Set Up OIDC Authentication (Azure)
Learn about setting up OIDC authentication for Azure in CIE.
  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL/ Redirect URL.
    5. Select the JWT Encryption Algorithm that you want to use.
      The default value is RS256, which is the default for most identity providers.
  2. Configure Azure to use OIDC with the Cloud Identity Engine.
    1. Log in to the Azure account you want to use to connect to the Cloud Identity Engine.
    2. Click App registration.
    3. Click New registration.
    4. Enter a Name for the application.
    5. Select Accounts in this organizational directory only.
    6. For the Redirect URI, enter the domain for your Cloud Identity Engine instance and append oidc/callback.
    7. Click Register to submit the configuration.
    8. Click Add user/group and add the users or groups you want to be able to configure OIDC as an authentication type (for example, service accounts).
  3. Obtain the information you need to complete your OIDC Azure configuration.
    1. Select the application you just created then click Overview.
    2. Copy the Display name and Application (client) ID and save them in a secure location.
    3. Click Add a certificate or secret.
      Don’t allow the client secret to expire. If the client secret isn’t up to date, users can’t log in using OIDC.
    4. Select Client secrets then click New client secret.
    5. Select when the secret Expires then click Add.
    6. Copy the Value of the client secret and save it in a secure location.
      Because the secret displays only once, be sure to copy the information before closing or leaving the page. Otherwise, you must create a new secret.
    7. (Optional) Select Overview > Endpoints and copy the OpenID Connect metadata document URL up to /2.0 (the well-known/openid-configuration part of the URL isn't necessary).
  4. Complete and submit the OIDC configuration.
    1. Enter the Display name you copied from Azure in step 3 as the Client Name.
    2. Enter the Client ID you copied from Azure in step 3.
    3. Enter the Value you copied from Azure in step 3 as the Client Secret.
    4. Enter https://login.microsoftonline.com/organizations/2.0/ as the Issuer URL.
    5. (Optional) Enter the Endpoint URL you copied in step 3.
    6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Azure IdP using OIDC.
      If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
    7. After confirming that the connection is successful, Submit the configuration.
      You can now use OIDC as an authentication type when you Set Up an Authentication Profile.
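As an added sanity check for the values collected in the procedure above (example code written for this page, not part of the Cloud Identity Engine or Azure documentation), the Python below builds the Redirect URI from a Cloud Identity Engine domain, re-appends the well-known suffix to the copied endpoint URL, validates an OIDC discovery document against the configured Issuer URL and JWT algorithm, and reports whether a client secret is expired or about to expire. The hostname cie.example.com, the helper names and the sample discovery document are all constructed for this example; the discovery field names follow the OIDC Discovery specification.

```python
"""Sanity checks for the values collected in the OIDC-for-Azure procedure."""
import json
from datetime import date

# Values exactly as the procedure gives them.
ISSUER_URL = "https://login.microsoftonline.com/organizations/2.0/"
DEFAULT_ALG = "RS256"


def redirect_uri(cie_domain: str) -> str:
    """Azure Redirect URI: the Cloud Identity Engine domain with oidc/callback appended."""
    base = cie_domain if cie_domain.startswith("https://") else "https://" + cie_domain
    return base.rstrip("/") + "/oidc/callback"


def metadata_url(endpoint_url: str) -> str:
    """Re-append the well-known suffix that step 3.7 says you can leave off when copying."""
    return endpoint_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc: dict, expected_issuer: str, alg: str = DEFAULT_ALG) -> list:
    """Return a list of problems found in an OIDC discovery document (empty means OK)."""
    problems = []
    # OIDC Discovery requires the issuer in the document to match the configured one;
    # only a trailing slash is tolerated here, because the procedure's value carries one.
    if str(doc.get("issuer", "")).rstrip("/") != expected_issuer.rstrip("/"):
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    # The JWT algorithm chosen in step 1.5 must be one the IdP actually signs with.
    if alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("%s not in id_token_signing_alg_values_supported" % alg)
    # Endpoints the login flow depends on must be present and use TLS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    return problems


def secret_status(expires: date, today: date, warn_days: int = 30) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok' for the client secret from step 3.5."""
    remaining = (expires - today).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


# Constructed sample discovery document: field names follow the OIDC Discovery spec,
# the values are made up for this example and were not fetched from Azure.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://login.microsoftonline.com/organizations/2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/organizations/discovery/v2.0/keys",
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


if __name__ == "__main__":
    print(redirect_uri("cie.example.com"))
    print(metadata_url(ISSUER_URL))
    print(check_discovery(SAMPLE_DISCOVERY, ISSUER_URL) or "discovery document OK")
    print(secret_status(date(2025, 1, 31), date(2025, 1, 10)))
```

Run the checks before clicking Test Connection: an issuer mismatch or a missing RS256 in the discovery document explains a failed test more quickly than the login error, and the secret-expiry check is the kind of scheduled reminder that keeps the "don't let the client secret expire" note from turning into an outage.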