Integrating Azure Active Directory with HashiCorp Vault for Multi-Application Access

28 Jun 2025

Introduction:

In today’s cloud-driven environments, managing secrets securely and efficiently is a top priority, especially when multiple applications and services need access to sensitive credentials. HashiCorp Vault offers robust tools for secrets management, while Azure Active Directory (Azure AD, now Microsoft Entra ID) provides identity and access management for users, groups and applications.

But how do you bring these two worlds together?

In this blog, we’ll walk you through how to integrate Azure AD with HashiCorp Vault, enabling seamless and secure authentication for multiple applications across your environment. Whether you’re building a microservices architecture or managing enterprise workloads, this guide will help you centralize authentication, reduce operational overhead, and enforce consistent access controls.

We’ll cover:

🔑 Configuring Azure AD for Vault and Other Service Integrations
🏗️ Configuring Vault to trust Azure AD tokens
📦 Accessing Vault from multiple applications using Azure AD identities


🔑 Configuring Azure AD for Vault and Other Service Integrations:

1. Register the Application

Creates an identity for the app in Azure AD so that it can authenticate users and receive tokens.

Steps:

  • Azure Portal → App registrations → New registration
  • Enter a Name, then click Register.
  • From the App Overview, copy:
    • Application (client) ID
    • Directory (tenant) ID

2. Create Client Secret

A client secret is the app’s password for requesting tokens from Azure AD. Vault needs it because it acts as a confidential client in the authorization code flow (it exchanges the code for an ID token server-side); the frontend SPA does not get one.

Steps:

  • Go to Manage → Certificates & secrets → Client secrets.
  • Click New client secret, provide a description and an expiry.
  • Click Add.
  • Important: Copy the secret value immediately; it will not be shown again. Note the expiry date as well, because Vault logins stop working when the secret expires.

3. Configure Token Claims

Adding the groups claim to the ID and access tokens makes Azure AD list the security groups the user belongs to, by group Object ID, inside each token. Vault reads that list through groups_claim and matches the IDs against its group aliases, so this step is what turns Azure AD group membership into Vault policies.

Steps:

  • Go to Manage → Token configuration.
  • Click + Add groups claim.
  • Under the group types, select Security groups; leave the claim format at Group ID for both ID and access tokens.
  • Save.

4. Configure Redirect URIs

Redirect URIs define where Azure AD may send the authorization code after login. Azure AD rejects any callback that is not registered exactly, so every URL that handles a sign-in callback must be listed here, and nothing else should be.

Steps:

  • Go to Manage → Authentication.
  • Add the following Redirect URIs:

Web (Vault & backend):

https://<backend-domain>/login/oauth2/code/azure  (Backend)
https://<vault-domain>/ui/vault/auth/oidc/oidc/callback  (Vault UI)
http://localhost:8250/oidc/callback  (Vault CLI; the CLI’s OIDC login starts a local listener on port 8250 by default, and Azure AD accepts plain http only for localhost)

SPA (Frontend):

https://<frontend-domain>

5. Configure API Permissions

Grants the app permission to read the signed-in user’s identity and profile, which is what the ID token’s name and email claims are built from.

Steps:

  • Go to Manage → API permissions.
  • Click + Add a permission → Microsoft Graph.
  • Add delegated permissions:
    • openid (OpenID Connect sign-in)
    • email (read the user’s email address)
    • profile (read the user’s basic profile)
    • User.Read (read the signed-in user’s profile)

6. Expose an API

Defines a custom scope that clients request when they want a token for this application. Requesting it makes Azure AD issue an access token whose audience is this app’s App ID URI (api://<client-id>), and that audience is what the Vault JWT role will bind on. Without an exposed scope a client would only receive tokens meant for Microsoft Graph, which are not intended to be validated by anyone but Graph.

Steps:

  • Go to Manage → Expose an API.
  • If prompted, accept the default Application ID URI api://<client-id>.
  • Click + Add a scope.
  • Fill in:
    • Scope name (e.g., user)
    • Description
    • Who can consent? → Admins and users
  • Save.

7. Create a Security Group

Controls which users can access the app by grouping allowed users together.

Steps:

  • Go to Microsoft Entra ID → Groups → New group.
  • Group type: Security.
  • Assign Owners.
  • Select Members to include.
  • Save.

8. Assign Group to the Registered App

Ensures that only members of the group can access the app.

Steps:

  • Go to Enterprise applications → select your registered app.
  • Under Manage → Properties, set Assignment required? to Yes. Without this, any user in the tenant can complete the sign-in; with it, Azure AD refuses to issue tokens to users who are not assigned.
  • Under Manage → Users and groups, click Add user/group, then select the created group.

🏗️ Configuring Vault to trust Azure AD tokens:

Information required from the Azure portal configuration:

Info                      Where to find it
Application (client) ID   App Overview
Directory (tenant) ID     App Overview
Client Secret             Certificates & secrets
Scope                     Expose an API (e.g., api://<client-id>/user)
Group Object ID           Microsoft Entra ID → Groups

Set Up OIDC Authentication

1. Enable OIDC Authentication Method

vault auth enable oidc

This activates the OIDC auth method, which lets Vault run the OpenID Connect authorization code flow against Azure AD for browser-based logins (the Vault UI and the CLI).

2. Configure OIDC Connection to Azure AD

vault write auth/oidc/config \
    oidc_discovery_url="https://login.microsoftonline.com/<tenant-id>/v2.0" \
    oidc_client_id="<application-client-id>" \
    oidc_client_secret="<client-secret-value>" \
    bound_issuer="https://login.microsoftonline.com/<tenant-id>/v2.0" \
    default_role="<role-name>"
  • Points Vault at the tenant’s v2.0 OIDC discovery document, from which it fetches the authorization, token and signing-key (JWKS) endpoints.
  • Sets the client credentials Vault presents to Azure AD when it exchanges the authorization code for an ID token. Vault is the confidential client here, so the secret belongs in this config only, never in the frontend.
  • bound_issuer must equal the iss claim of the tokens this mount receives. ID tokens from the v2.0 endpoint carry https://login.microsoftonline.com/<tenant-id>/v2.0; the v1.0 issuer https://sts.windows.net/<tenant-id>/ only appears in v1.0 tokens and would not match here.
  • Defines the default role, which determines the claim mapping and the policies attached to the resulting Vault token.

3. Create OIDC Role

vault write auth/oidc/role/<role-name> \
  user_claim="name" \
  oidc_scopes="openid,profile,email,<created-scope (e.g., api://<client-id>/user)>" \
  allowed_redirect_uris="https://<vault-domain>/ui/vault/auth/oidc/oidc/callback" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback" \
  groups_claim="groups" \
  verbose_oidc_logging="true" \
  ttl="1h"
  • Defines which claim becomes the entity alias name (user_claim), which claim carries group memberships (groups_claim), and the scopes Vault requests from Azure AD. name is a display name, not a unique identifier, so two users with the same display name would share one Vault entity; oid (the immutable object ID) or preferred_username is a safer alias key.
  • Lists the redirect URIs Vault itself will accept for login callbacks; passing allowed_redirect_uris twice builds a list, and each value must also be registered in Azure AD exactly as written.
  • verbose_oidc_logging writes received tokens and claims to Vault’s log at debug level. It is useful while wiring things up but should be turned off afterwards, because the logged claims are sensitive.
  • Sets the lifetime of the Vault token issued on login.

Set Up JWT Authentication

1. Enable JWT Authentication Method

vault auth enable jwt

This activates the JWT auth method for programmatic clients (here the backend application) that already hold an access token issued by Azure AD and present it to Vault directly, without any browser redirect.

2. Configure JWT Connection to Azure AD

vault write auth/jwt/config \
  oidc_discovery_url="https://login.microsoftonline.com/<tenant-id>/v2.0" \
  bound_issuer="https://sts.windows.net/<tenant-id>/" \
  default_role="<role-name>"
  • Sets up Vault to verify JWT signatures against the tenant’s signing keys, which it locates through the discovery document. No client secret is needed: Vault never contacts Azure AD on a user’s behalf here, it only validates tokens that the applications obtained themselves.
  • bound_issuer must equal the iss claim of the access tokens the applications present. Azure AD issues v1.0 access tokens, with iss https://sts.windows.net/<tenant-id>/, for an exposed api:// scope unless the app manifest’s accessTokenAcceptedVersion (requestedAccessTokenVersion in the Microsoft Graph manifest format) is set to 2, in which case iss is https://login.microsoftonline.com/<tenant-id>/v2.0. Decode one real token and copy its iss rather than assuming.
  • Uses the same default role name as the OIDC mount, although the two roles are separate objects on separate mounts.

3. Create JWT Role

vault write auth/jwt/role/<role-name> \
  role_type="jwt" \
  bound_audiences="api://<client-id>" \
  user_claim="name" \
  groups_claim="groups" \
  ttl="1h"
  • Defines how presented JWTs are validated and mapped to Vault identities. oidc_scopes is an OIDC-role setting and has no effect on a jwt role: the scopes are requested by the application that obtains the token, not by Vault.
  • bound_audiences restricts which tokens are accepted: a token is rejected unless one of its aud values matches. For v1.0 access tokens the audience of the exposed scope is the App ID URI api://<client-id>; v2.0 access tokens carry the bare client ID instead, so bind whichever your tokens actually contain (both can be listed). Without this binding, any token signed by the tenant, including ones issued for other apps, would log in.
  • user_claim must exist in every token presented: delegated user tokens carry name, app-only tokens obtained with client credentials do not, so a role used by services should bind on oid or sub instead. name is also a non-unique display name, so alias names based on it can collide.
  • Sets the lifetime of the Vault token issued on login.
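Before copying bound_issuer and bound_audiences from a guide, decode one of the tokens your applications will actually present and take the values from it. The script below is an added example, not code from the original post or from HashiCorp: it decodes a JWT without verifying it (inspection only; Vault does the signature, exp and nbf checks) and applies the issuer, audience, user_claim and groups_claim checks a jwt role applies, on constructed sample tokens whose tenant, client, group and object IDs are made up. It also flags the groups "overage" case, where Azure AD drops the groups array (at roughly 200 groups for a JWT) and leaves a _claim_names reference instead; Vault’s jwt and oidc auth methods can resolve that through Microsoft Graph when the mount’s provider_config sets provider to azure.

```python
"""Inspect an Azure AD token the way Vault's jwt/oidc auth will see it.

Added example, not code from the original post or from HashiCorp. The token is
decoded WITHOUT signature verification (inspection only; Vault verifies the
signature, exp and nbf against the tenant's JWKS). The goal is to read the real
iss, aud, user_claim and groups values before setting bound_issuer,
bound_audiences and the group aliases.
"""
import base64
import hashlib
import hmac
import json

# Constructed identifiers for the sample tokens below; not real tenant/app/group IDs.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
GROUP_ID = "99999999-8888-7777-6666-555555555555"
SP_OBJECT_ID = "0f0f0f0f-1e1e-2d2d-3c3c-4b4b4b4b4b4b"
ISSUER_V1 = f"https://sts.windows.net/{TENANT_ID}/"
ISSUER_V2 = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build an HS256 JWT from constructed claims. Real Azure AD tokens are RS256;
    this signature is never verified, it only gives the sample the three-part shape."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """Return the payload claims without checking the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def vault_view(token, bound_issuer, bound_audiences, user_claim="name", groups_claim="groups"):
    """Apply the claim checks a Vault jwt role applies and report what Vault would
    use as the entity alias name and as group alias names."""
    c = decode_unverified(token)
    problems = []

    if c.get("iss") != bound_issuer:
        problems.append(f"iss {c.get('iss')!r} != bound_issuer {bound_issuer!r}")

    aud = c.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    if not set(auds) & set(bound_audiences):
        problems.append(f"aud {auds!r} matches none of bound_audiences {bound_audiences!r}")

    if user_claim not in c:
        problems.append(f"user_claim {user_claim!r} missing; claims present: {sorted(c)}")

    groups = c.get(groups_claim)
    if groups is None:
        if groups_claim in c.get("_claim_names", {}):
            # Azure AD omits the array above ~200 groups and points to Graph instead.
            problems.append("groups overage: array omitted; resolve via Microsoft Graph "
                            "(Vault provider_config provider=azure) or no group alias matches")
        else:
            problems.append(f"no {groups_claim!r} claim: add the groups claim in Token configuration")
        groups = []

    return {
        "token_version": c.get("ver"),
        "alias_name": c.get(user_claim),        # entity alias name in Vault
        "group_alias_names": list(groups),      # must equal identity/group-alias names
        "problems": problems,
        "accepted": not problems,
    }


# Constructed sample tokens: a delegated v1.0 user token for the exposed scope, and
# an app-only v2.0 token from the client-credentials grant with a groups overage.
SAMPLE_USER_TOKEN_V1 = make_sample_token({
    "ver": "1.0", "iss": ISSUER_V1, "aud": f"api://{CLIENT_ID}", "tid": TENANT_ID,
    "oid": "7b7b7b7b-0000-0000-0000-000000000001", "name": "Ada Lovelace",
    "scp": "user", "groups": [GROUP_ID], "exp": 1760000000,
})
SAMPLE_APP_TOKEN_V2 = make_sample_token({
    "ver": "2.0", "iss": ISSUER_V2, "aud": CLIENT_ID, "tid": TENANT_ID,
    "oid": SP_OBJECT_ID, "sub": SP_OBJECT_ID, "azp": CLIENT_ID,
    "_claim_names": {"groups": "src1"}, "exp": 1760000000,
})
```

Run vault_view on a token captured from your backend with the bound_issuer and bound_audiences you intend to configure; an empty problems list means the role as written will accept it, and alias_name and group_alias_names are the exact strings Vault will compare against its entity and group aliases.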

Manage Identity Groups and Mappings

1. Create External Groups and Map to Vault Policies

vault write identity/group name="<group-name>" type="external" policies="<policy-name>"
  • Creates an external identity group in Vault. Its membership is not managed in Vault; it is derived at login time from the groups claim of the token.
  • Attaches Vault policies (e.g., global) that define what members of the group can do.

2. Create Group Alias for OIDC

The alias maps the Azure AD group’s Object ID to the Vault identity group, so that when a user logs in with an OIDC token whose groups claim contains that ID, Vault knows which policies to grant.

vault write identity/group-alias \
  name="<Azure AD Group Object ID>" \
  canonical_id="$(vault read -field=id identity/group/name/<group-name>)" \
  mount_accessor="$(vault auth list -format=json | jq -r '.["oidc/"].accessor')"
  • The alias name must be exactly the value that appears in the groups claim, i.e. the group’s Object ID, not its display name.
  • The mount accessor scopes the alias to one auth method mount (oidc/ here); a login through a different mount does not match it.

3. Create External Group for JWT and Alias

vault write identity/group name="<group-name>" type="external" policies="<policy-name>"
vault write identity/group-alias \
  name="<Azure AD Group Object ID>" \
  canonical_id="$(vault read -field=id identity/group/name/<group-name>)" \
  mount_accessor="$(vault auth list -format=json | jq -r '.["jwt/"].accessor')"
  • Same as OIDC, but for JWT-based logins. A second external group is needed because an external group can carry only one alias, so one group per mount is required even when both point at the same Azure AD group; give it a distinct <group-name>.
  • Ensures that programmatic clients using JWTs are mapped to the same Vault policies as interactive users.
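With the jwt mount, role and group alias in place, an application logs in by POSTing its Azure AD access token to auth/jwt/login and uses the returned Vault token for everything after that. The client below is an added example (not code from the original post, HashiCorp or Microsoft) showing both sides of that exchange: the Azure AD client-credentials request a service would make for an app-only token (api://<client-id>/.default), the Vault login, a KV v2 read and self-revocation, run against a constructed in-memory FakeVault so it works offline. The Vault address, role name, KV mount and secret path are assumptions. An app-only token has no name claim, so a role used by services needs user_claim set to something such tokens carry, e.g. oid.

```python
"""Log an application into Vault with an Azure AD token and read a secret.

Added example (not code from the original post or from HashiCorp). Uses only the
standard library and the documented Vault HTTP API paths: POST /v1/auth/jwt/login,
GET /v1/<kv-mount>/data/<path>, POST /v1/auth/token/revoke-self. FakeVault is a
constructed stand-in for those three endpoints; Vault address, role, mount and
secret path are assumptions.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def azure_client_credentials_request(tenant_id, client_id, client_secret, api_app_client_id):
    """Token request an app-only (service) client sends to Azure AD. Client credentials
    must ask for the API's /.default scope; the named 'user' scope is delegated and
    only appears in tokens obtained on behalf of a signed-in user."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"api://{api_app_client_id}/.default"}
    return url, urllib.parse.urlencode(form).encode()


def http_json(method, url, headers=None, body=None):
    """Default transport: one HTTPS request, (status, parsed JSON) back. Vault reports
    errors as JSON with a 4xx status, so HTTPError is turned into a result, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else {})


class VaultJwtClient:
    """Minimal client for Vault's jwt auth method mounted at auth/jwt."""

    def __init__(self, vault_addr, role, transport=http_json):
        self.addr, self.role, self.transport = vault_addr.rstrip("/"), role, transport
        self.token, self.policies = None, []

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        payload = json.dumps(body).encode() if body is not None else None
        status, data = self.transport(method, f"{self.addr}/v1/{path}", headers, payload)
        if status >= 400:
            raise RuntimeError(f"Vault {method} {path}: {status} {data.get('errors', data)}")
        return data

    def login(self, azure_jwt):
        """Exchange the Azure AD access token for a Vault token. The Vault token lives
        for the role's ttl; the Azure token is only examined at login."""
        auth = self._call("POST", "auth/jwt/login", {"role": self.role, "jwt": azure_jwt})["auth"]
        self.token = auth["client_token"]
        # token policies plus the policies inherited through the external group alias
        self.policies = sorted(set(auth.get("policies", [])) | set(auth.get("identity_policies", [])))
        return self.policies

    def read_kv2(self, mount, path):
        """Read a KV v2 secret; the key/value pairs sit under data.data."""
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def logout(self):
        """Revoke our own token rather than letting it live out its ttl."""
        self._call("POST", "auth/token/revoke-self")
        self.token = None


class FakeVault:
    """Constructed stand-in for the three endpoints above (demo/test only). It accepts
    any three-part JWT for the known role; real Vault checks signature, iss, aud and
    claims as configured in the jwt role."""

    def __init__(self, role="backend", token="hvs.CONSTRUCTED", secret=None):
        self.role, self.token, self.revoked = role, token, False
        self.secret = secret or {"db_password": "constructed-value"}

    def transport(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/jwt/login":
            req = json.loads(body)
            if req.get("role") != self.role or req.get("jwt", "").count(".") != 2:
                return 400, {"errors": ["role not found or malformed jwt"]}
            return 200, {"auth": {"client_token": self.token, "policies": ["default"],
                                  "identity_policies": ["app-policy"], "lease_duration": 3600}}
        if headers.get("X-Vault-Token") != self.token or self.revoked:
            return 403, {"errors": ["permission denied"]}
        if method == "GET" and path == "secret/data/app/config":
            return 200, {"data": {"data": self.secret}}
        if method == "POST" and path == "auth/token/revoke-self":
            self.revoked = True
            return 204, {}
        return 404, {"errors": ["unsupported path"]}


def demo(azure_jwt="header.payload.signature"):
    """Run the whole exchange against FakeVault; returns (policies, secret)."""
    fake = FakeVault()
    client = VaultJwtClient("https://vault.example.internal", "backend", fake.transport)
    policies = client.login(azure_jwt)
    secret = client.read_kv2("secret", "app/config")
    client.logout()
    return policies, secret
```

Against a real server, construct the client with the default transport and pass the token your Spring backend already holds for the signed-in user, or the access_token from azure_client_credentials_request for a service identity. The policies returned on login are the quickest check that the group alias fired: app-policy (or whatever you attached to the external group) should appear alongside default.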

Conclusion: Build Secure, Scalable Authentication with Confidence

Integrating Azure Active Directory with HashiCorp Vault provides a powerful foundation for managing authentication and secrets across modern, distributed applications. Whether you’re building a microservices architecture or scaling enterprise systems, this approach ensures centralized control, improved security, and reduced operational complexity.

At Mozaik, we specialize in designing and implementing secure authentication flows tailored to your architecture — whether it’s a Spring Boot backend, Angular frontend, or a cloud-native infrastructure.

💼 Our Services Include:

  • Azure AD and Vault integration consulting
  • Secrets and identity management strategy
  • Secure CI/CD pipeline implementation
  • Application hardening and zero-trust architecture
  • End-to-end development support (frontend + backend)

🛡️ Best Practices We Recommend:

  • Use Azure AD’s managed identities for app-level access
  • Leverage Vault’s dynamic secrets for short-lived credentials
  • Implement role-based access control (RBAC) per service
  • Regularly audit secrets usage and rotate sensitive keys
  • Automate provisioning and revocation with IaC and CI/CD

🔍 Looking to integrate secure identity and secrets management into your apps?
👉 Let Mozaik be your digital software ally. Contact us today for a consultation.