diff --git a/.gitignore b/.gitignore index 1654202..c690290 100644 --- a/.gitignore +++ b/.gitignore @@ -2,8 +2,9 @@ .kube/* # Terraform -.terraform -terraform.tfstate* +.terraform/ +*.tfvars +*.tfstate* *.hcl !.github/linters/.tflint.hcl diff --git a/manifests/platform/argocd/operator/applications/cluster-configs.yaml b/manifests/platform/argocd/operator/applications/cluster-auth.yaml similarity index 84% rename from manifests/platform/argocd/operator/applications/cluster-configs.yaml rename to manifests/platform/argocd/operator/applications/cluster-auth.yaml index 434765a..2c1ad6f 100644 --- a/manifests/platform/argocd/operator/applications/cluster-configs.yaml +++ b/manifests/platform/argocd/operator/applications/cluster-auth.yaml @@ -1,7 +1,7 @@ kind: Application apiVersion: argoproj.io/v1alpha1 metadata: - name: cluster-configs + name: cluster-auth namespace: argocd spec: destination: @@ -9,7 +9,7 @@ spec: project: default source: repoURL: https://github.com/jennweir/HomeLab.git - path: manifests/platform/cluster-configs + path: manifests/platform/cluster-auth targetRevision: main syncPolicy: retry: diff --git a/manifests/platform/cluster-auth/README.md b/manifests/platform/cluster-auth/README.md new file mode 100644 index 0000000..acc59c8 --- /dev/null +++ b/manifests/platform/cluster-auth/README.md @@ -0,0 +1,11 @@ +# AzureAD and az-cli Commands + +```bash +# View jwt token +export TOKEN=$(az account get-access-token --query accessToken -o tsv) +echo $TOKEN | jwt decode - + +# View OIDC config and supported claims +export TENANT_ID="" +curl -s https://login.microsoftonline.com/${TENANT_ID}/v2.0/.well-known/openid-configuration +``` diff --git a/manifests/platform/cluster-configs/kustomization.yaml b/manifests/platform/cluster-auth/base/kustomization.yaml similarity index 75% rename from manifests/platform/cluster-configs/kustomization.yaml rename to manifests/platform/cluster-auth/base/kustomization.yaml index d5c9c20..cf30275 100644 
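Review bot: `spec.source.path` in `cluster-auth.yaml` now points at `manifests/platform/cluster-auth`, but the only kustomizations this commit creates live in `cluster-auth/base/` and `cluster-auth/overlays/okd/`; with no `kustomization.yaml` at that root, ArgoCD will treat the directory as plain manifests and, unless recursion is enabled further down the spec (outside this hunk), will find only `README.md` and deploy nothing. Pointing the Application at the overlay, `path: manifests/platform/cluster-auth/overlays/okd`, gives it the kustomization that pulls in `../../base` together with the OIDC configuration. The rest of the Application spec continues outside the hunk.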
--- a/manifests/platform/cluster-configs/kustomization.yaml
+++ b/manifests/platform/cluster-auth/base/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - authentication.yaml
+ - serviceaccount.yaml
diff --git a/manifests/platform/cluster-auth/base/serviceaccount.yaml b/manifests/platform/cluster-auth/base/serviceaccount.yaml
new file mode 100644
index 0000000..aac38c1
--- /dev/null
+++ b/manifests/platform/cluster-auth/base/serviceaccount.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: oauth-reader
+ namespace: openshift-config
diff --git a/manifests/platform/cluster-auth/overlays/okd/authentication.yaml b/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
new file mode 100644
index 0000000..e4301f5
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
@@ -0,0 +1,39 @@
+apiVersion: config.openshift.io/v1
+kind: Authentication
+metadata:
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/create-only: "true"
+ name: cluster
+spec:
+ oauthMetadata:
+ name: ""
+ serviceAccountIssuer: https://storage.googleapis.com/jennweir-homelab
+ type: "OIDC"
+ oidcProviders:
+ - name: azuread
+ issuer:
+ issuerURL: "https://login.microsoftonline.com//v2.0"
+ audiences:
+ -
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ oidcClients:
+ - clientID:
+ clientSecret:
+ name: azure-client-secret
+ componentName: console
+ componentNamespace: openshift-console
+ extraScopes:
+ - email
+ - profile
+ - clientID:
+ clientSecret:
+ name: azure-client-secret
+ componentName: cli
+ componentNamespace: openshift-console
+ extraScopes:
+ - email
+ - profile
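Review bot: `claimMappings.username.claim` in `overlays/okd/authentication.yaml` maps cluster usernames to `preferred_username`, which Entra ID documents as a mutable claim that should not be used for authorization decisions; since the OpenShift username is exactly what RBAC bindings key on, a renamed or reused UPN would either strand or inherit those bindings, so the immutable `oid` (or `sub`) claim is the safer username key. The provider block also still carries placeholder values — the tenant segment in `issuerURL: "https://login.microsoftonline.com//v2.0"` is empty, the single `audiences` entry is blank and both `clientID` fields are empty — so synced as-is the authentication operator will most likely reject the object. If these are meant to be injected at build time or were scrubbed for publication, a comment saying so, such as `# tenant ID, audience and client IDs are filled in at deploy time — do not commit real values`, would make the intent clear to the next reader.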
diff --git a/manifests/platform/cluster-auth/overlays/okd/client-secret.yaml b/manifests/platform/cluster-auth/overlays/okd/client-secret.yaml
new file mode 100644
index 0000000..e5c76da
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/client-secret.yaml
@@ -0,0 +1,8 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: azure-client-secret
+ namespace: openshift-config
+type: Opaque
+stringData:
+ clientSecret:
diff --git a/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml b/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
new file mode 100644
index 0000000..8ea426d
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../base
+ - authentication.yaml
+ - client-secret.yaml
+ - oauth.yaml
diff --git a/manifests/platform/cluster-configs/authentication.yaml b/manifests/platform/cluster-configs/authentication.yaml
deleted file mode 100644
index d2a5b12..0000000
--- a/manifests/platform/cluster-configs/authentication.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: config.openshift.io/v1
-kind: Authentication
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/create-only: "true"
- name: cluster
-spec:
- oauthMetadata:
- name: ""
- serviceAccountIssuer: https://storage.googleapis.com/jennweir-homelab
- type: ""
- webhookTokenAuthenticator:
- kubeConfig:
- name: webhook-authentication-integrated-oauth
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 3da9e11..e76c544 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
@@ -1,3 +1,5 @@
+# Google ------------------------------------------------------------------------------------------------------------------
+
 locals {
 wif_pool = "okd-pool"
 wif_provider = "okd-provider"
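Review bot: `client-secret.yaml` checks a `kind: Secret` into the ArgoCD-synced repo with `stringData.clientSecret` left empty, so each sync will most likely create or reset `azure-client-secret` in `openshift-config` to an empty value and break console and CLI login, and the obvious "fix" of filling the value in-repo would commit the Azure client secret to git. The repo already runs external-secrets with Secret Manager access (`system:serviceaccount:argocd:external-secrets` in `terraform/okd/main.tf`), so this is better expressed as an `ExternalSecret` that materialises the Secret from Secret Manager, with the plain Secret dropped from the overlay. If the file has to stay, a comment on the `clientSecret:` line such as `# populated out of band — never commit the real value` states the contract.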
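Review bot: `overlays/okd/kustomization.yaml` lists `oauth.yaml` as a resource, but no such file is added anywhere in this diff — the new overlay directory only gains `authentication.yaml` and `client-secret.yaml` — so `kustomize build` of the overlay, and with it the ArgoCD sync, would fail until it exists. If `oauth.yaml` is intended for a later commit, remove the entry for now; if it already exists untracked, it needs to be committed alongside this change so the overlay is self-contained.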
@@ -149,4 +151,28 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 secret_id = "quay-jennweir-pull-secret"
 role = "roles/secretmanager.secretAccessor"
 member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
-}
\ No newline at end of file
+}
+
+# Azure ------------------------------------------------------------------------------------------------------------------
+
+resource "azuread_application" "okd_cluster" {
+ display_name = "okd-cluster"
+ web {
+ redirect_uris = [
+ "https://oauth-openshift.apps.okd.jenniferpweir.com/oauth2callback/Azure_AD",
+ "https://console-openshift-console.apps.okd.jenniferpweir.com/auth/callback",
+ ]
+ }
+}
+
+resource "azuread_service_principal" "okd_cluster" {
+ client_id = azuread_application.okd_cluster.client_id
+}
+
+resource "azuread_application_federated_identity_credential" "okd_cluster_byo_oidc" {
+ application_id = azuread_application.okd_cluster.id
+ display_name = "okd-cluster-byo-oidc"
+ issuer = "https://storage.googleapis.com/jennweir-homelab"
+ subject = "system:serviceaccount:openshift-config:oauth-reader"
+ audiences = ["api://AzureADTokenExchange"]
+}
diff --git a/terraform/okd/provider.tf b/terraform/okd/provider.tf
index 900f23e..a3f944f 100644
--- a/terraform/okd/provider.tf
+++ b/terraform/okd/provider.tf
@@ -1,4 +1,8 @@
 provider "google" {
- project = "homelab-mgmt"
+ project = var.homelab_project_id
 region = "us-east1"
+}
+
+provider "azuread" {
+ tenant_id = var.azure_tenant_id
 }
\ No newline at end of file
diff --git a/terraform/okd/variables.tf b/terraform/okd/variables.tf
new file mode 100644
index 0000000..e273a87
--- /dev/null
+++ b/terraform/okd/variables.tf
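Review bot: The federated identity credential's `issuer` repeats the literal `https://storage.googleapis.com/jennweir-homelab` that also appears as `serviceAccountIssuer` in `overlays/okd/authentication.yaml`; drift between the two silently breaks the token exchange, so it belongs in the existing `locals` block (`service_account_issuer = "https://storage.googleapis.com/jennweir-homelab"`) next to `wif_pool` and is referenced as `issuer = local.service_account_issuer`. Nothing in this hunk creates the client secret that `client-secret.yaml` expects, which suggests it is minted by hand in the portal; an `azuread_application_password` resource would keep its lifetime and rotation under Terraform, and its value can be written to Secret Manager for external-secrets to pick up rather than into git. The `azuread_application` also relies on the provider default for `sign_in_audience` (single tenant), which is the right choice here and worth making explicit so it is not loosened later.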
@@ -0,0 +1,9 @@
+variable "homelab_project_id" {
+ description = "The GCP project ID for homelab management."
+ type = string
+}
+
+variable "azure_tenant_id" {
+ description = "The tenant ID for Azure Active Directory."
+ type = string
+}
diff --git a/terraform/okd/versions.tf b/terraform/okd/versions.tf
index 7b4e429..738141c 100644
--- a/terraform/okd/versions.tf
+++ b/terraform/okd/versions.tf
@@ -8,6 +8,10 @@ terraform {
 source = "hashicorp/google"
 version = "5.42.0"
 }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "3.8.0"
+ }
 }
 required_version = ">= 1.1.2"
 }
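Review bot: `azure_tenant_id` and `homelab_project_id` are declared without a `validation` block, so a mistyped tenant ID is only discovered when the `azuread` provider fails at apply time; a GUID check such as `condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.azure_tenant_id))` with a matching `error_message` catches it at plan time. The tenant ID is also the value the empty `issuerURL` segment in `overlays/okd/authentication.yaml` needs, so extending the description to say the two must agree would help whoever fills in the placeholders.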