Entra ID Configuration

Configure an App Registration in Microsoft Entra ID for OIDC authentication with RedFox Bastion.

1. Create App Registration

  1. Go to Entra admin center > Microsoft Entra ID > App registrations > New registration
  2. Name: RedFox Bastion
  3. Supported account types: Single tenant
  4. Redirect URI: platform Web, URI https://your-bastion-host/auth/callback
  5. Click Register

2. Note the identifiers

From the Overview tab, copy:

  Overview field             RedFox setting
  Application (client) ID    REDFOX_OIDC_CLIENT_ID
  Directory (tenant) ID      REDFOX_OIDC_TENANT_ID

3. Create a client secret

  1. Go to Certificates & secrets > New client secret
  2. Description: RedFox Bastion, expiry: 24 months
  3. Copy the Value immediately — you will paste it into the Setup Wizard during RedFox configuration (it won't be shown again)

4. API permissions

RedFox Bastion only needs basic OIDC scopes. No Microsoft Graph API permissions are required.

  • openid — required for OIDC
  • profile — user display name
  • email — user email for audit logs

These are delegated permissions, pre-consented. No admin consent required.

5. Configure RedFox via Setup Wizard

After installation, open the RedFox web UI. The Setup Wizard will guide you through the configuration:

  1. Enter your license key
  2. Paste the Application (client) ID, Directory (tenant) ID, and Client secret from the steps above
  3. Set the Redirect URI (e.g. https://your-bastion-host/auth/callback); it must match the URI registered in step 1 exactly, since Entra ID rejects sign-in requests whose redirect URI is not registered
  4. The wizard validates the OIDC configuration and saves it securely

No manual .env editing required. All configuration is handled through the web-based Setup Wizard, which encrypts secrets at rest.
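The checks below are an added example, not RedFox Bastion's own code, written to show what a sound OIDC configuration for sections 4 and 5 looks like from the relying party's side: the discovery URL and issuer derived from the tenant ID, the authorization request carrying exactly the three scopes above, a redirect URI check, and the ID token claim checks (issuer pinned to the single tenant, audience equal to the client ID, nonce, expiry) that any bastion should perform after verifying the token signature. It assumes the v2.0 endpoints of login.microsoftonline.com; the tenant ID, client ID and host are constructed placeholders.

```python
"""Entra ID OIDC sanity checks for a single-tenant relying party.

Added example, not RedFox Bastion's code. Assumes the v2.0 endpoints of
login.microsoftonline.com. All identifiers below are constructed placeholders.
"""
from urllib.parse import urlencode, urlparse

LOGIN_HOST = "https://login.microsoftonline.com"
# The only scopes the guide requires: no Microsoft Graph permissions.
SCOPES = ("openid", "profile", "email")


def discovery_url(tenant_id: str) -> str:
    """OpenID Connect discovery document for one tenant (v2.0)."""
    return f"{LOGIN_HOST}/{tenant_id}/v2.0/.well-known/openid-configuration"


def expected_issuer(tenant_id: str) -> str:
    """Issuer a single-tenant app must see in every ID token."""
    return f"{LOGIN_HOST}/{tenant_id}/v2.0"


def validate_redirect_uri(uri: str) -> list:
    """Return a list of problems with the callback URI to be registered."""
    problems = []
    p = urlparse(uri)
    if p.scheme != "https" and p.hostname not in ("localhost", "127.0.0.1"):
        problems.append("redirect URI must use https")
    if p.fragment:
        problems.append("redirect URI must not contain a fragment")
    if not p.path or p.path == "/":
        problems.append("redirect URI should point at the callback path")
    return problems


def authorization_url(tenant_id: str, client_id: str, redirect_uri: str,
                      state: str, nonce: str) -> str:
    """Authorization-code request with the three OIDC scopes from the guide."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,   # CSRF protection, bound to the browser session
        "nonce": nonce,   # replay protection, echoed back in the ID token
    }
    return f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def check_id_token_claims(claims: dict, tenant_id: str, client_id: str,
                          nonce: str, now: int) -> list:
    """Claim checks to run after the JWT signature has been verified.

    Pinning iss/tid to the configured tenant is what makes the app
    single-tenant in practice: a token issued by another tenant is rejected.
    """
    problems = []
    if claims.get("iss") != expected_issuer(tenant_id):
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured tenant")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the client ID")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    tenant = "11111111-2222-3333-4444-555555555555"
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    callback = "https://your-bastion-host/auth/callback"
    print(discovery_url(tenant))
    print(validate_redirect_uri(callback))
    print(authorization_url(tenant, client, callback, "st8", "n0nce"))
    good = {"iss": expected_issuer(tenant), "tid": tenant, "aud": client,
            "nonce": "n0nce", "exp": 2_000_000_000}
    print(check_id_token_claims(good, tenant, client, "n0nce", 1_700_000_000))
```

The issuer and `tid` checks are the ones worth keeping in mind when reviewing a deployment: a relying party that accepts `https://login.microsoftonline.com/common/v2.0` as issuer, or skips the `aud` comparison, has silently become multi-tenant regardless of what the App Registration says.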

6. Test authentication

After completing the Setup Wizard, open the web UI and click Sign in with Microsoft. You should be redirected to the Entra ID login page and back to the dashboard after authentication.