Creating an OIDC Provider on Microsoft Entra ID


Follow these steps on Microsoft Azure to create an OIDC provider that will then be connected to VMS. You must have permissions on Azure to create Enterprise Applications.

  1. On Azure, navigate to Enterprise Applications.

  2. Click Create your own application.

  3. Enter a name for the application, and select the option Register an application to integrate with Microsoft Entra ID.

  4. Click Create. The application is created.

  5. Assign users to the app, as necessary.

  6. On Azure, navigate to App Registrations, and select the app created above.

  7. Click on Endpoints (at the top). In the Endpoints side panel, copy the OpenID Connect metadata document URL. This is used as the Discovery URL to configure the provider on VAST VMS.

    For v1.0 the URL has the form: https://login.microsoftonline.com/<TENANT>/.well-known/openid-configuration

    For v2.0: https://login.microsoftonline.com/<TENANT>/v2.0/.well-known/openid-configuration
    where TENANT is your tenant ID on Entra ID. See, for example, https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant for details on how to find your tenant ID.

  8. Optionally, navigate to Authentication (Preview) on the left navigation pane, and add a Redirect URI. To test the OIDC configuration, enter https://jwt.ms.

  9. Navigate to API permissions, and select Grant admin consent for Default Directory. Alternatively, add specific permissions manually.

Authenticating to the OIDC Provider

Once the OIDC provider is configured, you can authenticate a user against the tenant's token endpoint and obtain a JWT (this example uses the OAuth 2.0 password grant):

curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=<client ID>" \
-d "client_secret=<secret>" \
-d "username=user1@vastdata.com" \
-d 'password=<password>' \
-d "grant_type=password" \
-d "resource=https://graph.windows.net" \
https://login.microsoftonline.com/<tenant>/oauth2/token | jq -r .access_token

where client ID is the client ID of your Entra ID application, secret is its client secret, tenant is your Entra ID tenant, and password is the user's password.

Using the VAST STS and OIDC Provider to Generate Credentials for S3 Access

Once you have configured the OIDC provider on Entra ID, following the steps above, and configured the OIDC provider on the VAST Web UI (see OIDC Provider), obtain a JWT as described in Authenticating to the OIDC Provider and then exchange that token for a temporary access key to access S3 resources on the cluster.

  • Generate a temporary access key by assuming an IAM role in VMS with the JWT, for example with this AWS CLI command:

    aws sts assume-role-with-web-identity \
     --duration-seconds 3600 \
     --role-arn "arn:vast::<VAST_TENANT>:role/<IAMROLE>" \
     --role-session-name "AnythingYouWantHere" \
     --web-identity-token "<JWT>" \
     --endpoint-url https://<VIP> \
     --no-verify-ssl

    where VAST_TENANT is the tenant on VMS associated with the OIDC provider, IAMROLE is the IAM role created on VMS, JWT is the token obtained in Authenticating to the OIDC Provider, and VIP is a VIP to access the S3 resource on the cluster (for example, if the resource is an S3 bucket, one of the VIP addresses for it).
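As an added example that is not part of the VAST documentation or tooling, the Python below performs the same assume-role call with boto3 and, before sending the token, checks that its tid claim matches the tenant in the Discovery URL and that it has not expired. It assumes boto3 is installed, that the VAST STS endpoint accepts the unsigned AssumeRoleWithWebIdentity request the way AWS STS does, a placeholder region name that botocore requires, and a constructed unsigned sample token for exercising the checks offline.

```python
import base64
import json
import time
from urllib.parse import urlparse

def tenant_from_discovery_url(url):
    """Return <TENANT> from either metadata URL form shown in step 7
    (.../<TENANT>/.well-known/... or .../<TENANT>/v2.0/.well-known/...)."""
    segments = urlparse(url).path.strip("/").split("/")
    if len(segments) < 2 or segments[-1] != "openid-configuration":
        raise ValueError("not an OpenID Connect metadata document URL")
    return segments[0]

def decode_jwt_claims(jwt):
    """Base64url-decode the JWT payload. This does NOT verify the signature;
    VMS verifies it against the provider's keys when the role is assumed."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token_for_sts(jwt, discovery_url, now=None):
    """Fail fast before calling VAST STS: the token's 'tid' claim must match
    the tenant in the Discovery URL and 'exp' must still be in the future."""
    claims = decode_jwt_claims(jwt)
    expected = tenant_from_discovery_url(discovery_url)
    if claims.get("tid") != expected:
        raise ValueError(f"token tenant {claims.get('tid')!r} != {expected!r}")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def unsigned_sample_jwt(claims):
    """Constructed, UNSIGNED token for offline checks only (a real token is RS256-signed)."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."

def s3_client_from_jwt(jwt, discovery_url, vast_tenant, iam_role, vip, verify=True):
    """Assume the VMS IAM role with the JWT (the CLI call above, via boto3) and
    return an S3 client bound to the temporary credentials."""
    import boto3  # imported here so the offline checks above need no boto3
    check_token_for_sts(jwt, discovery_url)
    # region_name is a placeholder botocore insists on; the endpoint is the VIP
    sts = boto3.client("sts", endpoint_url=f"https://{vip}", verify=verify, region_name="us-east-1")
    creds = sts.assume_role_with_web_identity(
        RoleArn=f"arn:vast::{vast_tenant}:role/{iam_role}", RoleSessionName="vast-s3",
        WebIdentityToken=jwt, DurationSeconds=3600)["Credentials"]
    return boto3.client("s3", endpoint_url=f"https://{vip}", verify=verify,
                        aws_access_key_id=creds["AccessKeyId"], aws_session_token=creds["SessionToken"],
                        aws_secret_access_key=creds["SecretAccessKey"])
```

Pass verify=False only where the CLI example's --no-verify-ssl would be used; the returned client is then used like any S3 client (for example list_buckets()).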