How to configure authentication with Entra ID

Entra ID is an Identity and Access Management offering from Microsoft. It is commonly used as a central location for managing users, groups, roles, and their privileges across many applications and deployments.

LXD supports authentication Entra ID via OpenID Connect (OIDC) (see OpenID Connect authentication). To configure authentication with Entra ID, follow the steps below.

We assumed that LXD is initialized and accessible over HTTPS on port 8443 (see How to expose LXD to the network for instructions). It is also assumed that you have access to an Entra ID tenant.

1. In your Entra ID tenant, go to Identity > Applications > App registrations in the left panel.

   

   Entra ID App registrations

2. Click + New registration. Then choose a name for the application (for example LXD).

   

   Entra ID set application name

3. Under Redirect URI (optional), select Public client/native (mobile & desktop) and type:

   https://<your-LXD-hostname>/oidc/callback
   

   

   Entra ID set redirection URI

4. Click Register.

5. In the configuration page for your new application, go to Authentication in the Manage menu.

   

   Entra ID authentication

6. Scroll down to Advanced settings. Under Allow public client flows, toggle Yes and click Save.

   

   Entra ID enable public client flows

7. In the configuration page for your new application, go to API permissions in the Manage menu.

   

   Entra ID API permissions

8. Go to Configured permissions and click + Add a permission.

   

   Entra ID add a permission

9. Click Microsoft Graph in the right panel.

   

   Entra ID Graph API permissions

10. Click Delegated permissions.

    

    Entra ID Graph API delegated permissions

11. Select all OpenId permissions, then click Add permissions.

    

    Entra ID OpenID permissions

12. Above the Manage menu, go to Overview and copy the Application (client) ID.

    

    Entra ID copy client ID

13. Set this as the client ID in LXD:

    lxc config set oidc.client.id <your-client-id>
    

14. While still in Overview, click Endpoints and copy the URL under OpenID Connect metadata document.

    

    Entra ID tenant discovery URL

15. Navigate to the URL that you copied. This URL will display some output in JSON format.

16. Copy the URL from the issuer field. Then set this as the oidc.issuer in LXD:

    lxc config set oidc.issuer <your-issuer>
    

    Alternatively, execute this command:

    lxc config set oidc.issuer "$(curl <URL that you copied> | jq -r .issuer)"
    

You can now navigate to the LXD UI in your browser. When you click Login with SSO, you will be redirected to Entra ID to authenticate.

In the terminal, add this LXD server as a remote by running:

lxc remote add <remote-name> <remote-url> --auth-type oidc

This prompts you to accept the public certificate fingerprint of the remote server, which should match the value for certificate shown in lxc info. If you accept, the CLI then displays a unique login code and opens your browser. In the browser, log in to your Entra ID tenant and enter the code. Once the CLI process has completed, you can connect to the remote server.