Setting up SSO with Entra and Portainer (OAuth)

Showing how to authenticate into Portainer with Microsoft SSO.

One of the things I hate is keeping track of various service accounts. Even with a modern password manager it can be a pain. Today I'll be showing how to authenticate into the Portainer instance we set up with our Microsoft account.

Let's log into our Portainer and set up some groundwork. In the Administration Panel go to User-related -> Teams -> Create Team and name it whatever you'd like.

Now if we drop down to Settings -> Authentication we see some options. Let's select OAuth, toggle Automatic user provisioning on, and select the team we just created in the Default Team dropdown.

If we select Microsoft in the Provider dropdown we see it asking for the following fields:

Tenant ID
Application ID
Application key

For these we need to go to our Entra tenant. We go to Applications -> App Registration -> New Registration.

Fill out what you'd like the app name to be, make sure the supported account type is accounts in this org only, then enter your Portainer's URL as the redirect URI and click on Register.

You should be within the App now after registering it. Go to Certificates & Secrets -> New Client Secret. Enter a description and set the expiration time; we're going to go with the default of 180 days.

Click on Add and record the value somewhere safe; it's only going to be shown this one time. This value maps to the Application key field that Portainer wants.

Now if you go to the Overview blade you should see the other two items that are being requested.

Fill out the fields in Portainer and hit Save Settings.

Go to API permissions -> Add a Permission. Select Microsoft Graph and Delegated permissions, then add the following: email, openid, profile. Finally, once they are added, make sure to click Grant Admin Consent for your tenant.

Now if we log out of Portainer and back in we see a new screen. Let's click Login with Microsoft.

If we log in with our MS credentials we should see the Portainer landing page with our MS account in the top right, but we can't view anything yet.

Log out and then back in with the Use Internal Authentication option and our Admin credentials so we can grant our new user permissions. If we go to the Users section we should now see our MS account listed with OAuth authentication.

Click on the user and flip the toggle to Admin. Now your MS account has access to all the things in Portainer.

You could now remove the ability to log in with Internal Auth by flipping the appropriate toggle in the Authentication section, if you trust yourself to remember to update the secret before the one you just made expires.
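Since an expired client secret with internal auth disabled would lock everyone out of Portainer, here is a small expiry check as an added example (not part of the original post or of Portainer). It assumes the JSON shape returned by `az ad app credential list --id <APPLICATION_ID>` (a list of objects with `displayName`, `keyId` and `endDateTime`); the sample below is constructed and its key ids are placeholders.

```python
import json
import sys
from datetime import datetime, timezone


def parse_utc(ts: str) -> datetime:
    """Parse a Graph-style UTC timestamp such as 2025-03-15T00:00:00Z.
    Fractional seconds (Graph may emit 7 digits) are dropped before parsing."""
    ts = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_expiring(creds, now, within_days=30):
    """Return [(displayName, keyId, days_left), ...] for every client secret that
    has already expired or expires within `within_days`, soonest first.
    A negative days_left means the secret is already dead."""
    flagged = []
    for cred in creds:
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left <= within_days:
            name = cred.get("displayName") or "(no description)"
            flagged.append((name, cred["keyId"], days_left))
    return sorted(flagged, key=lambda item: item[2])


# Constructed sample in the assumed shape of `az ad app credential list` output.
# The keyId values are made-up placeholders, not real identifiers.
SAMPLE_CREDS = json.loads("""[
  {"displayName": "portainer-sso", "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2024-09-16T00:00:00Z", "endDateTime": "2025-03-15T00:00:00Z"},
  {"displayName": "old-rotated-out", "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2024-08-05T00:00:00Z", "endDateTime": "2025-02-01T00:00:00.1234567Z"},
  {"displayName": "portainer-sso-2025", "keyId": "00000000-0000-0000-0000-000000000003",
   "startDateTime": "2025-03-01T00:00:00Z", "endDateTime": "2025-08-28T00:00:00Z"}
]""")
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    if sys.stdin.isatty():
        creds, now = SAMPLE_CREDS, SAMPLE_NOW  # demo mode on the constructed sample
    else:
        # Real use: az ad app credential list --id <APPLICATION_ID> | python3 check_secret_expiry.py
        creds, now = json.load(sys.stdin), datetime.now(timezone.utc)
    for name, key_id, days in secrets_expiring(creds, now):
        state = "EXPIRED" if days < 0 else f"expires in {days} day(s)"
        print(f"{name} ({key_id}): {state}")
```

Run it from a scheduled job and alert on any line it prints; with the 180-day default from above, a 30-day warning leaves plenty of time to create a new secret and paste it into Portainer's Application key field before the old one dies.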