Microsoft Entra ID provider (#2390)

* Microsoft Entra ID Provider * fix typo in function name * documentation tweaks * documentation and comment tweak * docs tweaks * final tweaks * refactor: drop flag for skipping graph groups * update legacy / deprecated provider page and sort provider overview * reformat * move entra-id provider into switch (treat like every other provider * fix test case and reformat * fix sidebar configuration * apply review suggestions * add pagination for graph api * fix: do not error when groups unable to retrieve * doc: number of groups fix * restore master packages * docs: tiny docs tweak * address review comments * fix codegen --------- Co-authored-by: tuunit <jan@larwig.com>
2025-06-17 00:17:40 +02:00 · 2024-12-31 12:46:13 +01:00
parent c64ec1251b
commit 5f188e5b6b
14 changed files with 617 additions and 51 deletions
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@ -385,6 +385,16 @@ character.
 | `default` | _[]string_ |  _(Optional)_ Default specifies a default value or values that will be<br/>passed to the IdP if not overridden. |
 | `allow` | _[[]URLParameterRule](#urlparameterrule)_ |  _(Optional)_ Allow specifies rules about how the default (if any) may be<br/>overridden via the query string to `/oauth2/start`.  Only<br/>values that match one or more of the allow rules will be<br/>forwarded to the IdP. |
 ### MicrosoftEntraIDOptions
 (**Appears on:** [Provider](#provider))
 | Field | Type | Description |
 | ----- | ---- | ----------- |
 | `allowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
 ### OIDCOptions
 (**Appears on:** [Provider](#provider))
@ -418,6 +428,7 @@ Provider holds all configuration for a single provider
 | `clientSecretFile` | _string_ | ClientSecretFile is the name of the file<br/>containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
 | `keycloakConfig` | _[KeycloakOptions](#keycloakoptions)_ | KeycloakConfig holds all configurations for Keycloak provider. |
 | `azureConfig` | _[AzureOptions](#azureoptions)_ | AzureConfig holds all configurations for Azure provider. |
 | `microsoftEntraIDConfig` | _[MicrosoftEntraIDOptions](#microsoftentraidoptions)_ | MicrosoftEntraIDConfig holds all configurations for Entra ID provider. |
 | `ADFSConfig` | _[ADFSOptions](#adfsoptions)_ | ADFSConfig holds all configurations for ADFS provider. |
 | `bitbucketConfig` | _[BitbucketOptions](#bitbucketoptions)_ | BitbucketConfig holds all configurations for Bitbucket provider. |
 | `githubConfig` | _[GitHubOptions](#githuboptions)_ | GitHubConfig holds all configurations for GitHubC provider. |
--- a/docs/docs/configuration/providers/azure_ad.md
+++ b/docs/docs/configuration/providers/azure_ad.md
@ -1,18 +0,0 @@
 ---
 id: azure_ad
 title: Microsoft Azure AD
 ---
 ## Config Options
 | Flag             | Toml Field     | Type   | Description                                                      | Default    |
 | ---------------- | -------------- | ------ | ---------------------------------------------------------------- | ---------- |
 | `--azure-tenant` | `azure_tenant` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` |
 | `--resource`     | `resource`     | string | The resource that is protected (Azure AD only)                   |            |
 ## Usage
 For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
 Take note of your `TenantId` if applicable for your situation. The `TenantId` can be used to override the default 
 `common` authorization server with a tenant specific server.
--- a/docs/docs/configuration/providers/gitea.md
+++ b/docs/docs/configuration/providers/gitea.md
@ -3,6 +3,10 @@ id: gitea
 title: Gitea
 ---
 :::note
 This is not actually its own provider. For more details and options please refer to the [GitHub Provider Options](github.md)
 :::
 1. Create a new application: `https://< your gitea host >/user/settings/applications`
 2. Under `Redirect URI` enter the correct URL i.e. `https://<proxied host>/oauth2/callback`
 3. Note the Client ID and Client Secret.
--- a/docs/docs/configuration/providers/index.md
+++ b/docs/docs/configuration/providers/index.md
@ -8,21 +8,22 @@ with Redirect URI(s) for the domain you intend to run `oauth2-proxy` on.
 Valid providers are :
 - [Google](google.md) _default_
 - [Azure](azure.md)
 - [ADFS](adfs.md)
 - [Facebook](facebook.md)
 - [GitHub](github.md)
 - [Gitea](gitea.md)
 - [Keycloak](keycloak.md)/[Keycloak OIDC](keycloak_oidc.md)
 - [GitLab](gitlab.md)
 - [LinkedIn](linkedin.md)
 - [Microsoft Azure AD](azure_ad.md)
 - [OpenID Connect](openid_connect.md)
 - [login.gov](login_gov.md)
 - [Nextcloud](nextcloud.md)
 - [DigitalOcean](digitalocean.md)
 - [Bitbucket](bitbucket.md)
 - [DigitalOcean](digitalocean.md)
 - [Facebook](facebook.md)
 - [Gitea](gitea.md)
 - [GitHub](github.md)
 - [GitLab](gitlab.md)
 - [Google](google.md) _default_
 - [Keycloak](keycloak.md) (Deprecated)
 - [Keycloak OIDC](keycloak_oidc.md)
 - [LinkedIn](linkedin.md)
 - [login.gov](login_gov.md)
 - [Microsoft Azure](ms_azure_ad.md) (Deprecated)
 - [Microsoft Entra ID](ms_entra_id.md)
 - [Nextcloud](nextcloud.md)
 - [OpenID Connect](openid_connect.md)
 The provider can be selected using the `provider` configuration value.
--- a/docs/docs/configuration/providers/keycloak.md
+++ b/docs/docs/configuration/providers/keycloak.md
@ -1,10 +1,10 @@
 ---
 id: keycloak
-title: Keycloak
+title: Keycloak (Deprecated)
 ---
 :::note
-This is the legacy provider for Keycloak, use [Keycloak OIDC Auth Provider](keycloak_oidc.md) if possible.
+This is the legacy and deprecated provider for Keycloak, use [Keycloak OIDC Auth Provider](keycloak_oidc.md) if possible.
 :::
 1.  Create new client in your Keycloak realm with **Access Type** 'confidential' and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback'
--- a/docs/docs/configuration/providers/ms_azure_ad.md
+++ b/docs/docs/configuration/providers/ms_azure_ad.md
@ -1,8 +1,12 @@
 ---
 id: azure
-title: Azure
+title: Azure (Deprecated)
 ---
 :::note
 This is the legacy and deprecated provider for Azure, use [Microsoft Entra ID](ms_entra_id.md) if possible.
 :::
 ## Config Options
 | Flag             | Toml Field     | Type   | Description                                                      | Default    |
--- a/docs/docs/configuration/providers/ms_entra_id.md
+++ b/docs/docs/configuration/providers/ms_entra_id.md
@ -0,0 +1,158 @@
 ---
 id: ms_entra_id
 title: Microsoft Entra ID
 ---
 Provider for Microsoft Entra ID. Fully compliant with OIDC, with support for group overage and multi-tenant apps.
 ## Config Options
 The provider is OIDC-compliant, so all the OIDC parameters are honored. Additional provider-specific configuration parameters are:
 | Flag                        | Toml Field                 | Type           | Description                                                                                                                                                                                                                                                                               | Default |
 | --------------------------- | -------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `--entra-id-allowed-tenant` | `entra_id_allowed_tenants` | string \| list | List of allowed tenants. In case of multi-tenant apps, incoming tokens are issued by different issuers and OIDC issuer verification needs to be disabled. When not specified, all tenants are allowed. Redundant for single-tenant apps (regular ID token validation matches the issuer). |         |
 ## Configure App registration
 To begin, create an App registration, set a redirect URI, and generate a secret. All account types are supported, including single-tenant, multi-tenant, multi-tenant with Microsoft accounts, and Microsoft accounts only.
 <details>
    <summary>See Azure Portal example</summary>
    <div class="videoBlock">
        <iframe src="https://www.youtube.com/embed/IUNfxhOzr4E"></iframe>
    </div>
 </details>
 <details>
    <summary>See Terraform example</summary>
 ```
    resource "azuread_application" "auth" {
        display_name     = "oauth2-proxy"
        sign_in_audience = "AzureADMyOrg" # Others are also supported
        web {
            redirect_uris = [
                "https://podinfo.lakis.tech/oauth2/callback",
            ]
        }
        // We don't specify any required API permissions - we allow user consent only
    }
    resource "azuread_service_principal" "sp" {
        client_id                    = azuread_application.auth.client_id
        app_role_assignment_required = false
    }
    resource "azuread_service_principal_password" "pass" {
        service_principal_id = azuread_service_principal.sp.id
    }
 ```
 </details>
 ### Configure groups
 If you want to make use of groups, you can configure *groups claim* to be present in ID Tokens issued by the App registration.
 <details>
    <summary>See Azure Portal example</summary>
    <div class="videoBlock">
        <div class="videoBlock">
            <iframe src="https://www.youtube.com/embed/QZmP5MKEJis"></iframe>
        </div>
    </div>
 </details>
 <details>
    <summary>See Terraform example</summary>
 ```
    resource "azuread_application" "auth" {
        display_name     = "oauth2-proxy"
        sign_in_audience = "AzureADMyOrg"
        group_membership_claims = [
            "SecurityGroup"
        ]
        web {
            redirect_uris = [
                "https://podinfo.lakis.tech/oauth2/callback",
            ]
        }
    }
    resource "azuread_service_principal" "sp" {
        client_id                    = azuread_application.auth.client_id
        app_role_assignment_required = false
    }
    resource "azuread_service_principal_password" "pass" {
        service_principal_id = azuread_service_principal.sp.id
    }
 ```
 </details>
 ### Scopes and claims
 For single-tenant and multi-tenant apps without groups, the only required scope is `openid` (See: [Scopes and permissions](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-openid-scope)).
 To make use of groups - for example use `allowed_groups` setting or authorize based on groups inside your service - you need to enable *groups claims* in the App Registration. When enabled, list of groups is present in the issued ID token. No additional scopes are required besides `openid`. This works up to 200 groups.
 When user has more than 200 group memberships, OAuth2-Proxy attempts to retrieve the complete list from Microsoft Graph API's [`transitiveMemberOf`](https://learn.microsoft.com/en-us/graph/api/user-list-transitivememberof). Endpoint requires `User.Read` scope (delegated permission). This permission can be by default consented by user during first login. Set scope to `openid User.Read` to request user consent. Without proper scope, user with 200+ groups will authenticate with 0 groups. See: [group overages](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages).
 Alternatively to user consent, both `openid` and `User.Read` permissions can be consented by admistrator. Then, user is not asked for consent on the first login, and group overage works with `openid` scope only. Admin consent can also be required for some tenants. It can be granted with [azuread_service_principal_delegated_permission_grant](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_delegated_permission_grant) terraform resource.
 For personal microsoft accounts, required scope is `openid profile email`.
 See: [Overview of permissions and consent in the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview).
 ### Multi-tenant apps
 To authenticate apps from multiple tenants (including personal Microsoft accounts), set the common OIDC issuer url and disable verification:
 ```toml
 oidc_issuer_url=https://login.microsoftonline.com/common/v2.0
 insecure_oidc_skip_issuer_verification=true
 ```
 `insecure_oidc_skip_issuer_verification` setting is required to disable following checks:
 * Startup check for matching issuer URL returned from [discovery document](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) with `oidc_issuer_url` setting. Required, as document's `issuer` field doesn't equal to `https://login.microsoftonline.com/common/v2.0`. See [OIDC Discovery 4.3](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation).
 * Matching ID token's `issuer` claim with `oidc_issuer_url` setting during ID token validation. Required to support tokens issued by diffrerent tenants. See [OIDC Core 3.1.3.7](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). 
 To provide additional security, Entra ID provider performs check on the ID token's `issuer` claim to match the `https://login.microsoftonline.com/{tenant-id}/v2.0` template.
 ### Example configurations
 Single-tenant app without groups (*groups claim* not enabled). Consider using generic OIDC provider:
 ```toml
 provider="entra-id"
 oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
 client_id="<client-id>"
 client_secret="<client-secret>"
 scope="openid"
 ```
 Single-tenant app with up to 200 groups (*groups claim* enabled). Consider using generic OIDC provider:
 ```toml
 provider="entra-id"
 oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
 client_id="<client-id>"
 client_secret="<client-secret>"
 scope="openid"
 allowed_groups=["ac51800c-2679-4ecb-8130-636380a3b491"]
 ```
 Single-tenant app with more than 200 groups:
 ```toml
 provider="entra-id"
 oidc_issuer_url="https://login.microsoftonline.com/<tenant-id>/v2.0"
 client_id="<client-id>"
 client_secret="<client-secret>"
 scope="openid User.Read"
 allowed_groups=["968b4844-d5e7-4e18-a834-59927959369f"]
 ```
 Multi-tenant app with Microsoft personal accounts & one Entra tenant allowed, with group overage considered:
 ```toml
 provider="entra-id"
 oidc_issuer_url="https://login.microsoftonline.com/common/v2.0"
 client_id="<client-id>"
 client_secret="<client-secret>"
 insecure_oidc_skip_issuer_verification=true
 scope="openid profile email User.Read"
 entra_id_allowed_tenant=["9188040d-6c67-4c5b-b112-36a304b66dad","<my-tenant-id>"] # Allow only <my-tenant-id> and Personal MS Accounts tenant 
 email_domains="*"
 ```
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -31,22 +31,22 @@ const sidebars = {
            id: 'configuration/providers/index',
          },
          items: [
-            'configuration/providers/google',
+            "configuration/providers/adfs",
-            'configuration/providers/azure',
+            "configuration/providers/azure",
-            'configuration/providers/adfs',
+            "configuration/providers/bitbucket",
-            'configuration/providers/facebook',
+            "configuration/providers/digitalocean",
-            'configuration/providers/github',
+            "configuration/providers/facebook",
-            'configuration/providers/gitea',
+            "configuration/providers/gitea",
-            'configuration/providers/keycloak',
+            "configuration/providers/github",
-            'configuration/providers/keycloak_oidc',
+            "configuration/providers/gitlab",
-            'configuration/providers/gitlab',
+            "configuration/providers/google",
-            'configuration/providers/linkedin',
+            "configuration/providers/keycloak",
-            'configuration/providers/azure_ad',
+            "configuration/providers/keycloak_oidc",
-            'configuration/providers/openid_connect',
+            "configuration/providers/linkedin",
-            'configuration/providers/login_gov',
+            "configuration/providers/login_gov",
-            'configuration/providers/nextcloud',
+            "configuration/providers/ms_entra_id",
-            'configuration/providers/digitalocean',
+            "configuration/providers/nextcloud",
-            'configuration/providers/bitbucket',
+            "configuration/providers/openid_connect",
          ],
        },
        'configuration/session_storage',
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@ -23,3 +23,17 @@
  margin: 0 calc(-1 * var(--ifm-pre-padding));
  padding: 0 var(--ifm-pre-padding);
 }
 .videoBlock {
  position: relative;
  padding-bottom: 75%;
  height: 0;
 }
 .videoBlock iframe {
  position: absolute;
  top: 0;
  left: 0;
  width: 100%;
  height: 100%;
 }
--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@ -488,6 +488,7 @@ type LegacyProvider struct {
 	KeycloakGroups                         []string `flag:"keycloak-group" cfg:"keycloak_groups"`
 	AzureTenant                            string   `flag:"azure-tenant" cfg:"azure_tenant"`
 	AzureGraphGroupField                   string   `flag:"azure-graph-group-field" cfg:"azure_graph_group_field"`
 	EntraIDAllowedTenants                  []string `flag:"entra-id-allowed-tenant" cfg:"entra_id_allowed_tenants"`
 	BitbucketTeam                          string   `flag:"bitbucket-team" cfg:"bitbucket_team"`
 	BitbucketRepository                    string   `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
 	GitHubOrg                              string   `flag:"github-org" cfg:"github_org"`
@ -550,6 +551,7 @@ func legacyProviderFlagSet() *pflag.FlagSet {
 	flagSet.StringSlice("keycloak-group", []string{}, "restrict logins to members of these groups (may be given multiple times)")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("azure-graph-group-field", "", "configures the group field to be used when building the groups list(`id` or `displayName`. Default is `id`) from Microsoft Graph(available only for v2.0 oidc url). Based on this value, the `allowed-group` config values should be adjusted accordingly. If using `id` as group field, `allowed-group` should contains groups IDs, if using `displayName` as group field, `allowed-group` should contains groups name")
 	flagSet.StringSlice("entra-id-allowed-tenant", []string{}, "list of tenants allowed for MS Entra ID multi-tenant application")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
 	flagSet.String("github-org", "", "restrict logins to members of this organisation")
@ -756,6 +758,10 @@ func (l *LegacyProvider) convert() (Providers, error) {
 			UseApplicationDefaultCredentials: l.GoogleUseApplicationDefaultCredentials,
 			TargetPrincipal:                  l.GoogleTargetPrincipal,
 		}
 	case "entra-id":
 		provider.MicrosoftEntraIDConfig = MicrosoftEntraIDOptions{
 			AllowedTenants: l.EntraIDAllowedTenants,
 		}
 	}
 	if l.ProviderName != "" {
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@ -30,6 +30,8 @@ type Provider struct {
 	KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"`
 	// AzureConfig holds all configurations for Azure provider.
 	AzureConfig AzureOptions `json:"azureConfig,omitempty"`
 	// MicrosoftEntraIDConfig holds all configurations for Entra ID provider.
 	MicrosoftEntraIDConfig MicrosoftEntraIDOptions `json:"microsoftEntraIDConfig,omitempty"`
 	// ADFSConfig holds all configurations for ADFS provider.
 	ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"`
 	// BitbucketConfig holds all configurations for Bitbucket provider.
@ -101,6 +103,9 @@ const (
 	// AzureProvider is the provider type for Azure
 	AzureProvider ProviderType = "azure"
 	// MicrosoftEntraIDProvider is the provider type for Entra OIDC
 	MicrosoftEntraIDProvider ProviderType = "entra-id"
 	// BitbucketProvider is the provider type for Bitbucket
 	BitbucketProvider ProviderType = "bitbucket"
@ -155,6 +160,14 @@ type AzureOptions struct {
 	GraphGroupField string `json:"graphGroupField,omitempty"`
 }
 type MicrosoftEntraIDOptions struct {
 	// AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are
 	// issued by different issuers and OIDC issuer verification needs to be disabled.
 	// When not specified, all tenants are allowed. Redundant for single-tenant apps
 	// (regular ID token validation matches the issuer).
 	AllowedTenants []string `json:"allowedTenants,omitempty"`
 }
 type ADFSOptions struct {
 	// Skip adding the scope parameter in login request
 	// Default value is 'false'
--- a/providers/ms_entra_id.go
+++ b/providers/ms_entra_id.go
@ -0,0 +1,186 @@
 package providers
 import (
 	"context"
 	"fmt"
 	"net/url"
 	"regexp"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
 	"github.com/spf13/cast"
 )
 // MicrosoftEntraIDProvider represents provider for Azure Entra Authentication V2 endpoint
 type MicrosoftEntraIDProvider struct {
 	*OIDCProvider
 	multiTenantAllowedTenants []string
 	microsoftGraphURL *url.URL
 }
 const (
 	microsoftEntraIDProviderName = "Microsoft Entra ID"
 )
 var (
 	microsoftGraphURL = &url.URL{
 		Scheme: "https",
 		Host:   "graph.microsoft.com",
 		Path:   "/v1.0/me",
 	}
 )
 // NewMicrosoftEntraIDProvider initiates a new MicrosoftEntraIDProvider
 func NewMicrosoftEntraIDProvider(p *ProviderData, opts options.Provider) *MicrosoftEntraIDProvider {
 	p.setProviderDefaults(providerDefaults{
 		name: microsoftEntraIDProviderName,
 	})
 	return &MicrosoftEntraIDProvider{
 		OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig),
 		multiTenantAllowedTenants: opts.MicrosoftEntraIDConfig.AllowedTenants,
 		microsoftGraphURL:         microsoftGraphURL,
 	}
 }
 // EnrichSession checks for group overage after calling generic EnrichSession
 func (p *MicrosoftEntraIDProvider) EnrichSession(ctx context.Context, session *sessions.SessionState) error {
 	if err := p.OIDCProvider.EnrichSession(ctx, session); err != nil {
 		return fmt.Errorf("unable to enrich session: %v", err)
 	}
 	hasGroupOverage, err := p.checkGroupOverage(session)
 	if err != nil {
 		return fmt.Errorf("unable to check token: %v", err)
 	}
 	if hasGroupOverage {
 		logger.Printf("entra overage found, reading groups from Graph API")
 		if err = p.addGraphGroupsToSession(ctx, session); err != nil {
 			return fmt.Errorf("unable to enrich session: %v", err)
 		}
 	}
 	return nil
 }
 // ValidateSession checks for allowed tenants (e.g. for multi-tenant apps) and passes through to generic ValidateSession
 func (p *MicrosoftEntraIDProvider) ValidateSession(ctx context.Context, session *sessions.SessionState) bool {
 	tenant, err := p.getTenantFromToken(session)
 	if err != nil {
 		logger.Errorf("unable to retrieve entra tenant from token: %v", err)
 		return false
 	}
 	if len(p.multiTenantAllowedTenants) > 0 {
 		tenantAllowed := p.checkTenantMatchesTenantList(tenant, p.multiTenantAllowedTenants)
 		if !tenantAllowed {
 			logger.Printf("entra: tenant %s is not specified in the list of allowed tenants", tenant)
 			return false
 		}
 		logger.Printf("entra: tenant %s is allowed", tenant)
 	}
 	return p.OIDCProvider.ValidateSession(ctx, session)
 }
 // checkGroupOverage checks ID token's group membership claims for the group overage
 func (p *MicrosoftEntraIDProvider) checkGroupOverage(session *sessions.SessionState) (bool, error) {
 	extractor, err := p.getClaimExtractor(session.IDToken, session.AccessToken)
 	if err != nil {
 		return false, fmt.Errorf("unable to get claim extractor: %v", err)
 	}
 	claimNames, _, _ := extractor.GetClaim("_claim_names")
 	var claimNamesMap map[string]string
 	if claimNames != nil {
 		claimNamesMap = cast.ToStringMapString(claimNames)
 	}
 	if _, groupsKeyPresent := claimNamesMap["groups"]; groupsKeyPresent {
 		return true, nil
 	}
 	return false, nil
 }
 func (p *MicrosoftEntraIDProvider) addGraphGroupsToSession(ctx context.Context, s *sessions.SessionState) error {
 	groupsHeaders := makeAuthorizationHeader(tokenTypeBearer, s.AccessToken, nil)
 	groupsHeaders.Add("ConsistencyLevel", "eventual")
 	var allGroups []string
 	var nextLink string
 	for {
 		if nextLink == "" {
 			nextLink = fmt.Sprintf("%s/transitiveMemberOf?$select=id&$top=100", p.microsoftGraphURL)
 		}
 		response, err := requests.New(nextLink).
 			WithContext(ctx).
 			WithHeaders(groupsHeaders).
 			Do().
 			UnmarshalSimpleJSON()
 		if err != nil {
 			logger.Errorf("invalid response from microsoft graph, no groups added to session: %v", err)
 			return nil
 		}
 		reqGroups := response.Get("value").MustArray()
 		for i := range reqGroups {
 			value := response.Get("value").GetIndex(i).Get("id").MustString()
 			allGroups = append(allGroups, value)
 		}
 		// https://learn.microsoft.com/en-us/graph/paging?view=graph-rest-1.0&tabs=http#how-paging-works
 		nextLink = response.Get("@odata.nextLink").MustString()
 		if nextLink == "" {
 			break
 		}
 	}
 	s.Groups = util.RemoveDuplicateStr(append(s.Groups, allGroups...))
 	return nil
 }
 func (p *MicrosoftEntraIDProvider) getTenantFromToken(session *sessions.SessionState) (string, error) {
 	extractor, err := p.getClaimExtractor(session.IDToken, session.AccessToken)
 	if err != nil {
 		return "", fmt.Errorf("unable to get claim extractor: %v", err)
 	}
 	value, exists, err := extractor.GetClaim("iss")
 	if !exists || err != nil {
 		return "", fmt.Errorf("iss claim does not exist in the token")
 	}
 	pattern := `^https://login\.microsoftonline\.com/([a-zA-Z0-9-]+)/v2\.0$`
 	re := regexp.MustCompile(pattern)
 	matches := re.FindStringSubmatch(value.(string))
 	if len(matches) > 1 {
 		return matches[1], nil
 	}
 	return "", fmt.Errorf("invalid issuer in the ID token")
 }
 func (p *MicrosoftEntraIDProvider) checkTenantMatchesTenantList(tenant string, allowedTenantList []string) bool {
 	for _, allowedTenant := range allowedTenantList {
 		if tenant == allowedTenant {
 			return true
 		}
 	}
 	return false
 }
--- a/providers/ms_entra_id_test.go
+++ b/providers/ms_entra_id_test.go
@ -0,0 +1,185 @@
 package providers
 import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/stretchr/testify/assert"
 	. "github.com/onsi/gomega"
 )
 func TestAzureEntraOIDCProviderNewMultiTenant(t *testing.T) {
 	g := NewWithT(t)
 	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
 		options.Provider{OIDCConfig: options.OIDCOptions{
 			IssuerURL:                      "https://login.microsoftonline.com/common/v2.0",
 			InsecureSkipIssuerVerification: true,
 		}},
 	)
 	g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
 }
 func TestAzureEntraOIDCProviderNewSingleTenant(t *testing.T) {
 	g := NewWithT(t)
 	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
 		options.Provider{OIDCConfig: options.OIDCOptions{
 			IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
 		}},
 	)
 	g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
 }
 func TestAzureEntraOIDCProviderEnrichSessionGroupOverage(t *testing.T) {
 	// Create ID Token that indicates group overage with _claim_names
 	key, _ := rsa.GenerateKey(rand.Reader, 2048)
 	claimsWithGroupOverage := &claimsWithGroupOverage{
 		jwt.RegisteredClaims{
 			Issuer: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
 		},
 		map[string]string{"groups": "src1"},
 	}
 	jwtWithClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithGroupOverage)
 	signedJWT, err := jwtWithClaims.SignedString(key)
 	assert.NoError(t, err)
 	session := CreateAuthorizedSession()
 	session.IDToken = signedJWT
 	session.Email = "mock@example.com"
 	// Create provider
 	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
 		options.Provider{OIDCConfig: options.OIDCOptions{
 			IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
 		}},
 	)
 	// Create mocked Azure Graph server and override Graph URL
 	mockedGraph := mockGraphAPI(false)
 	mockedGraphURL, _ := url.Parse(mockedGraph.URL)
 	updateURL(provider.microsoftGraphURL, mockedGraphURL.Host)
 	// Test EnrichSession
 	err = provider.EnrichSession(context.Background(), session)
 	assert.NoError(t, err)
 	assert.Contains(t, session.Groups, "85d7d600-7804-4d92-8d43-9c33c21c130c")
 	assert.Contains(t, session.Groups, "916f0604-8a3b-4a69-bda9-06db11a8f0cd")
 	assert.Contains(t, session.Groups, "b1aef995-6b55-4ac6-bbfe-e829810e9352", "Pagination using $skiptoken failed")
 }
 func TestAzureEntraOIDCProviderValidateSessionAllowedTenants(t *testing.T) {
 	// Create multi-tenant Azure Entra provider with allowed tenants
 	provider := NewMicrosoftEntraIDProvider(
 		&ProviderData{
 			Verifier: &mockedVerifier{},
 		},
 		options.Provider{
 			OIDCConfig: options.OIDCOptions{
 				IssuerURL:                      "https://login.microsoftonline.com/common/v2.0",
 				InsecureSkipIssuerVerification: true,
 				InsecureSkipNonce:              true,
 			},
 			MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{
 				AllowedTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},
 			},
 		},
 	)
 	// Check for invalid tenant
 	key, _ := rsa.GenerateKey(rand.Reader, 2048)
 	idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
 		Issuer: "https://login.microsoftonline.com/invalid_tenant/v2.0",
 	})
 	invalidJWT, err := idToken.SignedString(key)
 	assert.NoError(t, err)
 	session := CreateAuthorizedSession()
 	session.IDToken = invalidJWT
 	valid := provider.ValidateSession(context.Background(), session)
 	assert.False(t, valid)
 	// Check for valid tenant
 	idToken = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
 		Issuer: "https://login.microsoftonline.com/85d7d600-7804-4d92-8d43-9c33c21c130c/v2.0",
 	})
 	validJWT, err := idToken.SignedString(key)
 	assert.NoError(t, err)
 	session = CreateAuthorizedSession()
 	session.IDToken = validJWT
 	valid = provider.ValidateSession(context.Background(), session)
 	assert.True(t, valid)
 }
 func mockGraphAPI(noGroupMemberPermissions bool) *httptest.Server {
 	groupsPath := "/v1.0/me/transitiveMemberOf"
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
 			if noGroupMemberPermissions {
 				w.WriteHeader(401)
 			} else if r.URL.Path == groupsPath && r.Method == http.MethodGet && len(r.URL.Query()["$skiptoken"]) > 0 {
 				// Second page (pagination)
 				w.Write([]byte(`{
 					"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
 					"value": [
 						{
 							"@odata.type": "#microsoft.graph.group",
 							"id": "b1aef995-6b55-4ac6-bbfe-e829810e9352"
 						}
 					]
 				}`))
 			} else if r.URL.Path == groupsPath && r.Method == http.MethodGet {
 				// First page (pagination)
 				w.Write([]byte(fmt.Sprintf(`{
 					"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
 					"@odata.nextLink": "http://%s/v1.0/me/transitiveMemberOf?$select=id&$top=2&$skiptoken=TEST_TOKEN",
 					"value": [
 						{
 							"@odata.type": "#microsoft.graph.group",
 							"id": "85d7d600-7804-4d92-8d43-9c33c21c130c"
 						  },
 						  {
 							"@odata.type": "#microsoft.graph.group",
 							"id": "916f0604-8a3b-4a69-bda9-06db11a8f0cd"
 						  }
 					]
 				}`, r.Host)))
 			}
 		},
 	))
 }
 type claimsWithGroupOverage struct {
 	jwt.RegisteredClaims
 	ClaimNames interface{} `json:"_claim_names,omitempty"`
 }
 func (c *claimsWithGroupOverage) Valid() error {
 	return nil
 }
 type mockedVerifier struct {
 }
 func (v *mockedVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {
 	return nil, nil
 }
--- a/providers/providers.go
+++ b/providers/providers.go
@ -41,6 +41,8 @@ func NewProvider(providerConfig options.Provider) (Provider, error) {
 		return NewADFSProvider(providerData, providerConfig), nil
 	case options.AzureProvider:
 		return NewAzureProvider(providerData, providerConfig.AzureConfig), nil
 	case options.MicrosoftEntraIDProvider:
 		return NewMicrosoftEntraIDProvider(providerData, providerConfig), nil
 	case options.BitbucketProvider:
 		return NewBitbucketProvider(providerData, providerConfig.BitbucketConfig), nil
 	case options.DigitalOceanProvider:
@ -181,7 +183,7 @@ func providerRequiresOIDCProviderVerifier(providerType options.ProviderType) (bo
 	case options.BitbucketProvider, options.DigitalOceanProvider, options.FacebookProvider, options.GitHubProvider,
 		options.GoogleProvider, options.KeycloakProvider, options.LinkedInProvider, options.LoginGovProvider, options.NextCloudProvider:
 		return false, nil
-	case options.ADFSProvider, options.AzureProvider, options.GitLabProvider, options.KeycloakOIDCProvider, options.OIDCProvider:
+	case options.ADFSProvider, options.AzureProvider, options.GitLabProvider, options.KeycloakOIDCProvider, options.OIDCProvider, options.MicrosoftEntraIDProvider:
 		return true, nil
 	default:
 		return false, fmt.Errorf("unknown provider type: %s", providerType)