OIDC configuration for Azure

Describe the problem/error/question

I’m trying to set up OIDC SSO on my self-hosted n8n instance (v2.15) using Microsoft Entra ID (Azure AD) and I can’t get it to work. I’ve followed the official N8N OIDC documentation but I keep hitting errors depending on the configuration.

What I’ve configured in Azure (App Registration):

  • Redirect URI: https://n8n.mycompany.com/rest/sso/oidc/callback
  • Exposed an API with Application ID URI: api://n8n.mycompany.com
  • Created a custom scope n8napi://n8n.mycompany.com/n8n
  • Authorized the app’s own Client ID as an authorized client application for that scope
  • API permissions: openid, email, profile, User.Read, n8n (api://n8n.mycompany.com/n8n)
  • Discovery endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration

What I’ve configured in n8n:

  • Settings → SSO → OIDC
  • Filled in: Discovery Endpoint, Client ID, Client Secret
  • User role provisioning: Instance Role

What I’ve already checked:

  • Redirect URI in Azure matches exactly (no trailing slash, correct casing)
  • Discovery Endpoint resolves correctly
  • Client ID and Client Secret are correctly copied
  • Server time is in sync

What is the error message?

Error — When “User role provisioning” is set to anything other than “Managed in n8n”:

AADSTS650053: The application 'n8n.mycompany.com SSO' asked for scope 'n8n'
that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'.
Contact the app vendor.

n8n seems to hardcode a bare n8n scope in the OIDC request. Azure interprets this as a Microsoft Graph scope, which doesn’t exist. There is no UI field or documented environment variable to override it with the full api://n8n.mycompany.com/n8n format that Azure requires.

My questions:

  1. Is there an environment variable to control which scopes n8n requests? (e.g. N8N_SSO_OIDC_SCOPE)
  2. Has anyone successfully set up OIDC with Microsoft Entra ID on a recent n8n version? What did your Azure config look like?
  3. Have I missed something?

Information on your n8n setup

  • n8n version: 2.15
  • Database (default: SQLite): PostgreSQL
  • n8n EXECUTIONS_PROCESS setting (default: own, main): main
  • Running n8n via (Docker, npm, n8n cloud, desktop app): kubeadm
  • Operating system: Ubuntu

Any help would be greatly appreciated. Thanks!

welcome to the n8n community @Lionel_Magan
For Microsoft Entra ID, I would set User role provisioning to Managed in n8n first and get basic OIDC login working before trying role provisioning, because n8n’s OIDC docs say that any provisioning mode other than Managed in n8n requires an additional OIDC scope literally named n8n plus the n8n_instance_role and n8n_projects claims in the ID token, and I couldn’t find a documented n8n setting to override that requested scope to a custom Azure api://…/n8n scope.
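To separate a basic-login failure from a provisioning-claims failure, the following added Python snippet (my own diagnostic, not code from n8n or from anyone in this thread) decodes an ID token's payload and reports whether the issuer and audience look right for the tenant and whether the n8n_instance_role and n8n_projects claims are present. The tenant ID, client ID and sample token are constructed placeholders; the decoder deliberately skips signature verification, so it is for inspecting tokens you obtained yourself, not for accepting them.

```python
import base64
import json
import time

# Constructed placeholder values (assumptions for this example, not from the thread)
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Claims n8n's OIDC docs require for provisioning modes other than "Managed in n8n"
PROVISIONING_CLAIMS = ("n8n_instance_role", "n8n_projects")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    # Diagnostic only: reads the payload WITHOUT verifying the signature
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(id_token: str, now=None) -> dict:
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    return {
        "issuer_ok": claims.get("iss") == EXPECTED_ISSUER,
        "audience_ok": aud_ok,
        "not_expired": claims.get("exp", 0) > now,
        "missing_provisioning_claims": [c for c in PROVISIONING_CLAIMS if c not in claims],
    }


def _fake_token(payload: dict) -> str:
    # Constructed, unsigned token for demonstration; real tokens carry a signature
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample: a valid-looking Entra ID token that lacks the n8n claims
SAMPLE_TOKEN = _fake_token({
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": 4102444800,
    "email": "user@example.com", "name": "Example User",
})

if __name__ == "__main__":
    print(json.dumps(check_id_token(SAMPLE_TOKEN), indent=2))
```

Paste a real ID token from your own browser session in place of SAMPLE_TOKEN: if issuer and audience pass but the provisioning claims are listed as missing, the login itself is fine and only the role-provisioning requirement is unmet.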

Hi @tamy.santos and @Benjamin_Behrens, thank you both for your time and help!

Since this seems to be an actual bug or a missing feature (the hardcoded n8n scope issue with Azure AD), I would like to officially report it to the team. Do you know what the standard procedure for this is?

Should I open an issue on GitHub, create a specific bug report here on the forum, or since I have a paid license, is there a dedicated support channel I should use to escalate this?

Thanks again!

I’d open an issue on GitHub: Issues · n8n-io/n8n

@Lionel_Magan since you have a paid license just email help@n8n.io directly, they prioritize licensed users over GitHub issues. Also check if your app registration has the id_token grant enabled under Authentication → Implicit and hybrid flows in Entra, OIDC won’t return claims properly without it.