want automated authorization:

  • enable group claims in the Entra app
  • use claim-based or regex-based mapping in Portainer
  • for Entra groups, use the group Object ID, not the display name, where Portainer expects the claim value
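One way to check the group claims from Step 4 before relying on them for authorization, as an added example that is not part of the original guide or Portainer's own code. It decodes a token payload for inspection only (no signature verification), flags values that are not Object IDs, and goes slightly beyond the guide by also detecting the case where Entra replaces the groups list with a `_claim_names` pointer; the mapping, team names and sample token are constructed.

```python
import base64
import json
import re

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed mapping: Entra group Object ID -> Portainer team name (hypothetical values).
TEAM_MAP = {
    "11111111-2222-3333-4444-555555555555": "platform-admins",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "developers",
}

def decode_payload(jwt):
    """Decode a compact JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_group_claims(claims, team_map=TEAM_MAP):
    """Return (teams, problems) for the groups claim of a decoded token."""
    groups = claims.get("groups")
    if groups is None:
        if "groups" in claims.get("_claim_names", {}):
            return [], ["groups overage: token points to _claim_sources instead of listing groups"]
        return [], ["no groups claim: check that group claims are enabled on the app registration"]
    teams, problems = [], []
    for g in groups:
        if not GUID_RE.fullmatch(g):
            problems.append(f"{g!r} is not an Object ID (display names will not match)")
        elif g.lower() in team_map:
            teams.append(team_map[g.lower()])
    return sorted(teams), problems

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    token = make_sample_token({"groups": ["11111111-2222-3333-4444-555555555555", "Portainer Admins"]})
    print(check_group_claims(decode_payload(token)))
```
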

Summary

Portainer and Microsoft Entra ID work well together when you combine a clean web app registration, standard delegated OIDC permissions, optional group claims and careful fallback access planning.