Warning
🚧 Work in Progress: This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.
ADR-002: Authentication via Microsoft Entra ID
| Field | Value |
|---|---|
| Status | ✅ Accepted |
| Date | 2024 |
| Decision makers | CTO, Head of Infrastructure |
Context
Patria was already using Microsoft 365 as its corporate productivity platform. Authentication needed to be standardized across all internal systems, per-system local passwords eliminated, and access control centralized in one place.
Decision
Adopt Microsoft Entra ID (formerly Azure AD) as the single identity provider (IdP) for all internal systems, with single sign-on (SSO) via OpenID Connect (OIDC) on top of OAuth 2.0.
Rationale
- Entra ID was already available through the existing M365 licence, so there is no additional cost
- SSO improves the user experience and removes the spread of per-system passwords
- Entra ID security groups enable granular, auditable access control
- Native integration with GCP (via identity federation), Azure, and any OIDC-compatible system
Alternatives considered
| Alternative | Why it was not chosen |
|---|---|
| Okta | Additional licensing cost; overlaps with Entra ID already available |
| Auth0 | Additional cost; no advantage over Entra ID in an M365 environment |
| Local per-system management | Insecure, hard to audit, poor UX |
Consequences
- All new internal systems must integrate with Entra ID via OIDC
- Access is granted to Entra ID security groups, never to individual users
- App Registrations must be documented in azure.md