Microsoft Entra ID SSO for Proxmox

This guide shows how to configure Proxmox VE to use Microsoft Entra ID through OpenID Connect (OIDC).

What this integration does

This setup enables Microsoft-based sign-in to the Proxmox web interface through an OIDC realm.

It does not automatically replace all node-level Linux authentication paths. Authorization inside Proxmox still needs to be designed separately.

Prerequisites

• Proxmox VE is deployed and reachable via HTTPS.
• Access to the Datacenter > Realms section in Proxmox.
• Ability to create an app registration with delegated standard rights.

Proxmox allows various external authentication services via protocols such as Active Directory, LDAP or OpenID Connect. We will use the latter for the Microsoft Entra ID connection and SSO functionality.

Limitations

Proxmox allows the automatic creation of user objects, but is otherwise relatively limited compared to other applications, as it does not use the OAuth 2.0 standard but only handles logins via OpenID Connect. These limitations must be taken into account when introducing this setup.

In addition, logins will only be possible for the web GUI. Login on the individual cluster nodes is still governed by the Linux authentication of the individual hosts. This means that no console connections can be made to the host shells with the Microsoft Entra ID user objects.

Step 1: Create the app registration

First, an app registration including a client secret must be created in Microsoft Entra ID. All settings can be left at the default values. The important settings are the Redirect URIs under the Authentication tab. Set these URIs to the external or internal DNS name on which Proxmox is available and which users can reach consistently. Microsoft Entra ID uses these URIs to know where to redirect the user.

• Platform: Web
• Redirect URI: use the exact URL expected by your Proxmox OIDC realm configuration, for example https://proxmox.yourdomain.com/

Add the corresponding permissions for OpenID Connect as delegated permissions and grant admin consent for your tenant.

• Permissions: Delegated OpenID permissions (email, offline_access, openid, profile)

Create a client secret for the application and record the tenant ID, client ID (application ID) and client secret in a password manager. You can find instructions for this here: Get app details and grant permissions to app registration

Step 2: Add basic sign-in scopes

Typical scopes:

openid profile email

Use group claims only if your authorization design requires them.

Step 3: Create the OIDC realm in Proxmox

This step requires the authentication details from the first step: tenant ID, client ID and client secret.

In the Proxmox web interface select "Datacenter" -> "Realms" -> "Add" -> "OpenID Connect Server". There you can enter the credentials from Microsoft Entra ID. Typical values:

• Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
• Realm: The ID of the authentication provider in Proxmox. Use a short identifier, lower case and without special characters.
• Client ID: The client ID from the app registration in Microsoft Entra ID.
• Client Key: The client secret.
• Default: If this box is checked, this realm is the default auth provider on the sign-in screen.
• Autocreate Users: Optional. If this is enabled, all users who have permission to sign in to your app registration are automatically created as user objects in Proxmox. As you can still manage permissions within the app registration, this is usually recommended.
• Scopes: This allows you to receive multiple parameters from the Microsoft Entra ID user object. The access token is requested with these scopes at login. Start with the standard OIDC scopes; the default values are usually sufficient.
• Prompt: Defines which action Proxmox should perform when users log in. The default options are sufficient for the Microsoft Entra ID login.
• Comment: A name that is displayed to the end user on the login screen in the auth provider selection.

After these settings are properly configured, your users should be able to sign in to the Proxmox web interface. After sign-in, the default grouping, role and permission mechanisms of Proxmox apply.

Best practices

• Keep one local emergency admin path.
• Do not set the OIDC realm as default before testing.
• Use a dedicated Entra security group for Proxmox access.
• Document the role mapping and post-login permission model.

Summary

This is a solid OIDC-based SSO pattern for the Proxmox web UI, but it must be paired with a clear authorization design and a tested fallback admin path.
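A pre-flight check for the realm values and best practices above, as an added example that is not part of the original guide: it compares a planned realm configuration with the issuer's discovery document before anything is entered in Proxmox. The tenant ID, the dictionary keys (including the hypothetical `login_tested` and `local_admins`) and the trimmed discovery document are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: placeholder tenant ID, trimmed discovery document.
TENANT = "00000000-0000-0000-0000-000000000000"
DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

def check_realm(cfg, discovery):
    """Return findings for a planned Proxmox OIDC realm; an empty list means OK."""
    findings = []
    # Realm ID: the guide asks for lower case and no special characters.
    if not re.fullmatch(r"[a-z0-9]+", cfg["realm"]):
        findings.append("realm")
    # OIDC Discovery requires the configured issuer to be identical to the
    # advertised one, so a missing /v2.0 or a trailing slash is a mismatch.
    if cfg["issuer_url"] != discovery["issuer"]:
        findings.append("issuer_url")
    # Redirect URI: HTTPS (as in the prerequisites), with a host, no fragment.
    uri = urlsplit(cfg["redirect_uri"])
    if uri.scheme != "https" or not uri.hostname or uri.fragment:
        findings.append("redirect_uri")
    # Scopes: 'openid' is mandatory for OIDC; the rest must be offered by the IdP.
    scopes = cfg["scopes"].split()
    if "openid" not in scopes or set(scopes) - set(discovery["scopes_supported"]):
        findings.append("scopes")
    # Best practices: no default realm before a tested login, keep a local admin.
    if cfg["default"] and not cfg["login_tested"]:   # login_tested: hypothetical key
        findings.append("default")
    if not cfg["local_admins"]:                      # local_admins: hypothetical key
        findings.append("local_admins")
    return findings

GOOD = {
    "realm": "entra",
    "issuer_url": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "redirect_uri": "https://proxmox.yourdomain.com/",
    "scopes": "openid profile email",
    "default": False, "login_tested": False,
    "local_admins": ["root@pam"],
}
BAD = dict(GOOD, realm="Entra-ID", issuer_url=GOOD["issuer_url"] + "/",
           redirect_uri="http://proxmox.yourdomain.com/", scopes="profile email",
           default=True)

if __name__ == "__main__":
    print("good:", check_realm(GOOD, DISCOVERY))
    print("bad: ", check_realm(BAD, DISCOVERY))
```

In practice the discovery document would be fetched once from the issuer URL with `/.well-known/openid-configuration` appended and passed in place of the constructed `DISCOVERY`.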