© 2025 Direct Cursus Technology L.L.C.
Authentication using Microsoft Entra ID

Written by
Yandex Cloud
Updated at May 13, 2025
  • Getting started
  • Creating and configuring a SAML application in Azure
    • Create a SAML application and download a certificate
    • Add users
  • Creating and setting up a federation in Yandex Cloud Organization
    • Create a federation
    • Add certificates
  • Setting up single sign-on (SSO)
    • Specify the redirect URL
    • Configure user attribute mapping
    • Add users to your organization
  • Authentication

With an identity federation, you can use Microsoft Entra ID (Entra ID) to authenticate users within an organization.

Authentication setup includes the following steps:

  1. Creating and configuring a SAML application in Azure.

  2. Creating and setting up a federation in Yandex Cloud Organization.

  3. Setting up single sign-on (SSO).

  4. Authentication.

Getting started

To follow the steps described in this section, you will need an Azure account with an active subscription.

Creating and configuring a SAML application in Azure

Create a SAML application and download a certificate

In Microsoft Azure, a SAML application acts as an identity provider (IdP). Create a SAML application and download a certificate:

  1. Go to the Azure portal.

  2. Under Azure services, select Microsoft Entra ID.

  3. In the left-hand panel, select Enterprise Applications.

  4. Click New application.

  5. On the Browse Microsoft Entra gallery page, click Create your own application.

  6. In the window that opens:

    1. Name the application.

    2. Select Integrate any other application you don't find in the gallery (Non-gallery).

    3. Click Create.

  7. On the Browse page that opens, use the left-hand panel to select Single sign-on.

  8. Select the SAML single sign-on method.

  9. On the SAML-based sign-on page, under 3. SAML signature certificate, download the certificate (Base64). The IdP uses it to sign the message confirming that the user has authenticated.

Do not close the page, as you will need the IdP server data when creating and setting up a federation.

Add users

Add users to the IdP server:

  1. Go to the Enterprise Applications page.

  2. Select the SAML application created.

  3. On the left-hand panel, select Users and groups.

  4. Click Add user or group.

  5. In the Users field, click None Selected.

  6. In the window that opens, check users and click Select.

  7. Click Assign.

Creating and setting up a federation in Yandex Cloud Organization

Create a federation

Cloud Center interface
  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click Create federation in the top-right corner of the page. In the window that opens:

    1. Give your federation a name. It must be unique within the folder.

    2. You can also add a description, if required.

    3. In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.

    4. In the IdP Issuer field, insert the link from the Microsoft Entra ID field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://sts.windows.net/<SAML_app_ID>/
      
    5. In the Link to the IdP login page field, insert the link from the Login URL field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://login.microsoftonline.com/<SAML_app_ID>/saml2
      

      You can only use HTTP and HTTPS in a link.

    6. Enable Automatically create users to automatically add users to your organization once they sign in. Otherwise, you will need to manually add your federated users.

      A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.

    7. Enable Mandatory re-authentication (ForceAuthn) in IdP to set ForceAuthn to true in the SAML authentication request. If enabled, the IdP will request the user to re-authenticate once the Yandex Cloud session expires.

    8. Click Create federation.

CLI

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the create federation command:

    yc organization-manager federation saml create --help
    
  2. Create a federation:

    yc organization-manager federation saml create --name my-federation \
      --organization-id <organization_ID> \
      --auto-create-account-on-login \
      --cookie-max-age 12h \
      --issuer "https://sts.windows.net/<SAML_app_ID>/" \
      --sso-url "https://login.microsoftonline.com/<SAML_app_ID>/saml2" \
      --sso-binding POST \
      --force-authn
    

    Where:

    • --name: Federation name. It must be unique within the folder.

    • --organization-id: Organization ID.

    • --auto-create-account-on-login: Flag enabling the automatic creation of new cloud users after authenticating on the IdP server.
      This option makes it easier to create users; however, users created this way will not be able to do anything with cloud resources. This does not apply to the resources for which roles are assigned to the All users or All authenticated users public group.

      If this option is off, users not added to the organization will not be able to log in to the management console, even if authenticated on your IdP server. In this case, you can manage a list of users allowed to use Yandex Cloud resources.

    • --cookie-max-age: Time before the browser asks the user to re-authenticate.

    • --issuer: ID of the IdP server to use for authentication.

      Use the link from the Microsoft Entra ID field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://sts.windows.net/<SAML_app_ID>/
      
    • --sso-url: URL of the page the browser has to redirect the user to for authentication.

      Use the link from the Login URL field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://login.microsoftonline.com/<SAML_app_ID>/saml2
      

      You can only use HTTP and HTTPS in a link.

    • --sso-binding: Specify the single sign-on binding type. Most identity providers support the POST binding type.

    • (Optional) --force-authn: When the Yandex Cloud session expires, your IdP will prompt the user to re-authenticate.

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Specify the federation parameters in the configuration file.

    Here is the configuration file example:

    resource "yandex_organizationmanager_saml_federation" federation {
      name            = "my-federation"
      organization_id = "<organization_ID>"
      auto_create_account_on_login = "true"
      issuer          = "https://sts.windows.net/<SAML_app_ID>/"
      sso_url         = "https://login.microsoftonline.com/<SAML_app_ID>/saml2"
      sso_binding     = "POST"
      security_settings {
        encrypted_assertions = "true"
        force_authn          = "true"
      }
    }
    

    Where:

    • name: Federation name. It must be unique within the folder.

    • description: Federation description.

    • organization_id: Organization ID.

    • labels: Set of key/value label pairs assigned to the federation.

    • issuer: ID of the IdP server to use for authentication.

      Use the link from the Microsoft Entra ID field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://sts.windows.net/<SAML_app_ID>/
      
    • sso_binding: Specify the single sign-on binding type. Most identity providers support the POST binding type.

    • sso_url: URL of the page the browser redirects the user to for authentication.

      Use the link from the Login URL field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://login.microsoftonline.com/<SAML_app_ID>/saml2
      

      You can only use HTTP and HTTPS in a link.

    • cookie_max_age: Time in seconds before the browser asks the user to re-authenticate. The default value is 8 hours.

    • auto_create_account_on_login: Flag enabling the automatic creation of new cloud users after authenticating on the IdP server.
      This option makes it easier to create users; however, users created this way will not be able to do anything with cloud resources. This does not apply to the resources for which roles are assigned to the All users or All authenticated users public group.

      If this option is off, users not added to the organization will not be able to log in to the management console, even if authenticated on your server. In this case, you can manage a list of users allowed to use Yandex Cloud resources.

    • case_insensitive_name_ids: Toggles username case sensitivity.
      If this option is enabled, the IDs of federated user names will be case-insensitive.

    • security_settings: Federation security settings:

      • encrypted_assertions: Sign authentication requests.

        If this option is enabled, all authentication requests from Yandex Cloud will have a digital signature.

      • force_authn: When the Yandex Cloud session expires, your IdP will prompt the user to re-authenticate. This is an optional parameter.

    For more information about the yandex_organizationmanager_saml_federation resource parameters, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If the configuration is described correctly, the terminal displays the federation parameters. If the configuration contains any errors, Terraform will point them out.

  3. Create a federation.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm you want to create a federation.

    This will create a federation in the specified organization. You can check the new federation and its settings in the organization's Federations section.

API

  1. Create a file with the request body, e.g., body.json:

    {
      "name": "my-federation",
      "organizationId": "<organization_ID>",
      "autoCreateAccountOnLogin": true,
      "cookieMaxAge":"43200s",
      "issuer": "https://sts.windows.net/<SAML_app_ID>/",
      "ssoUrl": "https://login.microsoftonline.com/<SAML_app_ID>/saml2",
      "ssoBinding": "POST",
      "securitySettings": {
        "forceAuthn": true
      }
    }
    

    Where:

    • name: Federation name. It must be unique within the folder.

    • organizationId: Organization ID.

    • autoCreateAccountOnLogin: Flag enabling the automatic creation of new cloud users after authenticating on the IdP server.
      This option makes it easier to create users; however, users created this way will not be able to do anything with cloud resources. This does not apply to the resources for which roles are assigned to the All users or All authenticated users public group.

      If this option is off, users not added to the organization will not be able to log in to the management console, even if authenticated on your IdP server. In this case, you can manage a list of users allowed to use Yandex Cloud resources.

    • cookieMaxAge: Time before the browser asks the user to re-authenticate.

    • issuer: ID of the IdP server to use for authentication.

      Use the link from the Microsoft Entra ID field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://sts.windows.net/<SAML_app_ID>/
      
    • ssoUrl: URL of the page the browser has to redirect the user to for authentication.

      Use the link from the Login URL field on the SAML-based sign-on page in Entra ID. The link should have the following format:

      https://login.microsoftonline.com/<SAML_app_ID>/saml2
      

      You can only use HTTP and HTTPS in a link.

    • ssoBinding: Specify the single sign-on binding type. Most identity providers support the POST binding type.

    • forceAuthn: Parameter that requires user re-authentication once a session expires in Yandex Cloud.

  2. To create a federation, use the create REST API method for the Federation resource or the FederationService/Create gRPC API call and provide a file with the query parameters in your query.

    Query example:

    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer <IAM_token>" \
      --data '@body.json' \
      https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations
    

    Response example:

    {
     "done": true,
     "metadata": {
      "@type": "type.googleapis.com/yandex.cloud.organization-manager.v1.saml.CreateFederationMetadata",
      "federationId": "ajeobmje4dgj********"
     }
    }
    

    The federationId property contains the ID of the federation you created. Save it for later use.
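The body.json above can be assembled and sanity-checked in code before the curl call is made. The following Python script is an added example, not part of this article and not Yandex Cloud's own tooling; it assumes the field names of the body.json shown above, the two link formats the article gives for the Microsoft Entra ID and Login URL fields, and the CLI duration notation (so 12h becomes the "43200s" string seen in the JSON example). The placeholder IDs in the usage block are constructed, not real identifiers.

```python
"""Build and sanity-check a federation request body (body.json) before sending it
to the Organization API. Added example, not Yandex Cloud's own code; the field
names follow the body.json in this article and the link patterns follow the
formats given for the Microsoft Entra ID and Login URL fields."""
import json
import re

# <SAML_app_ID> is captured from both links so they can be cross-checked.
ISSUER_RE = re.compile(r"^https://sts\.windows\.net/(?P<app>[^/]+)/$")
SSO_URL_RE = re.compile(r"^https://login\.microsoftonline\.com/(?P<app>[^/]+)/saml2$")
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_to_api(value):
    """Convert a CLI-style duration ("12h") into the "<seconds>s" string the REST API expects."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return f"{int(m.group(1)) * _UNITS[m.group(2)]}s"


def check_links(issuer, sso_url):
    """Return a list of problems with the IdP links; an empty list means they look right.

    The issuer and SSO URL decide which IdP Yandex Cloud will trust, so a typo
    here is a trust decision, not a cosmetic error."""
    problems = []
    for label, url in (("issuer", issuer), ("ssoUrl", sso_url)):
        if not url.startswith(("http://", "https://")):
            problems.append(f"{label}: only HTTP and HTTPS links are allowed")
    m_iss = ISSUER_RE.match(issuer)
    m_sso = SSO_URL_RE.match(sso_url)
    if not m_iss:
        problems.append("issuer: expected https://sts.windows.net/<SAML_app_ID>/")
    if not m_sso:
        problems.append("ssoUrl: expected https://login.microsoftonline.com/<SAML_app_ID>/saml2")
    if m_iss and m_sso and m_iss.group("app") != m_sso.group("app"):
        problems.append("issuer and ssoUrl refer to different SAML application IDs")
    return problems


def build_federation_body(name, organization_id, issuer, sso_url,
                          cookie_max_age="12h", auto_create=True, force_authn=True):
    """Assemble the request body for POST .../v1/saml/federations, refusing bad input."""
    problems = check_links(issuer, sso_url)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": name,
        "organizationId": organization_id,
        "autoCreateAccountOnLogin": auto_create,
        "cookieMaxAge": duration_to_api(cookie_max_age),
        "issuer": issuer,
        "ssoUrl": sso_url,
        "ssoBinding": "POST",
        "securitySettings": {"forceAuthn": force_authn},
    }


if __name__ == "__main__":
    # Constructed placeholder IDs, not real identifiers.
    app_id = "00000000-0000-0000-0000-000000000000"
    body = build_federation_body(
        "my-federation", "<organization_ID>",
        f"https://sts.windows.net/{app_id}/",
        f"https://login.microsoftonline.com/{app_id}/saml2")
    print(json.dumps(body, indent=2))
```

Redirect the script's output to body.json and pass it to curl as shown above; a mismatch between the application ID in the issuer and the one in the SSO URL, or a link that is neither HTTP nor HTTPS, stops the script before anything is sent.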

Add certificates

While authenticating, the Cloud Organization service should be able to verify the IdP server certificate. To enable this, add the downloaded certificate to the federation:

Cloud Center interface
  1. Log in to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click the row with the federation you want to add a certificate to.

  4. Click Adding a certificate under Certificates at the bottom of the page.

  5. Enter certificate name and description.

  6. Choose how to add a certificate:

    • To add a certificate as a file, click Choose a file and specify the path to it.
    • To paste the contents of a copied certificate, select the Text method and paste the contents.
  7. Click Add.

CLI

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the add certificate command:

    yc organization-manager federation saml certificate create --help
    
  2. Add a federation certificate by specifying the certificate file path:

    yc organization-manager federation saml certificate create \
      --federation-id <federation_ID> \
      --name "my-certificate" \
      --certificate-file certificate.cer
    

API

Use the create method for the Certificate resource:

  1. Create a request body. In the data property, specify the contents of the certificate:

    {
      "federationId": "<federation_ID>",
      "name": "my-certificate",
      "data": "-----BEGIN CERTIFICATE..."
    }
    
  2. Send the request to add the certificate:

    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/certificates"
    

Tip

Make sure to reissue certificates and add them to a federation in a timely manner.

To keep track of when your certificate expires, subscribe to notifications from the organization. Subscribed users get notifications 60, 30, and 5 days before the certificate expires and after its expiration.
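The expiry check can also be scripted against the downloaded certificate file. The following Python script is an added example, not Yandex Cloud's code: it reads the notAfter field out of the Base64 (PEM) certificate with a minimal DER walker (standard library only) and maps the days remaining onto the 60-, 30- and 5-day notice points listed above. The `constructed_certificate_pem` helper builds a structurally valid but unsigned skeleton for testing; it is not a real Entra ID signing certificate, and the helper and `notice_level` names are the example's own.

```python
"""Report when a federation certificate expires and which notice point (60, 30
or 5 days before expiry, or already expired) applies. Added example, not Yandex
Cloud's own code; standard library only. constructed_certificate_pem builds an
unsigned test skeleton, not a real Entra ID signing certificate."""
import base64
import datetime as dt
import re


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(constructed):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(constructed):
        tag, val, pos = _read_tlv(constructed, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then Base64-decode the certificate."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem).split()))


def not_after(der):
    """Return the notAfter instant of a DER-encoded X.509 certificate.

    TBSCertificate is { [0] version OPTIONAL, serialNumber INTEGER, signature SEQUENCE,
    issuer SEQUENCE, validity SEQUENCE { notBefore, notAfter }, ... }, so validity is
    the third SEQUENCE at TBSCertificate level."""
    _, cert, _ = _read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate
    sequences = [val for tag, val in _children(tbs) if tag == 0x30]
    times = list(_children(sequences[2]))
    return _parse_time(*times[1])


def notice_level(days_left):
    """Map days remaining to the notice points this article lists."""
    if days_left < 0:
        return "expired"
    for threshold in (5, 30, 60):
        if days_left <= threshold:
            return f"{threshold}-day notice"
    return "ok"


def expiry_report(pem, now=None):
    """Summarise expiry; `now` is a datetime, an ISO-8601 string, or None for the current UTC time."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    elif isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=dt.timezone.utc)
    expires = not_after(pem_to_der(pem))
    days_left = (expires - now).days
    return {"not_after": expires.isoformat(), "days_left": days_left, "level": notice_level(days_left)}


def _tlv(tag, body):
    """Encode one DER element, using the long length form from 128 bytes upwards."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def constructed_certificate_pem(not_after_utctime):
    """Build a test certificate skeleton expiring at the given UTCTime text (e.g. "260601000000Z").
    Constructed sample: empty issuer/subject, zero-filled key placeholder, zero signature."""
    validity = _tlv(0x17, b"240101000000Z") + _tlv(0x17, not_after_utctime.encode("ascii"))
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),      # [0] version = v3
        _tlv(0x02, b"\x01"),                   # serialNumber
        _tlv(0x30, b""),                       # signature algorithm (placeholder)
        _tlv(0x30, b""),                       # issuer (placeholder)
        _tlv(0x30, validity),                  # validity
        _tlv(0x30, b""),                       # subject (placeholder)
        _tlv(0x30, b"\x00" * 130),             # subjectPublicKeyInfo placeholder; forces long-form lengths
    ]))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

To check the certificate downloaded from Entra ID, call `expiry_report(open("certificate.cer").read())`; the result gives the notAfter date, the days remaining and which notice point applies, which is enough to schedule reissuing the certificate and adding it to the federation before the old one lapses.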

Setting up single sign-on (SSO)

Specify the redirect URL

Once you have created a federation, complete the creation of the SAML application in Azure:

  1. Open the SAML-based sign-on SAML application settings page.

  2. Under 1. Basic SAML configuration, specify information on Yandex Cloud acting as the service provider. To do this, in the ID (entity) and Response URL (assertion consumer service URL) fields, enter the ACS URL to redirect users to after successful authentication.

    How to get the federation ACS URL
    1. Log in to Yandex Cloud Organization.

    2. In the left-hand panel, select Federations.

    3. Select the required federation and copy the ACS URL field value on the federation info page.

  3. Click Save.

Configure user attribute mapping

Warning

It is mandatory to configure user attribute mapping.

Following user authentication, the IdP server will send a SAML message to Yandex Cloud containing:

  • Information about successful authentication.

  • User attributes, such as the name ID, name, and email address.

To configure mapping between SAML message attributes and personal data, on the SAML-based sign-on page under 2. User attributes & claims, click Edit.

Types of personal data supported by Yandex Cloud Organization for Entra ID are given below.

  • Unique user ID (name ID)
    Comment: Required attribute. By default, Entra ID uses User Principal Name (UPN) in <login>_<domain>#EXT#@<provider>.onmicrosoft.com format as the attribute source. When manually adding users to a federation, this name ID format is not supported. We recommend changing the attribute source in Entra ID: choose email address, user.mail, instead of UPN, user.userprincipalname.
    Application attribute: Unique user ID claim

  • Surname
    Comment: Displayed in Yandex Cloud services. Value length limit: 64 characters.
    Application attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  • Name
    Comment: Displayed in Yandex Cloud services. Value length limit: 64 characters.
    Application attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  • Full name
    Comment: Displayed in Yandex Cloud services. Example: Ivan Ivanov. Value length limit: 64 characters.
    Application attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

  • Email
    Comment: Used to send notifications from Yandex Cloud services. Example: ivanov@example.com. Value length limit: 256 characters.
    Application attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Warning

If the attribute value exceeds the length limit, the value part that goes beyond the limit is truncated.
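To see what the mapping and the truncation rule do to a real message, the following Python script is an added example, not Yandex Cloud's own code: it pulls the name ID and the four claims listed above out of a SAML response, cuts each value at the table's length limit, and flags a name ID in the default #EXT# UPN format, which the table says cannot be added to a federation manually. The response it parses is a constructed, unsigned sample with placeholder IDs, and the script simulates the service's mapping rather than reproducing it; a real consumer verifies the XML signature against the federation certificate before trusting any attribute.

```python
"""Pull the attributes Yandex Cloud Organization reads out of an Entra ID SAML
response and apply this article's length limits. Added example, not Yandex
Cloud's own code: the claim URIs and limits come from the table above, the
response is a constructed, unsigned sample, and the code simulates the mapping
rather than reproducing the service. A real consumer verifies the XML signature
against the federation certificate before trusting any attribute."""
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Claim URI -> (field name used here, value length limit from the table above).
ATTRIBUTES = {
    CLAIM + "surname": ("surname", 64),
    CLAIM + "givenname": ("name", 64),
    CLAIM + "name": ("full_name", 64),
    CLAIM + "emailaddress": ("email", 256),
}
# Entra ID's default name ID source: <login>_<domain>#EXT#@<provider>.onmicrosoft.com
EXT_UPN_RE = re.compile(r"^[^@]+_[^@]+#EXT#@[^.]+\.onmicrosoft\.com$")


def truncate(value, limit):
    """Keep only the first `limit` characters, as the service does with over-long values."""
    return value[:limit]


def name_id_is_manually_addable(name_id):
    """False for the default #EXT# UPN format, which cannot be added to a federation by hand."""
    return EXT_UPN_RE.match(name_id) is None


def extract_user(saml_response_xml):
    """Return the name ID and mapped attributes, noting which values were truncated."""
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)
    user = {"name_id": name_id,
            "manually_addable": name_id_is_manually_addable(name_id),
            "truncated": []}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        mapping = ATTRIBUTES.get(attr.get("Name"))
        if mapping is None:
            continue                          # claims the service does not use are ignored
        field, limit = mapping
        value = attr.findtext("saml2:AttributeValue", default="", namespaces=NS)
        if len(value) > limit:
            user["truncated"].append(field)
        user[field] = truncate(value, limit)
    return user


# Constructed sample response (placeholder IDs, no signature); the Full name
# value is deliberately 84 characters long to exercise the 64-character limit.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>ivan.ivanov_example.com#EXT#@exampletenant.onmicrosoft.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM}givenname"><saml:AttributeValue>Ivan</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM}surname"><saml:AttributeValue>Ivanov</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM}name"><saml:AttributeValue>{'Ivan Ivanov ' * 7}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM}emailaddress"><saml:AttributeValue>ivanov@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(extract_user(SAMPLE_RESPONSE))
```

Running the script on the sample shows the full name cut to 64 characters and `manually_addable` reported as false, which is the situation the table warns about when the attribute source is left at the UPN default.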

Add users to your organization

If you did not enable the Automatically create users option when creating the federation, you will have to add federated users to your organization manually.

To do this, you will need user name IDs. They are returned by the IdP server together with a response confirming successful authentication.

If the Automatically create users option is enabled, a federation will only add users logging in to a cloud for the first time. If a federated user has been removed, they can only be added again manually.

A user can be added by the organization administrator (the organization-manager.admin role) or owner (the organization-manager.organizations.owner role). To learn how to grant a role to a user, see Roles.

Note

To enable a user to access the management console, assign them a role for the cloud or organization. For added security, you can assign one of the least privileged roles, such as resource-manager.clouds.member. However, you may also assign other roles if you know which permissions you want to grant to the invited users.

To grant these permissions to all the organization users at once, assign the role to the All users in organization X system group. When using the CLI or API, no additional roles are required.

Cloud Center interface
  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. In the top-right corner, click More and select Add federated users.

  4. Select the identity federation to add users from.

  5. List the name IDs of users, separating them with spaces or line breaks.

  6. Click Add. This will give the users access to the organization.

CLI

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the add user command:

    yc organization-manager federation saml add-user-accounts --help
    
  2. Add users by listing their name IDs separated by a comma:

    yc organization-manager federation saml add-user-accounts --id <federation_ID> \
      --name-ids=alice@example.com,bob@example.com,charlie@example.com
    

    Where:

    • --id: Federation ID.

    • --name-ids: Name IDs of users.

API

To add identity federation users to the cloud:

  1. Create a file with the request body, e.g., body.json. In the request body, specify the array of name IDs of users you want to add:

    {
      "nameIds": [
        "alice@example.com",
        "bob@example.com",
        "charlie@example.com"
      ]
    }
    
  2. Send the request by specifying the federation ID in the parameters:

    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer <IAM_token>" \
      --data '@body.json' \
      https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations/<federation_ID>:addUserAccounts
    

Authentication

When you finish setting up SSO, test that everything works properly:

  1. Open your browser in guest or private browsing mode.

  2. Use this URL to log in to the management console:

    https://console.yandex.cloud/federations/<federation_ID>
    
    How to get a federation ID
    1. Log in to Yandex Cloud Organization.
    2. In the left-hand panel, select Federations.
    3. Select the required federation and copy the Identifier field value on the federation info page.

    The browser forwards you to the Microsoft authentication page.

  3. Enter your credentials and click Next.

On successful authentication, the IdP server will redirect you to the ACS URL you specified in the Entra ID settings and then to the management console home page. In the top-right corner, you will see that you are logged in to the console as a federated user.

What's next

  • Assign roles to the new users
