How to Set up Azure Active Directory as OIDC Provider for Your Harbor Container Registry

This guide will walk you through the setup of Harbor with Azure AD (Azure Active Directory) using OIDC (OpenID Connect).

The other tutorial explains what you should do in your Container Registry instance if you want to use OIDC authentication in general. However, before doing anything in Container Registry, you need to complete the configuration on the provider side.

Prerequisites

You need a custom domain on Container Registry.

1 - In Azure Active Directory

Go to Azure Active Directory –> App Registrations –> New Registration and name it as you like (e.g. 8gears container registry).

Choose accounts in this organizational directory only (though your use case may vary)

Redirect URI: Web <– This is important. Set the value to: https://YOUR-CORE-HARBOR-DOMAIN/c/oidc/callback. This value is also shown at the bottom of the Configuration –> Authentication tab in the Harbor dashboard.

Make a note of the Application (client) ID and the Directory (tenant) ID.

Click Certificates & secrets –> Client secrets –> +New client secret. Set the expiration to whenever you want to rotate it. Copy this value.

2 - Harbor OIDC Configuration

In the Harbor dashboard go to Configuration –> Authentication.

  • Auth Mode –> OIDC
  • OIDC Endpoint –> https://login.microsoftonline.com/TENANT ID FROM ABOVE/v2.0
  • OIDC Client ID –> CLIENT ID FROM ABOVE
  • OIDC Client Secret –> SECRET FROM ABOVE
  • Group Claim Name –> groups
  • OIDC Scope –> openid,email,profile,offline_access

Save it.

This will now enable a Groups tab in the Harbor dashboard. It’s going to be populated with the Azure AD Object ID of the groups found. I believe it’s populated with groups found by users who log in.

Have your users go to the Harbor dashboard login screen and choose LOGIN VIA OIDC PROVIDER. Users can then choose their username in Harbor. The prefilled suggestion defaults to Firstname_Lastname.

Once logged in, users have access to basically nothing until you add them to Projects. Add an Azure AD group's Object ID to a project and the users in that group now have the specified level of access to that Harbor project. Group names don't work - you have to use the Object ID.
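As an added example (not part of the original guide), the Python below builds the two values that must agree between Azure AD and Harbor (the OIDC Endpoint and the redirect URI) and inspects the claims of an ID token the way you would when debugging a failed login or an empty Groups tab: the issuer must match the configured endpoint, the audience must be your client ID, and the `groups` claim carries group Object IDs rather than names, which is why Harbor project membership has to be mapped by Object ID. The tenant, client and group IDs and the harbor.example.com domain are constructed placeholders.

```python
import base64
import json
import re

# Constructed placeholder values (not from the guide): a fake tenant, client ID and domain.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
HARBOR_DOMAIN = "harbor.example.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def oidc_endpoint(tenant_id):
    """The 'OIDC Endpoint' value for Harbor: the Azure AD v2.0 issuer for this tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def redirect_uri(harbor_domain):
    """The 'Redirect URI (Web)' value to enter in the Azure app registration."""
    return f"https://{harbor_domain}/c/oidc/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_id_token(claims):
    """Build an unsigned JWT from constructed claims so the checker runs offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_payload(token):
    """Decode the payload only. The signature is NOT verified here (Harbor does that
    against the provider's JWKS), so use this for inspection, never for trust decisions."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, tenant_id, client_id):
    """Return the problems that would explain a failed login or an empty Groups tab."""
    problems = []
    if claims.get("iss") != oidc_endpoint(tenant_id):
        problems.append("iss does not match the configured OIDC Endpoint")
    if claims.get("aud") != client_id:
        problems.append("aud is not this app registration's client ID")
    groups = claims.get("groups") or []
    if not groups:
        problems.append("no groups claim: nothing for Harbor to map to project members")
    for g in groups:
        if not GUID_RE.match(g):
            problems.append(f"group {g!r} is a name, not an Object ID; Harbor matches on Object IDs")
    return problems
```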

Once logged in, users can go to their User Profile and grab the CLI secret, which is what they should use with their local docker/podman client to push/pull images from the projects they have access to.