
Microsoft Entra ID SSO for Proxmox

This guide shows how to configure Proxmox VE to use Microsoft Entra ID through OpenID Connect (OIDC).

What this integration does

This setup enables Microsoft-based sign-in to the Proxmox web interface through an OIDC realm.

It does not automatically replace all node-level Linux authentication paths. Authorization inside Proxmox still needs to be designed separately.

Prerequisites

  • Proxmox VE deployed and reachable via HTTPS
  • access to Datacenter > Realms
  • permission to create an app registration in Microsoft Entra ID
  • a public or internal DNS name that users can reach consistently

Step 1: Create the app registration

  • Platform: Web
  • Redirect URI: use the exact URL expected by your Proxmox OIDC realm configuration

Record the Tenant ID, Client ID and Client Secret.

Step 2: Add basic sign-in scopes

Typical scopes:

  • openid
  • profile
  • email

Use group claims only if your authorization design requires them.

Step 3: Create the OIDC realm in Proxmox

Typical values:

  • Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
  • Client ID: app registration client ID
  • Client Key: client secret
  • Realm: short lowercase identifier
  • Autocreate Users: optional
  • Scopes: start with standard OIDC scopes
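
The same realm can be created from a node shell with `pveum realm add`. The helper below is an added example, not part of the original guide: it validates the values recorded in Step 1 and prints the command for review instead of running it. The realm name rule, the `ENTRA_CLIENT_SECRET` variable name and the sample IDs are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original guide): dry-run helper for Step 3.
# It validates the recorded values and prints the pveum command for review;
# it does not run pveum and never handles the secret itself.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges ASCII-only

# Entra tenant and client IDs are GUIDs (8-4-4-4-12 hex digits).
is_guid() {
  case $1 in *[!0-9a-fA-F-]*) return 1 ;; esac   # rejects newlines, spaces, quotes
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# "Short lowercase identifier": the 2-16 character rule is an assumption here.
is_realm_name() {
  case $1 in *[!a-z0-9-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{1,15}$'
}

# Issuer URL in the form given in Step 3.
issuer_url() {
  printf 'https://login.microsoftonline.com/%s/v2.0' "$1"
}

# Usage: realm_add_cmd REALM TENANT_ID CLIENT_ID
# The secret is referenced as $ENTRA_CLIENT_SECRET (hypothetical variable name)
# so it is not written into the printed command. --default is deliberately
# omitted and --autocreate is 0 until the login flow has been tested.
realm_add_cmd() {
  realm=$1 tenant=$2 client=$3
  is_realm_name "$realm" || { echo "invalid realm name" >&2; return 1; }
  is_guid "$tenant" || { echo "tenant ID is not a GUID" >&2; return 1; }
  is_guid "$client" || { echo "client ID is not a GUID" >&2; return 1; }
  printf 'pveum realm add %s --type openid --issuer-url %s --client-id %s' \
    "$realm" "$(issuer_url "$tenant")" "$client"
  printf ' --client-key "$ENTRA_CLIENT_SECRET" --scopes "openid profile email" --autocreate 0\n'
}

# Constructed sample values, not real identifiers.
realm_add_cmd entra \
  11111111-2222-3333-4444-555555555555 \
  aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
```

Review the printed command, export the client secret into the named variable in the same shell session, then run it on a Proxmox node.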

Best practices

  • keep one local emergency admin path
  • do not set the OIDC realm as default before testing
  • use a dedicated Entra security group for Proxmox access
  • document the role mapping and post-login permission model

Summary

Microsoft Entra ID with Proxmox is a solid OIDC-based SSO pattern for the web UI, but it must be paired with a clear Proxmox authorization design and a tested fallback admin path.