Azure AD Federation with Keycloak as SAML identity provider using external B2B guest users - Automating User and Group Sync from Keycloak to Azure AD

04.05.2023 | Eike Waldt in howto

Recap of Post 1

Post 1 showed you how to set up Keycloak, your DNS, an Azure External Identity Provider and how to invite internal B2B guest users.

Automating User and Group Sync from Keycloak to Azure AD

At the time of writing (05/2023) there is no easy or out-of-the-box way to sync users from a third-party IdP into Azure AD. We could of course provision every user manually, but who would want that.

So we have to get creative and build something ourselves.

Now it is time to show you a possible way to automate the user provisioning in Azure.

Which SDK to use …

Microsoft provides PowerShell modules for the Microsoft Graph REST API, you can talk to the Microsoft Graph REST API directly over HTTP, and there are several SDKs available for this kind of task.

I did not want to depend on installing PowerShell. My tool of choice for this kind of task is Python, so I first tried the Microsoft Graph SDK for Python. It is still in "community preview" (05/2023), its documentation did not meet my requirements, and Microsoft states that breaking changes may still be introduced. To be on the safe side, we call the Microsoft Graph REST API over HTTP and build the needed logic and functions in Python ourselves.


My approach can be found on

Clone the repository to get started.

git clone

What it does …

  • The script loops over a configurable map of groups.
  • Each element in the map is a Keycloak/Azure key-value pair.
    • The Keycloak and Azure groups have to exist already; the script does not create them.
  • If a user is found in the Keycloak group:
    • it is invited as a B2B guest user.
    • it is updated so that the user is of type Member (not Guest) and placed in the configured Azure group.
  • If a member is removed from a Keycloak group, it is also removed from its Azure equivalent.
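The reconciliation the list above describes, as an added example in Python that is not the project's script: a pure function that takes the group map, the Keycloak memberships and the current Azure memberships and returns the invite/add/remove actions to execute. It goes slightly beyond the list in two places: addresses are compared case-insensitively (Azure AD matches mail and UPN that way), and a user who already exists in the tenant is added to the group without being invited again. The group names, addresses and the Azure user set are constructed sample data.

```python
"""Reconcile Keycloak group membership against Azure AD group membership.

Added example, not the project's script. Group names, e-mail addresses and
the Azure user set used below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str              # "invite", "add" or "remove"
    email: str
    azure_group: str = ""  # empty for "invite", which is per user, not per group


def _norm(email: str) -> str:
    # Azure AD matches mail and UPN case-insensitively, so compare lower-cased.
    return email.strip().lower()


def plan_sync(group_map, keycloak_members, azure_members, azure_users):
    """Return the ordered actions that make the Azure groups match Keycloak.

    group_map:        [{"keycloak": "group1", "azure": "acme-group-1"}, ...]
    keycloak_members: {"group1": {"a@example.com", ...}, ...}
    azure_members:    {"acme-group-1": {"a@example.com", ...}, ...}
    azure_users:      e-mail addresses of users that already exist in the tenant
    """
    known = {_norm(u) for u in azure_users}
    invited = set()
    actions = []
    for entry in group_map:
        kc_group, az_group = entry["keycloak"], entry["azure"]
        wanted = {_norm(u) for u in keycloak_members.get(kc_group, ())}
        present = {_norm(u) for u in azure_members.get(az_group, ())}
        for email in sorted(wanted - present):
            # Invite each address at most once per run, and not at all if the
            # tenant already has the user (for example from an earlier run).
            if email not in known and email not in invited:
                actions.append(Action("invite", email))
                invited.add(email)
            actions.append(Action("add", email, az_group))
        # Leaving a Keycloak group only removes the group membership in Azure;
        # the user object itself is left alone.
        for email in sorted(present - wanted):
            actions.append(Action("remove", email, az_group))
    return actions


if __name__ == "__main__":
    plan = plan_sync(
        [{"keycloak": "group1", "azure": "acme-group-1"},
         {"keycloak": "group2", "azure": "acme-group-2"}],
        {"group1": {"Alice@example.com", "bob@example.com"},
         "group2": {"alice@example.com"}},
        {"acme-group-1": {"bob@example.com", "carol@example.com"},
         "acme-group-2": set()},
        {"bob@example.com", "carol@example.com"},
    )
    for action in plan:
        print(action.kind, action.email, action.azure_group)
```

Keeping the planning step separate from the Graph calls makes a dry run trivial: print the plan before executing it, and nothing is invited or removed by accident while you are still tuning the group map.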

Dependencies and Requirements

We need a few Python packages installed.

To interact with the Keycloak API:
  • python-keycloak package

To parse the YAML config file:
  • path package
  • strictyaml package

The easiest way of installing these is:

pip install -r requirements.txt


To use the script you need to supply several environment variables and a config file.

Keycloak user

To read the users and groups from Keycloak, you need a Keycloak user with these roles:
  • query-clients
  • query-groups
  • query-users
  • view-clients
  • view-groups
  • view-users

Look at the Keycloak - Managing users documentation to get more information.

The user has to be passed to this script by setting these environment variables:
  • KEYCLOAK_USER
  • KEYCLOAK_PASSWORD

Azure application credentials

To add users to Azure AD, you need an Azure app registration with these API permissions:
  • Microsoft Graph -> User.*
  • Microsoft Graph -> Group.*
  • Microsoft Graph -> GroupMember.*

These are application permissions (the script runs without a signed-in user), so a tenant administrator has to grant admin consent. The wildcards are broader than the script strictly needs; the permission table on each Graph endpoint lists the narrowest permission that call accepts (invitations and group membership changes, for example, are covered by User.Invite.All and GroupMember.ReadWrite.All), so scope the registration down where you can.

Look at the Quickstart: Register an application with the Microsoft identity platform documentation to get more information. Be sure to add a client secret.

The credentials have to be passed as these environment variables:
  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET (client secrets expire; the portal allows a lifetime of at most 24 months, so plan the rotation, otherwise the sync silently stops working on that date)
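How the script side of these credentials looks in practice, as an added example that is not the project's code: the client-credentials token request against the tenant's token endpoint, and the four Graph v1.0 calls the sync needs (create invitation, set userType to Member, add and remove a group member), using only the standard library. The token URL, the Graph paths and the environment variable names are the documented ones; the class and function names and the FakeTransport used to run it offline are assumptions made for this illustration.

```python
"""Minimal Microsoft Graph client for the calls the sync needs.

Added example, not the project's code. The token URL, Graph v1.0 paths and
environment variable names are the documented ones; GraphClient,
load_azure_credentials and FakeTransport are names chosen for this example.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"


def load_azure_credentials(env=os.environ):
    """Read the three variables the script expects; fail early if one is unset."""
    names = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {n: env[n] for n in names}


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON), also for 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


class GraphClient:
    def __init__(self, creds, transport=urllib_transport):
        self.creds, self.transport, self._token = creds, transport, None

    def token(self):
        """OAuth2 client-credentials grant. The scope must be the .default
        scope so that the application permissions granted to the app apply."""
        if self._token is None:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials",
                "client_id": self.creds["AZURE_CLIENT_ID"],
                "client_secret": self.creds["AZURE_CLIENT_SECRET"],
                "scope": "https://graph.microsoft.com/.default",
            }).encode()
            url = TOKEN_URL.format(tenant=self.creds["AZURE_TENANT_ID"])
            status, data = self.transport(
                "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200 or not (data or {}).get("access_token"):
                # An expired client secret shows up here as an invalid_client error.
                raise RuntimeError(f"token request failed: {status} {data}")
            self._token = data["access_token"]
        return self._token

    def _graph(self, method, path, payload=None):
        headers = {"Authorization": "Bearer " + self.token()}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, data = self.transport(method, GRAPH + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: {status} {data}")
        return data

    def invite_guest(self, email, redirect_url):
        """POST /invitations creates the B2B guest; returns the new user's id."""
        data = self._graph("POST", "/invitations", {
            "invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": False,
        })
        return data["invitedUser"]["id"]

    def make_member(self, user_id):
        """Flip userType from Guest to Member, as the article's script does."""
        self._graph("PATCH", f"/users/{user_id}", {"userType": "Member"})

    def add_to_group(self, group_id, user_id):
        self._graph("POST", f"/groups/{group_id}/members/$ref",
                    {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"})

    def remove_from_group(self, group_id, user_id):
        self._graph("DELETE", f"/groups/{group_id}/members/{user_id}/$ref")


class FakeTransport:
    """Records every request and answers as Graph would; offline use only."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, {"access_token": "constructed-token", "expires_in": 3599}
        if url.endswith("/invitations"):
            return 201, {"invitedUser": {"id": "11111111-1111-1111-1111-111111111111"}}
        return 204, None
```

With the real transport, `GraphClient(load_azure_credentials())` picks up the three environment variables and fails with a clear message if one is missing; with `FakeTransport()` you can exercise the whole call sequence and inspect `calls` before pointing it at a tenant.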

Script configuration

The script has a self-explanatory config file.

Run cp keycloak_to_azure.config.yaml.example keycloak_to_azure.config.yaml and adapt the copy to get started.

Please make sure that all the configured Keycloak and Azure groups already exist. The script will not take care of that.

Example configuration file:

❯ cat keycloak_to_azure.config.yaml.example
logfile: keycloak_to_azure.log
keycloak_realm: acme
groups:  # key name assumed; the listing shown here omits the parent key of the list
  - keycloak: group1
    azure: acme-group-1
  - keycloak: group2
    azure: acme-group-2
  - keycloak: group3
    azure: acme-group-3

Running the Script

If you have set all the environment variables, written the config file, and created the Keycloak and Azure groups, you can run the script.

It will now take care of syncing the configured groups and their users.

2023-04-03 07:46:42,250 [INFO] start run
2023-04-03 07:46:42,250 [INFO] invited azure user:
2023-04-03 07:46:42,250 [INFO] updated azure user: xxxx-xxxx-xxxx-xxxx-xxxx - Firstname1 Lastname1
2023-04-03 07:46:42,250 [INFO] added user to group: xxxx-xxxx-xxxx-xxxx-xxxx xxxx-xxxx-xxxx-xxxx-xxxx
2023-04-03 07:46:47,107 [INFO] end run

Congratulations! You just synced your users and groups from Keycloak to Azure.

Next steps

Group permissions concept in Azure

On the Azure side, you now need to configure some reasonable permissions for your groups. Of course, the script won’t help you do this. You have to come up with a concept yourself.

Using a different email domain in Azure AD and Keycloak

Like B1 Systems, you might want to use a different email domain for the users created in Azure AD than for the users in your Keycloak instance. There can be several reasons for this, e.g. you already have existing users in Azure AD (from the same email domain) that you do not want to touch, or you cannot use SAML/WS-Fed IdP federation with your verified domain.

A detailed blog entry with a solution for this problem might follow ;)

Eike Waldt
Eike Waldt is a Linux Consultant and Trainer and has been with B1 Systems since 2015. During his career he has worked in many SAP and SUSE focused projects. This included designing complex mechanisms for maintaining large landscapes and approaches to maintain and refactor their codebase via continuous integration (CI) solutions. Some of his favorite technologies and topics are high availability clusters (pacemaker/corosync) and Infrastructure as Code (e.g. Terraform, Ansible, Salt, Chef). Apart from wage work, he is an advocate of community supported agriculture (CSA, please look it up), which (who would have thought that) also includes running and designing IT infrastructure.


Do you have comments or questions? Contact us at