Authentication of Applications with Azure Active Directory


Using oauth2_proxy and Azure Active Directory, you can add limited user authentication to your Azure account and applications. This article will demonstrate how to configure the authentication of a web application with NGINX, oauth2_proxy and Azure.

Creating application registration in Azure Active Directory

The first step is to create an application registration in Azure Active Directory. To do this, first access Azure Active Directory, then click on App registrations and then New application registration.

In the next step, fill in the form with the name of the application, choose Web app / API under application type, and add the URL of your application in Azure. The application used in this walkthrough runs on an ordinary Linux virtual machine, and the URL is the address at which this restricted application is reached.

After creation, the following result will appear:

Click the name of the application, and on the next screen, click on Keys.

Now, we need to define the name and the duration of key expiration. After this is filled in, click Save and copy the key shown in the Value field. I recommend that you save the information in a secure place, because we will use this in the next steps of this configuration.

To complete this Azure configuration, we need to add the allowed users who can access our application. But in the new Azure portal, it is not possible to add users. To add them, we need first to access the old portal in

Authorization of users

Now, in the old portal, click on Active Directory, and click on your directory.

Next, click on Applications, and then on your application info created at the beginning of this article.

To finish, click on Users. Select the users that will have access to the application and click Assign in the bottom menu bar.

That’s all there is to it! Now our application has been configured in Azure, and we are ready to configure the oauth2_proxy and NGINX server.

Configuring NGINX

In the configuration file of your application (inside /etc/nginx/sites-enabled/default), add the following location directives:

This configuration is necessary to integrate oauth2_proxy with NGINX: the directives make NGINX act as a reverse proxy that sends each request through oauth2_proxy before it reaches the application.

Configuring oauth2_proxy

oauth2_proxy is a reverse proxy that authenticates users against an external provider, in this case Azure.

To install oauth2_proxy, go to the download section of the releases page and copy the link so that you can fetch the archive from inside your server.

Then, extract the folder:

Now, we need an executable file that runs oauth2_proxy with the parameters that associate it with our application in Azure. To do this, create a file in /init.d and add the lines below:

The client-id is the Application ID, which you can find in the application properties. The client-secret is the key created earlier on the Keys screen. The upstream is the address and port on which your application is running. NGINX needs to be restarted after oauth2_proxy has been started.
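One way to write such a launcher so that the key copied from the Azure portal never appears on the command line (an added example, not the article's original script): oauth2_proxy also reads the client secret and cookie secret from the `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` environment variables. The file paths, tenant, client ID, e-mail domain and upstream values are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the article's original script. Paths, tenant, client ID,
# e-mail domain and upstream are assumed placeholders; set them for your app.
ENV_FILE="${ENV_FILE:-/etc/oauth2_proxy/secrets.env}"      # assumed path
PROXY_BIN="${PROXY_BIN:-/opt/oauth2_proxy/oauth2_proxy}"   # assumed path
AZURE_TENANT="${AZURE_TENANT:-TENANT-ID-PLACEHOLDER}"
CLIENT_ID="${CLIENT_ID:-APPLICATION-ID-PLACEHOLDER}"
EMAIL_DOMAIN="${EMAIL_DOMAIN:-example.com}"
UPSTREAM="${UPSTREAM:-http://127.0.0.1:8080/}"

# Succeeds only if the file exists and grants no access to group or other.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Exports the KEY=VALUE pairs from the file; oauth2_proxy reads
# OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET from its environment.
load_secrets() {
    if ! secret_file_is_private "$1"; then
        echo "refusing $1: missing, or accessible by group/other" >&2
        return 1
    fi
    set -a; . "$1"; set +a
    if [ -z "${OAUTH2_PROXY_CLIENT_SECRET:-}" ] || [ -z "${OAUTH2_PROXY_COOKIE_SECRET:-}" ]; then
        echo "$1 must set OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET" >&2
        return 1
    fi
}

# Only non-secret settings go on the command line, which any local user can
# read with ps. The proxy listens on loopback, so remote clients must come
# through NGINX.
start_proxy() {
    load_secrets "$ENV_FILE" || return 1
    exec "$PROXY_BIN" \
        --provider=azure \
        --azure-tenant="$AZURE_TENANT" \
        --client-id="$CLIENT_ID" \
        --email-domain="$EMAIL_DOMAIN" \
        --upstream="$UPSTREAM" \
        --http-address=127.0.0.1:4180
}

case "${1:-}" in
    start) start_proxy ;;
esac
```

Create the secrets file as root with mode 600; the script refuses to start the proxy if the file is accessible by group or other, or if either secret is missing.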

Then make this file executable:

To improve this configuration, you can add the necessary script to your server's startup. Now, if you try to access the application URL, you will see the authentication page.

When you click the sign-in button, you will be redirected to the Azure authentication page to log in and authorize access (if you are not logged in). If you are already logged in, you will be redirected to the application page.


It’s fairly straightforward to configure this authentication mode. It’s important to provide access to applications only to users based in the Active Directory and to create separate rules to log in. The oauth2_proxy is a very useful open source tool that can be configured to work with multiple authentication providers.


Software Engineer with experience in analysis and development of systems. Free software enthusiast and apprentice of new tech.

