The Microsoft Entra ID connector integrates the Maverics Orchestrator with Microsoft Entra ID (formerly Azure Active Directory) — enabling OIDC-based single sign-on for your applications.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Microsoft Entra ID connector uses OpenID Connect to federate authentication with Microsoft Entra ID and supports standard OIDC flows — allowing you to bridge Microsoft Entra ID with applications that don’t natively support modern identity protocols.

Use Cases

  • Unify SSO across hybrid environments — Extend Microsoft Entra ID authentication to legacy and on-premises applications that don’t support modern protocols, creating seamless SSO across your entire hybrid estate
  • Rationalize identity platforms — Consolidate redundant identity providers onto Microsoft Entra ID by orchestrating gradual user migration without disrupting access to existing applications
  • Identity resilience and failover — Configure Microsoft Entra ID as a primary or secondary IdP with automatic failover routing, ensuring authentication continuity if another provider experiences an outage
  • Bridge on-premises Active Directory — Connect on-premises AD (synced via Entra ID Connect) with cloud applications through OIDC federation, unifying access across directory boundaries

Setup

To create a Microsoft Entra ID (OIDC) connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Microsoft Entra ID (OIDC).
  3. Enter a Name — this is the friendly name that identifies your provider.
  4. Enter the OIDC Well Known URL — for Microsoft Entra ID, this follows the pattern https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration. Replace {tenant-id} with your Microsoft Entra ID directory (tenant) ID from the Azure portal. Use the v2.0 endpoint for standard OIDC support.
  5. Enter the OAuth Client ID — the Application (client) ID from your Entra ID app registration in the Azure portal.
  6. Enter the OAuth Client Secret — the client secret from your Entra ID app registration.
  7. Under Redirect URLs, add the callback URL where Entra ID will redirect after authentication. This URL must match a Redirect URI configured in the app registration under Authentication.
  8. Optionally configure Logout Callback URLs for single logout support.
  9. Optionally set Scopes (space-separated). Default scopes are typically openid profile email.
  10. The PKCE toggle is enabled by default. Disable it only if your Entra ID app registration is not configured to support Proof Key for Code Exchange.
  11. Optionally enable Offline Access for token refresh support (Proxy apps only).
  12. Click Save.

Troubleshooting

  • Verify the oidcWellKnownURL is accessible from the Orchestrator host — ensure the tenant ID is correct and the v2.0 endpoint is used
  • Ensure the oauthRedirectURL matches exactly what is registered in the Microsoft Entra ID app registration under Authentication > Redirect URIs
  • Check that the client secret reference resolves correctly via your secret provider — Microsoft Entra ID client secrets expire and need periodic rotation
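The three checks above can be scripted as a pre-flight test before the connector is deployed. The following is an added example, not code from the Maverics product or its documentation; it runs against a constructed discovery document, and the connector key names (oidcWellKnownURL, oauthRedirectURL, pkce, secretExpires) and the registered-redirect list are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Discovery URL pattern from the Setup step: v2.0 endpoint with a GUID tenant ID.
WELL_KNOWN_RE = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tenant>[0-9a-f-]{36})"
    r"/v2\.0/\.well-known/openid-configuration$", re.IGNORECASE)

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID

# Constructed stand-in for the JSON the well-known URL returns (trimmed).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "code_challenge_methods_supported": ["plain", "S256"],
})
# Constructed connector settings; the key names are assumptions for this example.
SAMPLE_CONFIG = {
    "oidcWellKnownURL": f"https://login.microsoftonline.com/{TENANT}"
                        "/v2.0/.well-known/openid-configuration",
    "oauthRedirectURL": "https://app.example.com/oidc/callback",
    "pkce": True,
    "secretExpires": "2025-09-30",  # expiry date shown for the secret in the app registration
}
REGISTERED_REDIRECTS = ["https://app.example.com/oidc/callback"]  # Authentication > Redirect URIs

def check_connector(cfg, discovery_json, registered_redirects, today):
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    m = WELL_KNOWN_RE.match(cfg["oidcWellKnownURL"])
    if not m:
        problems.append("oidcWellKnownURL is not the v2.0 tenant discovery URL")
    else:
        doc = json.loads(discovery_json)
        # The issuer in the discovery document must name the same tenant as the URL.
        if m.group("tenant").lower() not in doc.get("issuer", "").lower():
            problems.append("discovery issuer does not match the tenant ID in the URL")
        if cfg.get("pkce", True) and "S256" not in doc.get("code_challenge_methods_supported", []):
            problems.append("PKCE is enabled but discovery does not advertise S256")
    # Exact string comparison, as the page requires: a trailing slash or case drift fails.
    if cfg["oauthRedirectURL"] not in registered_redirects:
        problems.append("oauthRedirectURL is not registered exactly in the app registration")
    # Client secrets expire; flag one that needs rotation within 30 days.
    if datetime.fromisoformat(cfg["secretExpires"]) <= datetime.fromisoformat(today) + timedelta(days=30):
        problems.append("client secret expires within 30 days; rotate it")
    return problems

if __name__ == "__main__":
    print(check_connector(SAMPLE_CONFIG, SAMPLE_DISCOVERY, REGISTERED_REDIRECTS, "2025-01-01") or "OK")
```

To use it against a live tenant, replace SAMPLE_DISCOVERY with the body fetched from the configured well-known URL on the Orchestrator host, which also confirms the URL is reachable from there.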