Log in to Argo CD using OIDC and Azure AD.

Configure a new Azure AD App registration

Add a new Azure AD App registration

  1. From the Azure Active Directory > App registrations menu, choose + New registration.
  2. Enter a Name for the application (e.g. "argocd").
  3. Specify who can use the application (e.g. Accounts in this organizational directory only).
  4. Under Redirect URI (optional), enter the following (replacing my-argo-cd-url with the external URL of your Argo CD), then choose Register.
  • Platform: Web
  • Redirect URI: https://<my-argo-cd-url>/auth/callback
  5. When registration finishes, the Azure portal displays the app registration's Overview pane. Note the Application (client) ID and the Directory (tenant) ID; both are needed for the Argo CD configuration below.

Configure an additional platform for the Argo CD CLI

  1. In the Azure portal, in App registrations, select your application.
  2. Under Manage, select Authentication.
  3. Under Platform configurations, select Add a platform.
  4. Under Configure platforms, select "Mobile and desktop applications".

Use exactly the value below. It must not be changed: when you run `argocd login --sso`, the CLI opens a temporary listener on localhost port 8085 to receive the SSO callback, so this is the only redirect URI Azure AD will accept for it.

  • Redirect URI: http://localhost:8085/auth/callback

Add credentials to the new Azure AD App registration

  1. From the Certificates & secrets menu, choose + New client secret.
  2. Enter a Description for the secret (e.g. ArgoCD-SSO) and pick an expiry.
  • Copy and save the generated Value (not the Secret ID) immediately; it is shown only once. This is the value for client_secret. Client secrets expire, so record the expiry date and plan to rotate the secret in argocd-secret before then.

Set up permissions for the Azure AD application

  1. From the API permissions menu, choose + Add a permission.
  2. Find the User.Read permission (under Microsoft Graph, Delegated permissions) and grant it to the created application.

  • From the Token configuration menu, choose + Add groups claim and select the group type to emit (e.g. Security groups) for the ID token. Argo CD reads the `groups` claim from the ID token, so this step is what makes the group-to-role mapping below work.
  • Caveat: Azure AD only includes the `groups` claim while the user belongs to a limited number of groups (200 for JWTs at the time of writing). Beyond that it emits a group "overage" pointer instead, which Argo CD does not follow, and group-based RBAC silently stops matching. For users with many group memberships, use "Groups assigned to the application" as the group type so only the relevant groups are emitted.

Associate an Azure AD group with your Azure AD App registration

  1. From the Azure Active Directory > Enterprise applications menu, search for the app that you created (e.g. argocd).
  • An Enterprise application with the same name as the Azure AD App registration is created automatically when you add a new App registration.
  2. From the Users and groups menu of the app, add any users or groups requiring access to the service.
  3. From the Properties menu of the app, set "Assignment required?" to Yes. Without this, every user in the tenant can authenticate to Argo CD (and receives whatever `policy.default` grants); with it, only the users and groups assigned in step 2 can log in.

Configure Argo CD to use the new Azure AD App registration

  1. Edit the argocd-cm ConfigMap and configure the data.url and data.oidc.config keys:

ConfigMap -> argocd-cm

data:
  url: https://argocd.example.com/ # Replace with the external base URL of your Argo CD
  oidc.config: |
    name: Azure
    issuer: https://login.microsoftonline.com/<tenant-id>/v2.0   # Directory (tenant) ID from the app registration Overview pane
    clientID: <application-client-id>                            # Application (client) ID from the same Overview pane
    clientSecret: $oidc.azure.clientSecret                       # reference to the key in argocd-secret, never the secret itself
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email

The issuer must match the `iss` claim in the ID token exactly, including the tenant ID and the `/v2.0` suffix with no stray whitespace; otherwise Argo CD rejects the token after the redirect.
  2. Edit the argocd-secret Secret and configure the data.oidc.azure.clientSecret key:

Secret -> argocd-secret

data:
  oidc.azure.clientSecret: <client secret value, base64-encoded> # e.g. the value stored in your key vault, run through base64 before pasting

Use `echo -n '<value>' | base64` so no trailing newline is encoded; a newline in the secret is a common cause of an "invalid client secret" error from Azure AD.

  3. Edit the argocd-rbac-cm ConfigMap to configure permissions. Use the group's Object ID from Azure AD as the subject when assigning roles:

ConfigMap -> argocd-rbac-cm

data:
  policy.default: role:readonly  # what every authenticated user gets; keep this read-only or empty, do not make admin the default
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    g, "<Object ID of the Azure AD group>", role:org-admin

By default Argo CD matches `g` subjects against the `groups` claim, so the subject has to be the group's Object ID (not its display name). To map an individual user instead, add `scopes: '[groups, email]'` to argocd-rbac-cm and use the user's email address as the subject; a user's Azure AD Object ID is not present in the claims Argo CD evaluates.
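When the login succeeds but a user lands in the wrong role, the quickest way to tell an Azure-side problem (missing groups claim, group overage, wrong tenant) from an Argo CD-side one (a typo in policy.csv) is to look at what the ID token actually carries. The following script is an added example for this post, not code from Argo CD or from the original write-up: it decodes a token payload offline, compares it with the argocd-cm values above, and evaluates the `g` lines of the policy.csv above against the `groups` claim. The tenant, client and group IDs and the two sample tokens are constructed placeholders. It does not verify the token signature, so it is a debugging aid for a token you copied from your own session, never an authorization check.

```python
"""Offline check of an Azure AD ID token against the Argo CD settings above.

Added example for this post; not part of Argo CD or the original write-up.
The token payload is decoded WITHOUT signature verification, so use this
only to inspect a token from your own session, never to make access decisions.
"""
import base64
import csv
import io
import json

# Assumed placeholders standing in for the values you put in argocd-cm.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# The argocd-rbac-cm policy from this post, with an assumed Azure AD group Object ID.
ADMIN_GROUP = "22222222-2222-2222-2222-222222222222"
POLICY_CSV = f"""
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, {ADMIN_GROUP}, role:org-admin
"""


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. No signature verification (see module docstring)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def group_roles(policy_csv: str) -> dict:
    """Map each `g` subject in an Argo CD policy.csv to the roles it is granted."""
    roles = {}
    for row in csv.reader(io.StringIO(policy_csv.strip()), skipinitialspace=True):
        if len(row) == 3 and row[0] == "g":
            roles.setdefault(row[1], []).append(row[2])
    return roles


def check_token(payload: dict, policy_csv: str) -> dict:
    """Report what Argo CD will see: issuer/audience match, groups, and the roles they map to.

    policy.default (role:readonly above) applies on top of the returned roles.
    """
    findings = []
    if payload.get("iss") != ISSUER:
        findings.append(f"issuer mismatch: got {payload.get('iss')!r}")
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        findings.append("aud does not contain the Argo CD client ID")
    groups = payload.get("groups")
    if groups is None:
        if "groups" in payload.get("_claim_names", {}):
            # Azure AD replaces `groups` with a Graph pointer once the user is in too many
            # groups; Argo CD does not follow it, so no group-based role can match.
            findings.append("group overage: `groups` omitted, _claim_names present")
        else:
            findings.append("no `groups` claim: add the groups claim under Token configuration")
        groups = []
    roles = group_roles(policy_csv)
    granted = sorted({r for g in groups for r in roles.get(g, [])})
    return {"ok": not findings, "findings": findings, "groups": groups, "roles": granted}


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens: one healthy, one showing the group-overage failure mode.
GOOD_TOKEN = make_unsigned_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-sub",
    "preferred_username": "alice@example.com", "groups": [ADMIN_GROUP],
})
OVERAGE_TOKEN = make_unsigned_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-sub",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/constructed/getMemberObjects"}},
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(name, json.dumps(check_token(decode_payload(tok), POLICY_CSV), indent=2))
```

To use it on a real token, replace the placeholder IDs with your own, paste the ID token into `decode_payload`, and read the `findings` list: an issuer mismatch points at the argocd-cm, a missing or overage `groups` claim points at the Azure AD Token configuration, and an empty `roles` list with groups present means the Object ID in policy.csv does not match what Azure AD emits.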

Final check

Bingo: a "Log in via Azure" button now appears on the Argo CD login page.

Let's check that we can log in via Azure. After the redirect back from Azure AD, open User Info in the Argo CD UI and confirm that the expected group Object IDs are listed under Groups; if they are missing, the groups claim or the group assignment in the Enterprise application is the place to look.

And bingo again: everything is set up and working.