Kubesense
Integrations/SSO/Microsoft Entra ID

Microsoft Entra ID

Overview

KubeSense supports single sign-on (SSO) authentication through Microsoft Entra ID (formerly Azure AD), enabling secure, passwordless access to your observability platform using your organization's Microsoft credentials.

info: Microsoft Entra ID integration provides enterprise-grade authentication and security for accessing the KubeSense platform.

Prerequisites

Before setting up Microsoft Entra ID integration, ensure you have:

  • Access to the Microsoft Entra admin center (Azure AD)
  • Admin permissions to register applications in Entra ID
  • The KubeSense application URL where authentication will redirect
  • Understanding of your organization's authentication requirements

Step 1: Register KubeSense Application

  1. Go to Microsoft Entra admin centerAzure Portal
  2. In the left-hand menu, navigate to ApplicationsApp registrations
  3. Click New registration
  4. Fill in the application registration form:
    • Name: Enter your application name (e.g., "KubeSense Staging")
    • Supported account types: Choose according to your requirement:
      • "Accounts in this organizational directory only" - For single tenant
      • "Accounts in any organizational directory" - For multi-tenant
      • "Accounts in any organizational directory and personal Microsoft accounts" - For public access
    • Redirect URI (optional at this stage - we'll configure this next):
      • Platform: Select Single-page application (SPA)
      • URI: Enter your KubeSense URL (e.g., https://kubesense.xxx.org/login)
  5. Click Register

note: Keep the Application (client) ID and Directory (tenant) ID that appear after registration, as you'll need these for KubeSense configuration.

Step 2: Configure Platform Settings

After the app is registered, configure the platform settings:

  1. Go to the app registration overview page
  2. Navigate to Authentication in the left-hand panel
  3. Under Platform configurations, click Add a platform
  4. Select Single-page application platform
  5. Add the following URIs:
    • Redirect URI: https://kubesense.xxx.org/login
    • Logout URL: https://kubesense.xxx.org/login (or your actual logout endpoint)
  6. Click Save

warning: Replace the example URLs with your actual KubeSense application URLs. You can add multiple redirect URIs for different environments (development, staging, production).

Step 3: Configure API Permissions

Configure API permissions to avoid consent prompts during authentication:

  1. Navigate to API permissions in the left-hand panel
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Choose the appropriate permissions based on your requirements:
    • Sign in and read user profile: User.Read
    • Read all users' full profiles (if needed): User.Read.All
  5. Click Add permissions

To prevent consent prompts for all users:

  1. If your organization is the default directory, click Grant admin consent for [Your Organization]
  2. Confirm the permission grant

important: Granting admin consent requires appropriate permissions. Only tenant administrators can grant consent for all users.

Step 4: Share Application Details

Retrieve and document the following details from the app registration Overview page:

Required Information:

  • Application (client) ID: A unique identifier for your registered application

    • Example: 3b889c5a-5f4e-4d7c-8e9f-1a2b3c4d5e6f

  • Directory (tenant) ID: Your organization's tenant identifier

    • Example: 1a2b3c4d-5e6f-7890-abcd-ef1234567890

Where to Find These:

  1. In Overview section, you'll find:

    • Application (client) ID: Listed under "Essentials" or "Application ID"
    • Directory (tenant) ID: Listed as "Tenant ID" or "Directory ID"

  2. Copy both values as you'll need to configure it in kubesense deployment values

Configuration in KubeSense

Once tenant ID and client ID are acquired, edit the KubeSense values file. Find the webapp: section and add the following configuration:

webapp:
  microsoft_auth:
    enabled: true
    client_id: YOUR_CLIENT_ID
    tenant_id: YOUR_TENANT_ID

Replace:

  • YOUR_CLIENT_ID with the Application (client) ID from Step 4
  • YOUR_TENANT_ID with the Directory (tenant) ID from Step 4

Additional Configuration Options

Configure Token Lifecycle

For enhanced security, consider configuring token expiration:

  1. Navigate to Token configuration in your app registration
  2. Configure token lifetimes as per your organization's security policies
  3. Set refresh token validity period

Enable Additional User Attributes

To request additional user information:

  1. Go to Token configuration
  2. Add optional claims for user information like email, groups, etc.
  3. Configure claims mapping as needed

Verifying Integration

After configuring Microsoft Entra ID integration:

  1. Test SSO Flow:

    • Navigate to your KubeSense URL
    • Click on the sign-in button
    • You should be redirected to Microsoft sign-in page
    • After successful authentication, you should be redirected back to KubeSense

  2. Check User Profile:

    • Verify that your user profile and email are correctly displayed in KubeSense
    • Confirm that you have appropriate access permissions

  3. Test Logout:

    • Click logout from KubeSense
    • Verify that the session is terminated properly
    • Confirm that you're redirected to the login page

Best Practices

Security

  • Use HTTPS: Always use HTTPS endpoints for redirect URIs in production
  • Limit redirect URIs: Only register the exact URIs you need
  • Regular audits: Periodically review app registrations and permissions
  • Monitor access: Set up alerts for unusual authentication activity

Performance

  • Cache tokens: Implement appropriate token caching to reduce authentication overhead
  • Optimize redirect URIs: Use relative paths where possible
  • Monitor latency: Track authentication latency and optimize if needed

Compliance

  • Audit logs: Enable Microsoft Entra sign-in logs for compliance
  • Data retention: Configure log retention policies according to requirements
  • Privacy: Ensure you have proper consent for user data collection

Troubleshooting

Issue: Redirect URI mismatch

Symptoms: "redirect_uri_mismatch" error during authentication

Solution:

  • Verify that the redirect URI in KubeSense matches exactly with the registered URI in Entra ID
  • Check for trailing slashes, HTTP vs HTTPS, and case sensitivity
  • Ensure the platform type (SPA) matches in both places

Symptoms: Users are prompted for consent during sign-in

Solution:

  • Ensure admin consent has been granted for all required API permissions
  • Check if new permissions were added that need consent
  • Review the API permissions configuration

Issue: Cannot sign in with organization account

Symptoms: Authentication fails or "incompatible account type" error

Solution:

  • Verify the supported account types in the app registration
  • Ensure users have accounts in the correct tenant
  • Check if multi-factor authentication (MFA) is required
  • Verify conditional access policies aren't blocking access

Issue: Session timeout

Symptoms: Users are being logged out frequently

Solution:

  • Review and adjust token expiration settings
  • Check session management configuration
  • Verify refresh token configuration
  • Review Microsoft Entra session settings

Conclusion

Microsoft Entra ID integration provides enterprise-grade authentication for KubeSense, enabling your organization to use existing Microsoft credentials for secure access. By properly configuring the application registration, API permissions, and redirect URIs, you can provide a seamless authentication experience while maintaining security and compliance standards.

back

SSO

next

Google SSO