Keep Cloud: ✅
Keep Enterprise On-Premises: ✅
Keep Open Source: ⛔️
Keep supports enterprise authentication through Azure Entra ID (formerly known as Azure AD), enabling organizations to use their existing Microsoft identity platform for secure access management.
We recommend using “Single tenant” for enhanced security as it restricts access to users within your organization only. While multi-tenant configuration is possible, it would allow users from any Azure AD directory to access your Keep instance, which could pose security risks unless you have specific cross-organization requirements.
We use “Web” platform instead of “Single Page Application (SPA)” because Keep’s backend handles the authentication flow using client credentials/secrets, which is more secure than the implicit flow used in SPAs. This prevents exposure of tokens in the browser and provides stronger security through server-side token validation and refresh token handling.
For localhost, the redirect would be http://localhost:3000/api/auth/callback/microsoft-entra-id
For production, it should be something like http://your_keep_frontend_domain/api/auth/callback/microsoft-entra-id
After creating the application, configure the authentication.
KEEP_AZUREAD_CLIENT_SECRET
Keep maps Azure AD groups to roles with two default groups:
To create those groups, go to Groups -> All groups and create two groups:
Keep the Object ID of each group and use them as KEEP_AZUREAD_ADMIN_GROUP_ID and KEEP_AZUREAD_NOC_GROUP_ID.
After you have configured Azure AD, you should have the following:
How to get:
Environment Variable | Description | Required | Default Value |
---|---|---|---|
AUTH_TYPE | Set to ‘AZUREAD’ for Azure AD authentication | Yes | - |
KEEP_AZUREAD_CLIENT_ID | Your Azure AD application (client) ID | Yes | - |
KEEP_AZUREAD_CLIENT_SECRET | Your client secret | Yes | - |
KEEP_AZUREAD_TENANT_ID | Your Azure AD tenant ID | Yes | - |
NEXTAUTH_URL | Your Keep application URL | Yes | - |
NEXTAUTH_SECRET | Random string for NextAuth.js | Yes | - |
Environment Variable | Description | Required | Default Value |
---|---|---|---|
AUTH_TYPE | Set to ‘AZUREAD’ for Azure AD authentication | Yes | - |
KEEP_AZUREAD_TENANT_ID | Your Azure AD tenant ID | Yes | - |
KEEP_AZUREAD_CLIENT_ID | Your Azure AD application (client) ID | Yes | - |
KEEP_AZUREAD_ADMIN_GROUP_ID | The group ID of Keep Admins (read write) | Yes | - |
KEEP_AZUREAD_NOC_GROUP_ID | The group ID of Keep NOC (read only) | Yes | - |
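The single-tenant restriction and the group-to-role mapping described on this page, sketched as an added example (not Keep's own code). It assumes the token signature has already been verified and that the app registration emits the `groups` claim in v2.0 tokens; the role names `admin` and `noc` and all function names are hypothetical.

```python
import os
import uuid

class AuthorizationError(Exception):
    """Raised when verified token claims must not be granted a Keep role."""

IDS = ("KEEP_AZUREAD_TENANT_ID", "KEEP_AZUREAD_ADMIN_GROUP_ID",
       "KEEP_AZUREAD_NOC_GROUP_ID")

def load_settings(env=os.environ):
    """Read the three IDs from the environment and reject malformed values."""
    cfg = {}
    for name in IDS:
        try:
            cfg[name] = str(uuid.UUID(env[name]))  # normalises case and format
        except (KeyError, ValueError):
            raise AuthorizationError(f"{name} is missing or not a GUID") from None
    if cfg[IDS[1]] == cfg[IDS[2]]:
        raise AuthorizationError("admin and NOC group IDs must differ")
    return cfg

def resolve_role(claims, cfg):
    """Map signature-verified token claims to a role (names are assumptions)."""
    tenant = cfg["KEEP_AZUREAD_TENANT_ID"]
    # Single-tenant enforcement: both tid and the v2.0 issuer must match.
    if str(claims.get("tid", "")).lower() != tenant:
        raise AuthorizationError("token issued for a different tenant")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        raise AuthorizationError("unexpected issuer")
    # Group overage: the "groups" claim is omitted and _claim_names points to
    # Graph instead. Fail closed rather than treating the user as ungrouped.
    if "groups" in claims.get("_claim_names", {}):
        raise AuthorizationError("groups overage: resolve membership via Graph")
    groups = {str(g).lower() for g in claims.get("groups", [])}
    if cfg["KEEP_AZUREAD_ADMIN_GROUP_ID"] in groups:
        return "admin"  # read-write wins when a user is in both groups
    if cfg["KEEP_AZUREAD_NOC_GROUP_ID"] in groups:
        return "noc"    # read-only
    raise AuthorizationError("user is in neither Keep group")

if __name__ == "__main__":
    # Constructed sample values, not real tenant or group IDs.
    t, a, n = (str(uuid.UUID(int=i)) for i in (1, 2, 3))
    cfg = load_settings(dict(zip(IDS, (t, a, n))))
    claims = {"tid": t, "iss": f"https://login.microsoftonline.com/{t}/v2.0",
              "groups": [n]}
    print(resolve_role(claims, cfg))
```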
See Overview