@krarey
Last active October 7, 2022 00:05
Authenticate Consul administrative users using Azure Active Directory
# Register Azure AD as an OIDC auth method; issued tokens are global and expire after 24h.
consul acl auth-method create \
  -type=oidc \
  -token-locality=global \
  -name=azure \
  -max-token-ttl=24h \
  -display-name="Azure Active Directory" \
  -config=@oidc-config.json
# Role carrying the built-in global-management policy (full cluster access).
consul acl role create \
  -name="oidc-admin" \
  -description="Global Management policy for OIDC admins" \
  -policy-id="global-management"
# Bind the role only to users whose token lists the admin security group.
# 'list.groups' resolves through ListClaimMappings in oidc-config.json.
consul acl binding-rule create \
  -bind-name='oidc-admin' \
  -bind-type=role \
  -description="Global Management login for OIDC admins" \
  -method=azure \
  -selector='"<Admin Security Group ID>" in list.groups'
# The above requires that the 'groups' optional claim is added to the AAD app registration's access token config.
# Note: when a user belongs to more groups than AAD will emit in a token, the groups claim is replaced
# by an overage pointer and this selector will not match.
{
  "AllowedRedirectURIs": [
    "http://localhost:8550/oidc/callback",
    "http://localhost:8500/ui/oidc/callback",
    "https://<Consul URL>:8501/ui/oidc/callback"
  ],
  "BoundAudiences": [
    "<Client ID>"
  ],
  "ClaimMappings": {
    "name": "user"
  },
  "ListClaimMappings": {
    "groups": "groups"
  },
  "OIDCScopes": [
    "profile"
  ],
  "OIDCClientID": "<Client ID>",
  "OIDCClientSecret": "<Client Secret>",
  "OIDCDiscoveryURL": "https://login.microsoftonline.com/<Tenant ID>/v2.0"
}
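A pre-flight check for this setup, added here and not part of the gist: decode an Azure AD access token's payload and report whether the BoundAudiences check and the `"<Admin Security Group ID>" in list.groups` selector would pass, including the case where AAD omits the groups claim because of group overage. The group and client IDs and both tokens are constructed placeholders, and `decode_payload` does no signature verification (Consul does that); it is only for inspecting a token you already hold.

```python
import base64
import json

# Constructed placeholders for the gist's "<Admin Security Group ID>" and "<Client ID>".
ADMIN_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_ID = "00000000-0000-0000-0000-00000000c11d"

def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; no signature check is done here
    (Consul verifies the token against the OIDC discovery document)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def binding_problems(payload: dict, admin_group_id: str = ADMIN_GROUP_ID,
                     client_id: str = CLIENT_ID) -> list:
    """Mirror what the gist's config relies on: 'aud' must match BoundAudiences and
    the selector needs a list-valued groups claim containing the admin group."""
    problems = []
    aud = payload.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match BoundAudiences; login is rejected")
    if "groups" not in payload:
        if "groups" in payload.get("_claim_names", {}):
            # AAD replaces the list with an overage pointer when the user is in
            # more groups than fit in the token; the selector can never match.
            problems.append("groups overage: claim omitted, selector cannot match")
        else:
            problems.append("no groups claim: enable the optional claim on the app registration")
    elif not isinstance(payload["groups"], list):
        problems.append("groups is not a list; ListClaimMappings needs a list claim")
    elif admin_group_id not in payload["groups"]:
        problems.append("user is not in the admin group; no role is bound")
    return problems  # empty list means the oidc-admin role would bind

def fake_jwt(payload: dict) -> str:
    """Build an unsigned, constructed token for the demo; not a real AAD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."

ADMIN_TOKEN = fake_jwt({"aud": CLIENT_ID, "name": "Alice Admin",
                        "groups": [ADMIN_GROUP_ID, "00000000-0000-0000-0000-00000000bbbb"]})
OVERAGE_TOKEN = fake_jwt({"aud": CLIENT_ID, "name": "Bob", "_claim_names": {"groups": "src1"},
                          "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/<placeholder>"}}})

if __name__ == "__main__":
    for token in (ADMIN_TOKEN, OVERAGE_TOKEN):
        print(binding_problems(decode_payload(token)) or ["ok: oidc-admin would bind"])
```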