With Microsoft Entra
- Last Updated: April 14, 2026
- 3 minute read
- MarkLogic Server
- Version 11.0
- Documentation
You can set up MarkLogic Server to use the vendor Microsoft Entra (formerly Azure Active Directory) as your OAuth external agent.
To set up Microsoft Entra to properly interface with MarkLogic Server, follow these steps while noting the information that you will need later as you go along:
-
Register with Microsoft Entra to obtain a tenancy.
-
Create groups and users:
-
Create users through the Users page.
-
Create groups through the Groups page.
-
Note the group UUIDs. You will use these as external names during role configuration.
-
-
Add the created users to the proper groups.
-
-
Register your application with Microsoft Entra:
-
Note the Application ID URI for external security object configuration.
-
Note the Tenant ID for external security object configuration.
-
-
Customize the payload of the JWT Token to include groups by changing your application’s Manifest section optionalClaims field to this:
"optionalClaims": { "idToken": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [] } ], "accessToken": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [] } ], "saml2Token": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [] } ] } -
Obtain public keys and their corresponding key IDs from Microsoft Entra:
-
Go to
https://login.microsoftonline.com/<your-tenant-UUID>/discovery/v2.0/keys. On the page that appears, each entry in the keys array is a public key containing kid as the key ID. -
Convert each entry in the keys array from JWK to PEM format using any public access tool.
-
Note the key ID for external security object configuration.
-
Note the PEM-converted public key for external security object configuration.
-
Note:
The JWT Secrets field secures both symmetric and asymmetric signature keys.Note:
[v11.3.2 and up] You can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys. -
Microsoft Entra is now set up to integrate with MarkLogic Server, and you have the information that you need to configure MarkLogic Server external security.
This table shows how the elements that you noted from Microsoft Entra map to fields on the MarkLogic Server External Security configuration page in the Admin Interface and includes the values used in the example setups:
Microsoft Entra element |
External Security configuration page field |
|---|---|
Application ID URI EXAMPLE: |
OAuth Client ID |
Tenant ID EXAMPLE: |
OAuth JWT Issuer URI |
Name claim EXAMPLE: |
OAuth Username Attribute |
Groups claim EXAMPLE: |
OAuth Role Attribute |
JWT Secrets kid keys array EXAMPLE (one kid/keys pair): kid: keys: <PEM-converted key> Note: |
OAuth JWT Secrets Secret Key ID Secret Value |
(Optional) EXAMPLE: Note: |
OAuth JWKS URI |
You will also assign Microsoft Entra group UUIDs to MarkLogic Server roles as external names. Microsoft Entra groups are analogous to MarkLogic Server roles.
EXAMPLE (of one): 7228762e-cb30-428a-ae1a-3a8cf9e2f728
You can now set up MarkLogic Server integration through one of the methods described in this section.