Azure AD

The Azure AD connector integrates the Maverics Orchestrator with Microsoft Entra ID (formerly Azure Active Directory) — enabling OIDC-based single sign-on for your applications.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Azure AD connector uses OpenID Connect to federate authentication with Microsoft Entra ID. It uses type: azure in the connector configuration and supports standard OIDC flows — allowing you to bridge Azure AD with applications that don’t natively support modern identity protocols.

Use Cases

SSO with Microsoft 365 — Federate Azure AD authentication to legacy or on-premises applications
Hybrid identity — Bridge on-premises Active Directory (via Azure AD Connect) with cloud applications
Multi-IdP orchestration — Route authentication to Azure AD alongside other identity providers

Configuration

Console UI
Configuration

Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

Azure AD configuration screen in Maverics Console

connectors:
  - name: azure
    type: azure
    oidcWellKnownURL: "https://login.microsoftonline.com/{{ env.AZURE_TENANT_ID }}/v2.0/.well-known/openid-configuration"
    oauthClientID: "{{ env.AZURE_CLIENT_ID }}"
    oauthClientSecret: <vault.azure_client_secret>
    oauthRedirectURL: "https://app.example.com/oidc/callback"
    scopes: "openid profile email"

The Azure AD well-known URL includes a tenant ID in the path: login.microsoftonline.com/{tenant-id}/v2.0/. Use the v2.0 endpoint for standard OIDC support. Replace the tenant ID with your Azure AD directory (tenant) ID from the Azure portal.

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced in app policies
`type`	string	Yes	Must be `azure`
`oidcWellKnownURL`	string	Yes	OIDC discovery endpoint URL (tenant-specific)
`oauthClientID`	string	Yes	OAuth 2.0 client (application) ID from the Azure portal
`oauthClientSecret`	string	Yes	OAuth 2.0 client secret (use secret reference syntax)
`oauthRedirectURL`	string	Yes	Callback URL registered with the Azure AD app registration
`scopes`	string	No	Space-separated OAuth scopes (default: `openid profile email`)
`oauthExtraParams`	map	No	Additional query parameters for the authorization request
`tls`	string	No	Named TLS profile for provider communication

For the complete field reference including health checks, offline access, and PKCE settings, see Identity Fabric.

Troubleshooting

Verify the oidcWellKnownURL is accessible from the Orchestrator host — ensure the tenant ID is correct and the v2.0 endpoint is used
Ensure the oauthRedirectURL matches exactly what is registered in the Azure AD app registration under Authentication > Redirect URIs
Check that the client secret reference resolves correctly via your secret provider — Azure AD client secrets expire and need periodic rotation

Identity Fabric

Overview of all identity providers

Okta

OIDC connector for Okta

Custom OIDC

Generic OpenID Connect connector

ADFS

OIDC connector for ADFS

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Identity Fabric

Okta

Custom OIDC

ADFS

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

Identity Fabric

Okta

Custom OIDC

ADFS

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages