Keep Cloud: ✅
Keep Enterprise On-Premises: ✅
Keep Open Source: ⛔️
Keep supports enterprise authentication through Azure Entre ID (formerly known as Azure AD), enabling organizations to use their existing Microsoft identity platform for secure access management.

When to Use

  • Microsoft Environment: If your organization uses Microsoft 365 or Azure services, Azure AD integration provides seamless authentication.
  • Enterprise SSO: Leverage Azure AD’s Single Sign-On capabilities for unified access management.

Setup Instructions (on Azure AD)

Creating an Azure AD Application

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID > App registrations > New registration
Azure AD App Registration
  1. Configure the application:
    • Name: “Keep”
Note that we are using “Register an application to integrate with Microsoft Entra ID (App you’re developing)” since you’re self-hosting Keep and need direct control over the authentication flow and permissions for your specific instance - unlike the cloud/managed version where Keep’s team has already configured a centralized application registration.
Azure AD App Registration
  1. Configure the application (continue)
  • Supported account types: “Single tenant”
We recommend using “Single tenant” for enhanced security as it restricts access to users within your organization only. While multi-tenant configuration is possible, it would allow users from any Azure AD directory to access your Keep instance, which could pose security risks unless you have specific cross-organization requirements.
  • Redirect URI: “Web” + your redirect URI
We use “Web” platform instead of “Single Page Application (SPA)” because Keep’s backend handles the authentication flow using client credentials/secrets, which is more secure than the implicit flow used in SPAs. This prevents exposure of tokens in the browser and provides stronger security through server-side token validation and refresh token handling.
For localhost, the redirect would be http://localhost:3000/api/auth/callback/microsoft-entra-idFor production, it should be something like http://your_keep_frontend_domain/api/auth/callback/microsoft-entra-id
Azure AD App Registration
  1. Finally, click “register”

Configure Authentication

After we created the application, let’s configure the authentication.
  1. Go to “App Registrations” -> “All applications”
Azure AD Authentication Configuration
  1. Click on your application -> “Add a certificate or secret”
Azure AD Authentication Configuration
  1. Click on “New client secret” and give it a name
Azure AD Authentication Configuration
  1. Keep the “Value”, we will use it soon as KEEP_AZUREAD_CLIENT_SECRET
Azure AD Authentication Configuration

Configure Groups

Keep maps Azure AD groups to roles with two default groups:
  1. Admin Group (read + write)
  2. NOC Group (read only)
To create those groups, go to Groups -> All groups and create two groups:
Azure AD Authentication Configuration
Keep the Object id of these groups and use it as KEEP_AZUREAD_ADMIN_GROUP_ID and KEEP_AZUREAD_NOC_GROUP_ID.

Configure Group Claims

  1. Navigate to Token configuration
Azure AD Authentication Configuration
  1. Add groups claim:
    • Select “Security groups” and “Groups assigned to the application”
    • Choose “Group ID” as the claim value
Azure AD Authentication Configuration
Azure AD Authentication Configuration

Configure Application Scopes

  1. Go to “Expose an API” and click on “Add a scope”
Azure AD Authentication Configuration
  1. Keep the default Application ID and click “Save and continue”
Azure AD Authentication Configuration
  1. Add “default” as scope name, also give a display name and description
Azure AD Authentication Configuration
  1. Finally, click “Add scope”
Azure AD Authentication Configuration

Setup Instructions (on Keep)

After you configured Azure AD you should have the following:
  1. Azure AD Tenant ID
  2. Azure AD Client ID
How to get:
Azure AD Authentication Configuration
  1. Azure AD Client Secret See Configure Authentication.
  2. Azure AD Group ID’s for Admins and NOC (read only) See Configure Groups.

Configuration

Frontend

Environment VariableDescriptionRequiredDefault Value
AUTH_TYPESet to ‘AZUREAD’ for Azure AD authenticationYes-
KEEP_AZUREAD_CLIENT_IDYour Azure AD application (client) IDYes-
KEEP_AZUREAD_CLIENT_SECRETYour client secretYes-
KEEP_AZUREAD_TENANT_IDYour Azure AD tenant IDYes-
NEXTAUTH_URLYour Keep application URLYes-
NEXTAUTH_SECRETRandom string for NextAuth.jsYes-

Backend

Environment VariableDescriptionRequiredDefault Value
AUTH_TYPESet to ‘AZUREAD’ for Azure AD authenticationYes-
KEEP_AZUREAD_TENANT_IDYour Azure AD tenant IDYes-
KEEP_AZUREAD_CLIENT_IDYour Azure AD application (client) IDYes-
KEEP_AZUREAD_ADMIN_GROUP_IDThe group ID of Keep Admins (read write)Yes-
KEEP_AZUREAD_NOC_GROUP_IDThe group ID of Keep NOC (read only)Yes-

Features and Limitations

Supported Features

  • Single Sign-On (SSO)
  • Role-based access control through Azure AD groups
  • Multi-factor authentication (when configured in Azure AD)

Limitations

See Overview