This feature is a part of Keep Enterprise.

Talk to us to get access: https://www.keephq.dev/meet-keep

Keep supports enterprise authentication through Microsoft Entra ID (formerly known as Azure AD; this page uses both names), enabling organizations to use their existing Microsoft identity platform for secure access management.

When to Use

  • Microsoft Environment: If your organization uses Microsoft 365 or Azure services, Azure AD integration provides seamless authentication.
  • Enterprise SSO: Leverage Azure AD’s Single Sign-On capabilities for unified access management.

Setup Instructions (on Azure AD)

Creating an Azure AD Application

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID > App registrations > New registration
  3. Configure the application:
    • Name: “Keep”

Note that we are using “Register an application to integrate with Microsoft Entra ID (App you’re developing)” because you are self-hosting Keep and need direct control over the authentication flow and permissions of your own instance. The cloud/managed version does not need this step, since Keep’s team has already configured a centralized application registration.

    • Supported account types: “Single tenant”

We recommend “Single tenant”: it restricts sign-in to users within your own directory. A multi-tenant registration would let a user from any Entra ID directory sign in to your Keep instance, so use it only if you have a specific cross-organization requirement.

    • Redirect URI: platform “Web”, plus your redirect URI

We use the “Web” platform rather than “Single-page application (SPA)” because Keep’s backend completes the authorization-code flow as a confidential client, authenticating to Entra ID with the client secret. The code is exchanged for tokens server-side, so access and refresh tokens are never handed to the browser, and token validation and refresh handling happen on the server rather than in a public client that must keep tokens in the browser.

For localhost, the redirect URI is http://localhost:3000/api/auth/callback/microsoft-entra-id

For production, it should be https://your_keep_frontend_domain/api/auth/callback/microsoft-entra-id (Entra ID only accepts plain http for localhost, and the registered URI must match the callback exactly, including the path).

  4. Finally, click “Register”

Configure Authentication

After the application is created, configure its credentials:

  1. Go to “App registrations” -> “All applications”
  2. Click your application -> “Add a certificate or secret”
  3. Click “New client secret”, give it a description and choose an expiry
  4. Copy the “Value” column right away; it is shown only once, and it is what we use later as KEEP_AZUREAD_CLIENT_SECRET (not the “Secret ID”)

Client secrets expire (the portal offers up to 24 months), so record the expiry date and rotate the secret, updating KEEP_AZUREAD_CLIENT_SECRET, before it lapses; once the secret expires, the backend can no longer exchange authorization codes and every sign-in to Keep fails.

Configure Groups

Keep maps Azure AD groups to roles with two default groups:

  1. Admin Group (read + write)
  2. NOC Group (read only)

To create them, go to Groups -> All groups -> New group and create two groups of type “Security” (the groups claim configured below only emits security groups), then add the relevant users as members.

Keep the Object ID of each group and use it as KEEP_AZUREAD_ADMIN_GROUP_ID and KEEP_AZUREAD_NOC_GROUP_ID respectively. Matching is done on the Object ID, not the display name, so copy the ID exactly.

Configure Group Claims

  1. Navigate to Token configuration
  2. Click “Add groups claim”:
    • Select “Security groups” and “Groups assigned to the application”
    • Choose “Group ID” as the claim value

Two caveats. If you rely on “Groups assigned to the application”, the two Keep groups must also be assigned to the application under Enterprise applications -> Keep -> Users and groups, otherwise they are not emitted in the token. Also, Entra ID drops the groups claim entirely and emits an overage marker (_claim_names and _claim_sources) when a user belongs to more than 200 groups in a JWT; restricting the claim to groups assigned to the application avoids this for users in many groups.

Configure Application Scopes

  1. Go to “Expose an API” and click “Add a scope”
  2. Keep the default Application ID URI (api://<your client ID>) and click “Save and continue”
  3. Enter “default” as the scope name, and give it a display name and description
  4. Finally, click “Add scope”

Setup Instructions (on Keep)

After you have configured Azure AD, you should have the following:

  1. Azure AD Tenant ID: shown as “Directory (tenant) ID” on the app registration’s Overview page
  2. Azure AD Client ID: shown as “Application (client) ID” on the same Overview page
  3. Azure AD Client Secret: see Configure Authentication
  4. Azure AD Group IDs for Admins and NOC (read only): see Configure Groups

Configuration

Frontend

  Environment Variable         Description                                                        Required   Default
  AUTH_TYPE                    Set to ‘AZUREAD’ for Azure AD authentication                       Yes        -
  KEEP_AZUREAD_CLIENT_ID       Your Azure AD application (client) ID                              Yes        -
  KEEP_AZUREAD_CLIENT_SECRET   Your client secret (the “Value” copied when it was created)        Yes        -
  KEEP_AZUREAD_TENANT_ID       Your Azure AD tenant ID                                            Yes        -
  NEXTAUTH_URL                 Your Keep application URL (the origin of the redirect URI above)   Yes        -
  NEXTAUTH_SECRET              Random secret NextAuth.js uses to sign session cookies; generate   Yes        -
                               it with a CSPRNG (for example openssl rand -base64 32)

Backend

  Environment Variable         Description                                       Required   Default
  AUTH_TYPE                    Set to ‘AZUREAD’ for Azure AD authentication      Yes        -
  KEEP_AZUREAD_TENANT_ID       Your Azure AD tenant ID                           Yes        -
  KEEP_AZUREAD_CLIENT_ID       Your Azure AD application (client) ID             Yes        -
  KEEP_AZUREAD_ADMIN_GROUP_ID  The group ID of Keep Admins (read + write)        Yes        -
  KEEP_AZUREAD_NOC_GROUP_ID    The group ID of Keep NOC (read only)              Yes        -
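The following is an added example, not Keep’s own code, showing how the backend settings in the table above and the group claim configured under Configure Group Claims fit together: it pins the tenant, checks the audience, refuses the group-overage case instead of misreading it as “no groups”, and maps the two group Object IDs to the admin and NOC roles. The environment variable names and the tid, aud, groups, _claim_names and _claim_sources claims are real; the class and function names, the role strings and all GUIDs are constructed for the illustration. It assumes the token’s signature, issuer and expiry have already been verified against the tenant’s signing keys.

```python
import os
from typing import Mapping, Optional


class EntraAuthError(Exception):
    """Raised when a token must be rejected outright."""


class EntraConfig:
    """The four backend settings from the table above, read from an environment mapping.

    The variable names are Keep's; this class is part of the added example.
    """

    def __init__(self, env: Mapping[str, str]):
        self.tenant_id = env["KEEP_AZUREAD_TENANT_ID"]
        self.client_id = env["KEEP_AZUREAD_CLIENT_ID"]
        # Object IDs are GUID strings; normalise case once so comparison is exact.
        self.admin_group_id = env["KEEP_AZUREAD_ADMIN_GROUP_ID"].lower()
        self.noc_group_id = env["KEEP_AZUREAD_NOC_GROUP_ID"].lower()

    @classmethod
    def from_env(cls) -> "EntraConfig":
        return cls(os.environ)


def role_from_claims(claims: Mapping[str, object], cfg: EntraConfig) -> Optional[str]:
    """Return "admin", "noc", or None (authenticated but holding no Keep role).

    Assumes signature, issuer and expiry were already verified; only the
    authorization checks are applied here.
    """
    # Tenant pin: the registration is single-tenant, but checking `tid` here means a
    # later switch to multi-tenant cannot silently admit users from other directories.
    if claims.get("tid") != cfg.tenant_id:
        raise EntraAuthError("token issued by another tenant")

    # Audience: v2.0 access tokens carry the client ID, v1.0 tokens carry the
    # Application ID URI (api://<client-id>) from "Expose an API".
    if claims.get("aud") not in {cfg.client_id, f"api://{cfg.client_id}"}:
        raise EntraAuthError("token not issued for this application")

    # Group overage: beyond 200 groups (JWT) Entra ID omits `groups` and emits
    # `_claim_names`/`_claim_sources`. Reading that as "no groups" would silently
    # strip an admin's role, so treat it as an error instead.
    if "groups" not in claims and "_claim_names" in claims:
        raise EntraAuthError("groups claim overage; emit only assigned groups or query Graph")

    groups = {str(g).lower() for g in claims.get("groups", [])}
    if cfg.admin_group_id in groups:
        return "admin"  # read + write; wins when a user is in both groups
    if cfg.noc_group_id in groups:
        return "noc"    # read only
    return None


# Constructed sample values: not real tenants, applications or groups.
SAMPLE_ENV = {
    "KEEP_AZUREAD_TENANT_ID": "11111111-1111-1111-1111-111111111111",
    "KEEP_AZUREAD_CLIENT_ID": "22222222-2222-2222-2222-222222222222",
    "KEEP_AZUREAD_ADMIN_GROUP_ID": "33333333-3333-3333-3333-333333333333",
    "KEEP_AZUREAD_NOC_GROUP_ID": "44444444-4444-4444-4444-444444444444",
}


def demo() -> dict:
    """Run the checks over a few constructed token payloads and collect the outcomes."""
    cfg = EntraConfig(SAMPLE_ENV)
    base = {"tid": cfg.tenant_id, "aud": cfg.client_id}
    admin, noc = SAMPLE_ENV["KEEP_AZUREAD_ADMIN_GROUP_ID"], SAMPLE_ENV["KEEP_AZUREAD_NOC_GROUP_ID"]
    results = {
        "admin": role_from_claims({**base, "groups": [admin]}, cfg),
        "noc": role_from_claims({**base, "groups": [noc]}, cfg),
        "both": role_from_claims({**base, "groups": [noc, admin]}, cfg),
        "no_role": role_from_claims({**base, "groups": ["55555555-5555-5555-5555-555555555555"]}, cfg),
    }
    rejected = {
        "other_tenant": {**base, "tid": "99999999-9999-9999-9999-999999999999", "groups": [admin]},
        "wrong_aud": {**base, "aud": "00000000-0000-0000-0000-000000000000", "groups": [admin]},
        "overage": {**base, "_claim_names": {"groups": "src1"},
                    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/x/getMemberObjects"}}},
    }
    for name, payload in rejected.items():
        try:
            role_from_claims(payload, cfg)
            results[name] = "accepted"
        except EntraAuthError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13} {outcome}")
```

The ordering of the checks matters: tenant and audience are rejected before any group lookup, so a token that is valid for some other application in the same tenant never reaches the role mapping, and an overage token fails closed rather than landing a real admin in the read-only role.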

Features and Limitations

Supported Features

  • Single Sign-On (SSO)
  • Role-based access control through Azure AD groups
  • Multi-factor authentication (when configured in Azure AD)

Limitations

See Overview