Microsoft Entra ID SSO for Proxmox

This guide shows how to configure Proxmox VE to use Microsoft Entra ID through OpenID Connect (OIDC).

What this integration does

This setup enables Microsoft-based sign-in to the Proxmox web interface through an OIDC realm.

It does not automatically replace all node-level Linux authentication paths. Authorization inside Proxmox still needs to be designed separately.

Prerequisites

Proxmox VE is deployed and reachable via HTTPS
access to Datacenter > Realms
permission to create an app registration in Microsoft Entra ID
public or internal DNS name that users can reach consistently

Step 1: Create the app registration

Recommended settings:

Platform: Web
Redirect URI: use the exact URL expected by your Proxmox OIDC realm configuration

Record the Tenant ID, Client ID and Client Secret.

Step 2: Add basic sign-in scopes

Typical scopes:

openid
profile
email

Use group claims only if your authorization design requires them.

Step 3: Create the OIDC realm in Proxmox

Typical values:

Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
Client ID: app registration client ID
Client Key: client secret
Realm: short lowercase identifier
Autocreate Users: optional
Scopes: start with standard OIDC scopes

Best practices

keep one local emergency admin path
do not set the OIDC realm as default before testing
use a dedicated Entra security group for Proxmox access
document the role mapping and post-login permission model

Summary

Microsoft Entra ID with Proxmox is a solid OIDC-based SSO pattern for the web UI, but it must be paired with a clear Proxmox authorization design and a tested fallback admin path.