Unit 1: Microsoft Entra ID (Azure AD) integration

[TeoSlayer]

Scope

Native Entra ID integration with group-to-network mapping, Conditional Access policy awareness, and Azure Managed Identity support.

Deliverables

• OIDC configuration preset for Entra ID (issuer URL, JWKS, tenant ID)
• Group claim extraction: map Entra ID security groups to Pilot networks
• Conditional Access: document how CA policies gate token issuance (MFA, compliance, location)
• Azure Managed Identity: system-assigned and user-assigned identity support for VMs and AKS pods
• Setup guide: Entra ID app registration, required API permissions, group claim configuration
• Test with real Entra ID tenant

Priority: HIGH

[TeoSlayer]

Context: Entra ID is the dominant enterprise identity provider. Group-to-network mapping means Azure AD security groups directly control which Pilot networks agents can join. Conditional Access provides zero-trust signals (MFA, device compliance, location) without Pilot needing to implement them — the IdP handles the policy, Pilot trusts the resulting token.