What Keycloak version do you use?

We deploy Keycloak 26.x (latest stable) for all new projects. For existing deployments, we offer migration paths from Keycloak 18+ (including the legacy WildFly-based versions) to the modern Quarkus-based distribution.

How long does a typical project take?

Simple implementations (passkeys, theming) take 5-10 business days. Multi-tenancy and HA clusters typically take 2-3 weeks. Full CIAM overhauls run 4-6 weeks. We provide exact timelines in our fixed-price proposals.

Can you migrate us from Okta, Auth0, or Firebase Auth?

Yes. We have battle-tested migration playbooks for Okta, Auth0, Firebase Auth, AWS Cognito, and Azure AD B2C. We handle user migration, session continuity, and social login re-linking with zero downtime.

What does 'fixed price' mean? Are there hidden costs?

Our quotes are all-inclusive. The price covers discovery, architecture, implementation, testing, deployment, documentation, and 30-day warranty support. Infrastructure costs (cloud hosting) are separate and transparently estimated upfront.

Do you offer ongoing managed services?

Yes. Our Managed Keycloak-as-a-Service starts at $1,800/month and includes 24/7 monitoring, patching, scaling, security updates, and incident response. Think of it as your dedicated Keycloak ops team without the hiring overhead.

Is Keycloak really enterprise-ready?

Absolutely. Keycloak is backed by Red Hat (IBM), powers thousands of enterprise deployments globally, and is the upstream for Red Hat SSO. It supports SAML 2.0, OIDC, LDAP/AD federation, and every enterprise SSO protocol you need.

What about vendor lock-in?

Zero. Keycloak is 100% open source (Apache 2.0). You own your deployment, your data, and your configuration. Everything we build is yours — full source code, Terraform configs, and documentation included in every project.

Do you work with our existing DevOps team?

Yes. We integrate seamlessly with your existing CI/CD pipelines, cloud infrastructure, and DevOps workflows. We provide Terraform/OpenTofu IaC, Helm charts, and comprehensive runbooks so your team can maintain the deployment independently.

Keycloak Microsoft Entra ID Identity Provider Setup

Introduction

Configuring Microsoft Entra ID as an identity provider in Keycloak lets users sign in with their Microsoft work or school account (or personal Microsoft account, depending on your app registration). Keycloak has a built-in Microsoft provider type that pre-fills the correct OAuth 2.0 endpoints.

This guide covers both single-tenant setups (your Entra ID tenant only) and multi-tenant setups (any Microsoft account or any organizational account). Keycloak 24+ and a Microsoft Entra ID (formerly Azure Active Directory) tenant are required.

How identity brokering works

The login flow goes: user clicks "Sign in with Microsoft" → Keycloak redirects to Entra ID → user authenticates → Entra ID sends an authorization code to Keycloak's broker endpoint → Keycloak exchanges it for tokens → Keycloak creates or links the user → user lands in your application.

The redirect URI you register in Azure is:

https://keycloak.example.com/realms/YOUR_REALM/broker/Microsoft/endpoint

The alias Microsoft is the default for the built-in Microsoft provider. If you use the generic OIDC provider instead, the alias is whatever you choose.

Prerequisites

Keycloak 24+ running on HTTPS
A Keycloak realm with admin access
An Azure account with permission to create app registrations in a Microsoft Entra ID tenant

Step 1 — Register an application in Azure Portal

Go to the Azure Portal at portal.azure.com:

Microsoft Entra ID → App registrations → New registration
Name: keycloakPro
Supported account types — choose based on your use case:
- Accounts in this organizational directory only — single tenant, your users only
- Accounts in any organizational directory — multi-tenant, users from any Microsoft organization
- Accounts in any organizational directory and personal Microsoft accounts — broadest access
Redirect URI: Web → https://keycloak.example.com/realms/YOUR_REALM/broker/Microsoft/endpoint
Click Register

Azure Portal New app registration page showing the Name field set to keycloak, Supported account types with three radio button options, and Redirect URI set to the Keycloak broker endpoint URL — The account type determines which users can authenticate — single tenant is the right choice for internal employee login

After registration, note the Application (client) ID and Directory (tenant) ID on the app's Overview page. You'll need both.

Azure Portal app registration Overview page showing the Application client ID and Directory tenant ID values — Copy both IDs now — the client ID goes into Keycloak, and the tenant ID identifies your specific Entra ID directory for single-tenant setups

Step 2 — Create a client secret

Certificates & secrets → New client secret
Description: keycloakPro
Expires: choose 12 or 24 months (calendar this for rotation)
Click Add
Copy the Value immediately — Azure hides it after you leave the page

Azure Portal Certificates and secrets page showing a newly created client secret with the Value field highlighted and a warning that the value cannot be viewed after leaving this page — Copy the Value column, not the Secret ID — the Value is the actual secret string you paste into Keycloak

Step 3 — Configure the Identity Provider in Keycloak

In the Keycloak admin console:

Select your realm
Identity Providers → Add provider → Microsoft
Client ID: paste the Application (client) ID from Step 1
Client Secret: paste the client secret Value from Step 2
Default Scopes: openid profile email (Keycloak pre-fills this)

Click Add.

Keycloak admin console Identity Providers page showing the Microsoft provider configuration with Client ID and Client Secret fields filled in — The built-in Microsoft provider uses the common tenant endpoint by default — it accepts any Microsoft account type based on your app registration's account type setting

3.1 — Single-tenant restriction (optional)

If you registered a single-tenant app, the built-in Microsoft provider still uses the common endpoint by default. Any user with a valid Microsoft account can attempt login, but Entra ID will reject users outside your tenant during the token exchange.

For a stricter setup using only your tenant's endpoint, use the generic OpenID Connect v1.0 provider instead:

Identity Providers → Add provider → OpenID Connect v1.0
Alias: microsoft
Client ID: Application (client) ID
Client Secret: client secret Value
Default Scopes: openid profile email

This approach locks authentication to your specific Entra ID tenant.

Keycloak admin console showing the OpenID Connect v1.0 provider form configured for a tenant-specific Microsoft Entra ID setup — Configure the OpenID Connect v1.0 provider to prevent users from other organizations from being redirected to your Keycloak

Step 4 — Configure attribute mappers

Microsoft's OIDC token includes these claims by default:

Entra ID claim	Description
`oid`	Unique object ID for the user (stable across sign-ins)
`preferred_username`	UPN or email (e.g., `[email protected]`)
`name`	Display name
`email`	Email — only if configured as an optional claim

The email claim is not included by default in Entra ID tokens. Add it:

Azure Portal → App registrations → your app → Token configuration
Add optional claim → Token type: ID → Claim: email
Click Add

Azure Portal Token configuration page showing the Add optional claim dialog with ID token type selected and email claim checked — The email claim is optional in Entra ID — add it explicitly or use preferred_username as the email mapper source instead

In Keycloak, add attribute mappers for the built-in Microsoft provider:

Identity Providers → Microsoft → Mappers → Add mapper

Email mapper:

Mapper type: Attribute Importer
Name: email
Claim: email (or preferred_username if you didn't add the optional claim)
User Attribute Name: email

First name mapper:

Mapper type: Attribute Importer
Name: firstName
Claim: given_name
User Attribute Name: firstName

Last name mapper:

Mapper type: Attribute Importer
Name: lastName
Claim: family_name
User Attribute Name: lastName

Note: given_name and family_name are only present if the user's Entra ID profile has them set. name (display name) is always present.

Keycloak Identity Provider Mappers list showing email, firstName, and lastName attribute importer mappers for the Microsoft provider — If given_name is blank for some users, fall back to using name with a custom mapper that splits on the first space — or accept that some accounts won't have separated first/last names

In Identity Providers → Microsoft → Settings → First Login Flow, the default first broker login flow:

Prompts users to review their profile on first login
Detects existing Keycloak accounts with matching email and offers linking
Creates a new Keycloak user if no match exists

For internal employee apps where everyone already has a Keycloak account, you may want to skip the profile review and auto-link accounts. That requires a custom first login flow — beyond the scope of this guide. For most setups, the default is correct.

Keycloak Microsoft Identity Provider Settings showing First Login Flow set to first broker login and Sync Mode dropdown — Set Sync Mode to force if Entra ID should be the source of truth for user attributes — useful for employee directories

If your Entra ID tenant requires admin consent for the requested permissions, individual users cannot consent for themselves during login. Until an admin pre-consents on behalf of the tenant, authentication fails — Keycloak shows a generic "An error occurred while authenticating with identity provider" error. Grant admin consent once, before users start logging in.

Azure Portal → App registrations → your app → API permissions
Review the listed permissions. The default User.Read (Microsoft Graph, delegated) covers the openid profile email scopes Keycloak requests.
Click Grant admin consent for <your tenant> at the top of the permissions list.
Confirm in the dialog. The Status column should turn to a green Granted for <your tenant> check for each permission.

Azure Portal API permissions page showing the Grant admin consent for tenant button and the Status column with green Granted check marks for the User.Read delegated permission — Grant admin consent once at the tenant level — without it, users see a consent prompt they cannot complete and login fails

The first time a user signs in, Microsoft may show a consent screen confirming the application's requested permissions before redirecting back to Keycloak.

Once admin consent is granted, this screen is handled at the tenant level and users are no longer prompted to consent individually

Open a private browser window and go to your Keycloak realm login page. A Microsoft button appears.

Keycloak login page showing a Sign in with Microsoft button below the standard login form — Microsoft's login button displays the Microsoft logo automatically — Keycloak renders it from the built-in provider metadata

After Microsoft authentication, Keycloak creates a user and shows the review profile page. Confirm the federated account: Keycloak admin → Users → find the user → Identity Provider Links tab.

Keycloak User detail page Identity Provider Links tab showing a microsoft row with the Entra ID object ID as the external user ID — The external user ID is the Entra ID object ID (oid claim) — unique per user within the tenant

Troubleshooting common issues

"AADSTS50011: The redirect URI does not match"

The redirect URI sent to Entra ID doesn't match the one registered in Azure. The exact URI must be in the app registration's Redirect URIs list. Copy it from Keycloak: Identity Providers → Microsoft → Redirect URI field. Also check that the app registration's redirect URI uses Web platform type, not SPA or Mobile.

Users from other tenants can log in when you intended single-tenant only

The built-in Microsoft provider defaults to the common endpoint, which accepts accounts from any tenant. For a stricter single-tenant setup, switch to the generic OpenID Connect v1.0 provider as described in Step 3.1.

The email attribute is blank in Keycloak

The email claim is an optional claim in Entra ID — add it via Token configuration in the Azure Portal (Step 4). Alternatively, use preferred_username as the source for the email mapper: it's the user's UPN (e.g., [email protected]) and is always present.

"An error occurred while authenticating with identity provider"

This generic Keycloak error page (shown after returning from Microsoft) most often means admin consent was not granted for the app registration in Entra ID. When the tenant requires admin consent, users can't self-consent and the token exchange fails. Grant admin consent as described in Step 6. To confirm the root cause, check the Keycloak server log — it usually contains the underlying AADSTS65001 consent message.

"AADSTS65001: The user has not consented"

The user is seeing a consent prompt they can't complete because admin consent is required for the requested scopes. An admin must pre-consent on behalf of all users — see Step 6 for the exact steps.

Client secret expired

Entra ID client secrets have a maximum lifetime of 24 months. After expiry, token exchange fails. Rotate the secret before it expires: create a new secret in Azure, update it in Keycloak, then delete the old one.

"AADSTS700016: Application was not found in the directory"

The Client ID in Keycloak doesn't match any app in the Entra ID tenant being used for authentication. This can happen if you registered the app in one tenant but users are trying to log in from a different one. Verify the Application (client) ID in Azure Portal matches what's in Keycloak.

Production checklist

Client secret expiry noted and rotation reminder set
Client secret stored outside source control
Account type (single tenant vs multi-tenant) chosen deliberately and tested
email optional claim added in Azure token configuration, or preferred_username used as fallback
Attribute mappers configured for email, firstName, lastName
Single-tenant setups using the generic OpenID Connect v1.0 provider (Step 3.1), not the common endpoint
Admin consent granted in Entra ID if required by tenant policy (Step 6)
Tested with accounts from the expected tenant, and verified that accounts from other tenants are blocked if that's the requirement

Need help integrating Microsoft Entra ID with Keycloak?

We deliver production-ready Microsoft Entra ID + Keycloak integrations in 1–3 weeks.

Fixed-price, zero vendor lock-in, full source code ownership.

See integration packages