A Concourse server can authenticate against Microsoft Azure AD to leverage its permission model.
You'll need to register a new application on Azure.
The "Callback URL" must be the URL of your Concourse server with
/sky/issuer/callback appended. This address must be reachable by Microsoft - it can't be
For example, Concourse's own CI server's callback URL would be:
You will be given a Client ID and a Client Secret for your new application. The client ID and secret must then be configured on the
web node by setting the following env:
concourse web --help for a full list of flags with descriptions.