
Microsoft Entra ID SSO for Proxmox


This guide shows how to configure Proxmox VE to use Microsoft Entra ID through OpenID Connect (OIDC).

What this integration does

This setup enables Microsoft-based sign-in to the Proxmox web interface through an OIDC realm.

It does not automatically replace all node-level Linux authentication paths. Authorization inside Proxmox still needs to be designed separately.

Prerequisites

• Proxmox VE is deployed and reachable via HTTPS, and you have access to Datacenter > Realms.
• You have permission to create an app registration in Microsoft Entra ID and to grant it the delegated standard rights.

Proxmox supports various external authentication services via protocols such as Active Directory, LDAP or OpenID Connect. We will use the latter for the Microsoft Entra ID connection and SSO functionality.

Limitations

Proxmox can create user objects automatically, but is otherwise relatively limited compared to other applications, as it does not use the OAuth 2.0 standard but only handles logins via OpenID Connect. These limitations must be taken into account when introducing this setup.

In addition, logins will only be possible for the web GUI. Login on the individual cluster nodes is still handled by the Linux authentication of each host. This means that no console connections to the host shells can be made with Microsoft Entra ID user objects.

Create App Registration

Step 1: Create the app registration

First, an app registration including a client secret must be created in Microsoft Entra ID. All settings can be left at their default values. The important settings are the Redirect URIs under the Authentication tab. Set these URIs to the external public or internal DNS name under which users can reach Proxmox consistently; Microsoft Entra ID uses them to know where to redirect the user after sign-in.

• Platform: Web
• Redirect URI: https://proxmox.yourdomain.com/ (use the exact URL expected by your Proxmox OIDC realm configuration)

Record the Tenant ID, Client ID and Client Secret.

Step 2: Add basic sign-in scopes

Add the corresponding OpenID Connect permissions as delegated permissions and grant admin consent for your tenant.

• Permissions: delegated OpenId permissions (email, offline_access, openid, profile)

Typical scopes are openid, profile and email. Use group claims only if your authorization design requires them.

Step 3: Create a client secret

Create a client secret for the OIDC application and save the tenant ID, application ID and client secret in your password manager. You can find instructions for obtaining this information here: Get app details and grant permissions to app registration

Set up the Microsoft Entra ID realm in Proxmox

This step requires the authentication details (Tenant ID, Client ID, Client Secret) from the first step.

In the Proxmox web interface select "Datacenter" -> "Realms" -> "Add" -> "OpenID Connect Server". There you can enter the credentials from Microsoft Entra ID. Typical values:

• Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
• Realm: the ID of the authentication provider in Proxmox. Use a short lowercase identifier without special characters.
• Client ID: the Client ID from the app registration in your Microsoft Entra ID.
• Client Key: the client secret.
• Default: if this box is checked, this realm is the default auth provider on the sign-in screen.
• Autocreate Users (optional): if enabled, every user who has permission to sign in to your app registration is automatically created as a user object in Proxmox. As you can still manage who may sign in within the app registration, this is usually recommended.
• Scopes: the scopes with which the Access Token is requested at login; they determine which attributes of the Microsoft Entra ID user object are received. Start with the standard OIDC scopes; the default values are usually sufficient.
• Prompt: defines which action Proxmox should perform when users log in. The default options are sufficient for the Microsoft Entra ID login.
• Comment: a name that is displayed to the end user on the login screen in the auth provider selection.

After these settings are properly configured, your users should be able to sign in to the Proxmox web interface. After sign-in, the default group, role and permission mechanisms of Proxmox apply.
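The same realm values as an added example that is not part of this guide: a POSIX shell helper that validates the realm ID, tenant ID and client ID before assembling the equivalent `pveum realm add` command, Proxmox's CLI counterpart of the dialog described above. The GUIDs and the ENTRA_CLIENT_SECRET variable name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the guide: pre-flight checks on the realm values,
# then the equivalent `pveum realm add` command for the dialog described above.
# All IDs below are constructed placeholders.

# Realm ID as the guide requires it: lowercase, no special characters.
valid_realm() {
  case "$1" in
    ''|*[!a-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Entra tenant and client IDs are GUIDs; reject anything else before it
# lands in the Issuer URL or the realm configuration.
valid_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Entra v2.0 issuer, exactly as entered in the Issuer URL field.
issuer_url() {
  printf 'https://login.microsoftonline.com/%s/v2.0' "$1"
}

# Print (do not run) the pveum command. The client secret stays a shell
# variable reference, so it appears neither in this script nor in its output.
# The realm is deliberately not made --default: the local login stays the
# default until the OIDC sign-in has been tested.
build_realm_cmd() {
  realm=$1; tenant=$2; client_id=$3
  valid_realm "$realm" || { echo "realm id must be lowercase alphanumeric" >&2; return 1; }
  valid_guid "$tenant" || { echo "tenant id is not a GUID" >&2; return 1; }
  valid_guid "$client_id" || { echo "client id is not a GUID" >&2; return 1; }
  printf 'pveum realm add %s --type openid --issuer-url %s --client-id %s --client-key "$ENTRA_CLIENT_SECRET" --scopes "openid profile email" --username-claim email --autocreate 1 --comment "Microsoft Entra ID"\n' \
    "$realm" "$(issuer_url "$tenant")" "$client_id"
}

# Constructed placeholder IDs; prints the command for review.
build_realm_cmd entra 11111111-2222-3333-4444-555555555555 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
```

Export ENTRA_CLIENT_SECRET in the shell before running the printed command, and note the secret's expiry date in Entra ID: an expired secret breaks every OIDC login while the local realms keep working.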

Best practices

• Keep one local emergency admin path.
• Do not set the OIDC realm as default before testing.
• Use a dedicated Entra security group for Proxmox access.
• Document the role mapping and the post-login permission model.

Summary

Microsoft Entra ID with Proxmox is a solid OIDC-based SSO pattern for the web UI, but it must be paired with a clear Proxmox authorization design and a tested fallback admin path.