The newAzureAdOidcIdentityProvider() GraphQL mutation field is used to set up a new Azure AD OIDC IDP. It's a root operation.

Similar to this mutation, you can use the newOIDCIdentityProvider() GraphQL mutation to set up a new generic OIDC identity provider, and updateOIDCIdentityProvider() to make changes to an existing one. Use the oidcIdentityProvider() query to get information on a provider.

For more information on OpenID Connect, see the Authenticate with OpenID Connect documentation page. For more on Azure, see the Service Fabric & LogScale reference page.

API Stability: Long-Term

Syntax

graphql
newAzureAdOidcIdentityProvider(
     name: string!,
     tenantId: string!,
     clientID: string!,
     clientSecret: string!,
     domains: [string]!,
     enableDebug: boolean,
     scopeClaim: string
   ): OidcIdentityProvider!

You'll have to provide the unique identifier of the client and tenant, the client secret, and the name of the identity provider. See the Given Datatype section for more.

For the returned values, you can get the authentication method used, some endpoints, and more. See the Returned Datatype section.

Example

Raw
graphql
mutation {
  newAzureAdOidcIdentityProvider( 
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false    
  ) 
  { id }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { newAzureAdOidcIdentityProvider( name: \"myAzure-IDP\", tenantId: \"123abc\", clientID: \"456efg\", clientSecret: \"MD39xf83M301\", domains: [\"humio\"], enableDebug: false ) { id } }"}'
Windows Cmd and curl
shell
rem Cmd expands environment variables as %VAR%, not $VAR, and does not
rem continue lines with ^ inside a quoted string, so the body is one argument.
rem Inside the double-quoted body, \" is a JSON quote and \\\" a quote inside
rem the GraphQL string (curl's argument parser turns \\\" into \").
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { newAzureAdOidcIdentityProvider( name: \\\"myAzure-IDP\\\", tenantId: \\\"123abc\\\", clientID: \\\"456efg\\\", clientSecret: \\\"MD39xf83M301\\\", domains: [\\\"humio\\\"], enableDebug: false ) { id } }\"}"
Windows Powershell and curl
powershell
# A single-quoted here-string keeps the \" escapes intact; piping it to
# curl.exe with -d @- avoids PowerShell's native-argument quoting rules.
# $TOKEN and $YOUR_LOGSCALE_URL are PowerShell variables set beforehand.
$body = @'
{"query" : "mutation { newAzureAdOidcIdentityProvider( name: \"myAzure-IDP\", tenantId: \"123abc\", clientID: \"456efg\", clientSecret: \"MD39xf83M301\", domains: [\"humio\"], enableDebug: false ) { id } }"}
'@

$body | curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d @- `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# Token and base URL are read from the environment; a single-quoted
# '$YOUR_LOGSCALE_URL' would be sent literally.
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

my $query = "mutation {
  newAzureAdOidcIdentityProvider(
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false
  )
  { id }
}";
$query =~ s/\n/ /g;

# encode_json escapes the quotes inside the query, giving a valid JSON body.
my $json = encode_json({ query => $query });
my $req  = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type"  => "application/json");
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);

print $result->content, "\n";
Python
python
#! /usr/local/bin/python3

import os
import requests

# Base URL and token are read from the environment rather than sent as the
# literal placeholder strings '$YOUR_LOGSCALE_URL' and '$TOKEN'.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = """mutation {
  newAzureAdOidcIdentityProvider(
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false
  )
  { id }
}"""

# json= serialises the body and escapes the quotes and newlines in the query.
resp = requests.post(url,
                     json={"query": query},
                     headers={
                         "Authorization": "Bearer " + token,
                         "Content-Type": "application/json"
                     })

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal may span several lines; a plain string literal cannot.
const query = `mutation {
  newAzureAdOidcIdentityProvider(
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false
  )
  { id }
}`;

const data = JSON.stringify({ query: query });

// YOUR_LOGSCALE_URL holds the host name only; the path is given separately.
const options = {
  hostname: process.env.YOUR_LOGSCALE_URL,
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "newAzureAdOidcIdentityProvider": {
      "id": "abc123"
    }
  }
}

Given Datatype

For the input, you'll have to give the unique identifier of the client and tenant, as well as the client secret, and the name of the identity provider. The table below lists all of the parameters that may be given:

Table: Input Using Standard Datatypes

| Parameter    | Type     | Required | Default | Description                          |
|--------------|----------|----------|---------|--------------------------------------|
| clientID     | string   | yes      |         | The client's unique identifier.      |
| clientSecret | string   | yes      |         | The client secret.                   |
| domains      | [string] | yes      |         | A list of domains.                   |
| enableDebug  | boolean  |          | false   | Whether to enable debugging.         |
| name         | string   | yes      |         | The name of the identity provider.   |
| scopeClaim   | string   |          |         | The scope claim.                     |
| tenantId     | string   | yes      |         | The unique identifier of the tenant. |
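The curl, Perl and Node examples above embed the client secret in the mutation text by hand, which is where the quoting mistakes in such requests usually come from. The following added example (not code from the LogScale documentation) builds the mutation from the parameters in the table, escaping every string argument as a GraphQL string literal, and then reads the result the way a GraphQL client must: a failed mutation still returns HTTP 200, with the failure reported in a top-level "errors" array. The function names, the environment variable names and the error-handling shape are this example's own assumptions; the endpoint path and the fields of the success response come from the page.

```python
import json
import os
import urllib.request


def build_mutation(name, tenant_id, client_id, client_secret, domains,
                   enable_debug=False, scope_claim=None):
    """Render the newAzureAdOidcIdentityProvider mutation as query text.

    GraphQL string literals use the same escape rules as JSON strings, so
    json.dumps() yields a correctly quoted literal even when a value (most
    often the client secret) contains quotes or backslashes.
    """
    args = [
        f"name: {json.dumps(name)}",
        f"tenantId: {json.dumps(tenant_id)}",
        f"clientID: {json.dumps(client_id)}",
        f"clientSecret: {json.dumps(client_secret)}",
        "domains: [" + ", ".join(json.dumps(d) for d in domains) + "]",
        f"enableDebug: {'true' if enable_debug else 'false'}",
    ]
    if scope_claim is not None:          # optional argument per the table
        args.append(f"scopeClaim: {json.dumps(scope_claim)}")
    return ("mutation { newAzureAdOidcIdentityProvider("
            + ", ".join(args) + ") { id } }")


def request_body(query):
    """The JSON document the /graphql endpoint expects."""
    return json.dumps({"query": query})


def extract_provider_id(response):
    """Return the new provider's id, or raise with the GraphQL errors.

    A GraphQL server answers HTTP 200 even when the mutation was rejected;
    the rejection is carried in the "errors" array and must be checked.
    """
    if response.get("errors"):
        messages = "; ".join(e.get("message", "?") for e in response["errors"])
        raise RuntimeError(f"newAzureAdOidcIdentityProvider failed: {messages}")
    return response["data"]["newAzureAdOidcIdentityProvider"]["id"]


def create_azure_oidc_provider(base_url, token, **kwargs):
    """POST the mutation to <base_url>/graphql and return the provider id."""
    body = request_body(build_mutation(**kwargs)).encode()
    req = urllib.request.Request(
        f"{base_url}/graphql", data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return extract_provider_id(json.load(resp))


if __name__ == "__main__":
    # The secret is taken from the environment instead of being typed into
    # the mutation text. Environment variable names are assumptions.
    provider_id = create_azure_oidc_provider(
        os.environ["YOUR_LOGSCALE_URL"], os.environ["TOKEN"],
        name="myAzure-IDP", tenant_id="123abc", client_id="456efg",
        client_secret=os.environ["AZURE_CLIENT_SECRET"], domains=["humio"])
    print(provider_id)
```

Because build_mutation() and extract_provider_id() do no I/O, both can be exercised against constructed inputs before a real token is involved; only create_azure_oidc_provider() touches the network.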

Returned Datatype

In the selection set you may ask for many fields of the OIDC identity provider, such as the authentication method used, the endpoints, and so on. Below is the list of fields, along with descriptions of them:

Table: OidcIdentityProvider

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.

Table last updated: Jun 26, 2025

| Parameter               | Type                     | Required | Default | Stability | Description |
|-------------------------|--------------------------|----------|---------|-----------|-------------|
| authenticationMethod    | AuthenticationMethodAuth | yes      |         | Long-Term | The authentication method used. See AuthenticationMethodAuth. |
| authorizationEndpoint   | string                   |          |         | Long-Term | A URL to the endpoint a user should be redirected to when authorizing. |
| clientId                | string                   | yes      |         | Long-Term | The unique identifier for the client. |
| clientSecret            | string                   | yes      |         | Long-Term | The password for the client. |
| debug                   | boolean                  | yes      |         | Long-Term | Whether debugging is enabled. |
| defaultIdp              | boolean                  | yes      |         | Long-Term | Whether the identity provider is the default. |
| domains                 | [string]                 | yes      |         | Long-Term | The domains authorized by the OIDC identity provider. |
| federatedIdp            | string                   |          |         | Long-Term | The Federated IdP. |
| groupsClaim             | string                   |          |         | Long-Term | The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups. |
| humioManaged            | boolean                  | yes      |         | Long-Term | Whether authentication is managed by LogScale. |
| id                      | string                   | yes      |         | Long-Term | The unique identifier for the OIDC identity provider. |
| issuer                  | string                   | yes      |         | Long-Term | The issuer of the OIDC authentication. |
| jwksEndpoint            | string                   |          |         | Long-Term | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required. |
| lazyCreateUsers         | boolean                  | yes      |         | Long-Term | Whether to wait to create users until necessary. |
| name                    | string                   | yes      |         | Long-Term | The name of the OIDC identity provider. |
| registrationEndpoint    | string                   |          |         | Long-Term | To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client. |
| scopeClaim              | string                   |          |         | Long-Term | The scope claim. |
| scopes                  | [string]                 | yes      |         | Long-Term | Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile). |
| tokenEndpoint           | string                   |          |         | Long-Term | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients. |
| tokenEndpointAuthMethod | string                   | yes      |         | Long-Term | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients. |
| userClaim               | string                   | yes      |         | Long-Term | The name of the claim to interpret as the username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames. |
| userInfoEndpoint        | string                   |          |         | Long-Term | A URL to the user info endpoint used to retrieve user information from an access token. |