Azure Active Directory
Category: Identity
system_type: "azure_ad"
Integrate Azure AD for SSO, user provisioning, and group-based key access control.
Overview#
The Azure AD connector integrates with Microsoft Identity Platform v2.0 for OIDC/SAML SSO and SCIM user provisioning. Client credentials are sealed in QuantaVault and used for Microsoft Graph API calls.
Endpoint: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_…
Prerequisites#
1. An Azure AD tenant
2. An App Registration with the required Microsoft Graph API permissions
3. Client ID, Client Secret, and Tenant ID
Configuration#
Follow these steps to connect Azure Active Directory to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. Register an app in Azure Portal → Azure Active Directory → App Registrations.
2. Add the Microsoft Graph permissions User.Read.All and Group.Read.All.
3. Create a client secret and note the client_id, client_secret, and tenant_id.
4. Seal the credentials: POST /api/v2/vault/seal with credential_type: oauth2_client.
5. Create the integration with system_type: azure_ad.
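The five steps above as one scripted flow, added here as an example and not QuantaSeal's own SDK or sample code. It seals the Azure credentials, creates the integration with an explicit allowed_operations list, and checks a proxy request against that list before sending it, mirroring the server's default-deny policy on the client side. Only the two paths shown on this page (/api/v2/vault/seal and /api/v2/proxy/outbound), the credential_type, system_type and allowed_operations keys, and the proxy body shape come from the page; the integrations path, the nested credential key names, and the response field names (credential_id, integration_id) are assumptions, and the API key and Azure values are constructed placeholders.

```python
"""Scripted Azure AD onboarding for QuantaSeal (added example, not SDK code)."""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable

BASE_URL = "https://api.quantaseal.io"
QS_API_KEY = "qs_live_PLACEHOLDER"          # constructed placeholder, never a real key
SEAL_PATH = "/api/v2/vault/seal"            # from the page
PROXY_PATH = "/api/v2/proxy/outbound"       # from the page
INTEGRATIONS_PATH = "/api/v2/integrations"  # ASSUMED: the page names no path for step 5

AZURE_SECRET_KEYS = ("client_id", "client_secret", "tenant_id")

# A sender takes (path, json_body) and returns the parsed JSON response.
Sender = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def http_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: JSON POST carrying the X-API-Key header shown on the page."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"X-API-Key": QS_API_KEY, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def seal_body(client_id: str, client_secret: str, tenant_id: str) -> Dict[str, Any]:
    # Step 4. credential_type is from the page; the nested "credentials" key is assumed.
    return {
        "credential_type": "oauth2_client",
        "credentials": {"client_id": client_id,
                        "client_secret": client_secret,
                        "tenant_id": tenant_id},
    }


def integration_body(credential_id: str, allowed_operations: Iterable[str]) -> Dict[str, Any]:
    # Step 5. system_type and allowed_operations are from the page; credential_id is assumed.
    # Default-deny: anything not listed here is rejected by the proxy later.
    return {
        "system_type": "azure_ad",
        "credential_id": credential_id,
        "allowed_operations": list(dict.fromkeys(allowed_operations)),
    }


def proxy_body(integration_id: str, operation: str, payload: Dict[str, Any],
               allowed_operations: Iterable[str]) -> Dict[str, Any]:
    """Build a proxy request, refusing early what the server would deny anyway."""
    if operation not in set(allowed_operations):
        raise PermissionError(f"{operation!r} is not in allowed_operations; the proxy would deny it")
    # The Azure credentials stay sealed in QuantaVault and are resolved server-side,
    # so they must never travel in the proxy payload.
    if any(k in payload for k in AZURE_SECRET_KEYS):
        raise ValueError("raw Azure credentials must not be placed in the proxy payload")
    return {"integration_id": integration_id, "operation": operation, "payload": payload}


def run_setup(send: Sender, client_id: str, client_secret: str, tenant_id: str,
              allowed_operations: Iterable[str]) -> Dict[str, Any]:
    """Steps 4 and 5, then one get_user call; returns the ids and the opaque envelope."""
    allowed = list(allowed_operations)
    sealed = send(SEAL_PATH, seal_body(client_id, client_secret, tenant_id))
    credential_id = sealed["credential_id"]          # response field name assumed
    created = send(INTEGRATIONS_PATH, integration_body(credential_id, allowed))
    integration_id = created["integration_id"]       # response field name assumed
    envelope = send(PROXY_PATH, proxy_body(integration_id, "get_user",
                                           {"user_id": "alice@contoso.com"}, allowed))
    return {"credential_id": credential_id, "integration_id": integration_id,
            "envelope": envelope}


if __name__ == "__main__":
    # Live run against the real API (placeholders must be replaced first).
    print(run_setup(http_post, "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID",
                    ["get_user", "list_groups"]))
```

The transport is injected so the flow can be exercised offline; the envelope returned by the last call is still opaque here and must go through the signature and HMAC checks described under Code Example before its payload is used.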
Authentication Types#
Seal client_id, client_secret, and tenant_id as oauth2_client. QuantaSeal uses the client_credentials grant for Microsoft Graph API calls.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant's AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and the seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| get_user | Retrieve a user profile from Microsoft Graph. |
| list_groups | List Azure AD group memberships. |
| sync_users | SCIM-based user provisioning sync. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
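The verification rule just stated, that both the ML-DSA-65 signature and the HMAC-SHA-512 must pass and that the two results are combined with a bitwise & rather than a short-circuit and, as an added example that is not QuantaSeal's SDK code. Python's stdlib has no ML-DSA-65, so an HMAC-SHA-256 tag under a separate key stands in for the signature; the envelope field names and the keys are constructed for the demo. The counter on the verifier makes the difference between the two combinators observable: with & the HMAC check still runs after a failed signature check, with and it does not.

```python
"""Two-authenticator envelope check, bitwise vs short-circuit (added example)."""
import hashlib
import hmac
from typing import Dict

# Constructed demo keys; in practice these come from the QuantaSeal client.
MAC_KEY = b"constructed-hmac-sha512-key"
SIG_KEY = b"constructed-stand-in-signing-key"


def stand_in_sign(message: bytes) -> bytes:
    # Stand-in for the ML-DSA-65 signature (no post-quantum scheme in the stdlib).
    return hmac.new(SIG_KEY, message, hashlib.sha256).digest()


def hmac_sha512(message: bytes) -> bytes:
    return hmac.new(MAC_KEY, message, hashlib.sha512).digest()


def make_envelope(ciphertext: bytes) -> Dict[str, bytes]:
    # Constructed envelope; field names are assumptions, not the SDK's.
    return {
        "ciphertext": ciphertext,
        "signature": stand_in_sign(ciphertext),
        "hmac_sha512": hmac_sha512(ciphertext),
    }


class EnvelopeVerifier:
    def __init__(self) -> None:
        self.checks_run = 0  # how many authenticator checks actually executed

    def signature_ok(self, env: Dict[str, bytes]) -> bool:
        self.checks_run += 1
        # compare_digest: constant-time comparison, no early exit on first mismatch
        return hmac.compare_digest(stand_in_sign(env["ciphertext"]), env["signature"])

    def hmac_ok(self, env: Dict[str, bytes]) -> bool:
        self.checks_run += 1
        return hmac.compare_digest(hmac_sha512(env["ciphertext"]), env["hmac_sha512"])

    def verify_bitwise(self, env: Dict[str, bytes]) -> bool:
        # `&` evaluates BOTH operands before combining; the amount of work done does not
        # depend on which check fails, and a bug in one check cannot hide the other.
        return self.signature_ok(env) & self.hmac_ok(env)

    def verify_short_circuit(self, env: Dict[str, bytes]) -> bool:
        # `and` returns as soon as the signature check is False; the HMAC never runs then.
        return self.signature_ok(env) and self.hmac_ok(env)


def checks_run_on_bad_signature() -> Dict[str, int]:
    """Corrupt the signature and count how many checks each strategy performs."""
    env = make_envelope(b"opaque AES-256-GCM ciphertext (constructed)")
    env["signature"] = bytes(len(env["signature"]))  # zeroed, i.e. invalid, signature
    bitwise, short = EnvelopeVerifier(), EnvelopeVerifier()
    assert not bitwise.verify_bitwise(env)
    assert not short.verify_short_circuit(env)
    return {"bitwise": bitwise.checks_run, "short_circuit": short.checks_run}


def authentic(env: Dict[str, bytes]) -> bool:
    """Gate to place in front of decryption: decrypt only when this returns True."""
    return EnvelopeVerifier().verify_bitwise(env)


if __name__ == "__main__":
    print(checks_run_on_bad_signature())  # bitwise runs 2 checks, short-circuit only 1
```

Only after authentic(envelope) returns True should the ciphertext be handed to the decryption step; a tampered ciphertext fails both authenticators, a forged signature fails one, and in both cases the bitwise form performs the same two checks.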
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
  -d '{"integration_id":"int_AAD001","operation":"get_user","payload":{"user_id":"alice@contoso.com"}}'

Decrypt the returned envelope with client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not a short-circuit and, so both checks always run.
Troubleshooting#
AADSTS70011 - The provided request must include scope
Ensure admin consent has been granted for all Graph API permissions on the app registration.