Azure supports private_key_jwt as a client authentication method in scenarios where Azure is the client authenticating to another identity provider, not as a general-purpose, UI-configurable option for validating arbitrary clients’ JWT assertions when Azure Entra ID is acting as the IdP in an interactive (UI) user flow.
From the available information:
- private_key_jwt is supported as a client authentication method for applications using certificate-based credentials, as described for the Microsoft identity platform. In this pattern, an application presents a JWT assertion signed with its certificate to Azure Entra ID in flows such as client credentials or on-behalf-of. This is an app-to-IdP pattern, not a configurable "bring your own JWKS URL" for arbitrary external clients in a UI flow.
- In other Azure scenarios where an external OpenID Connect provider is configured (for example, when Azure is the relying party to an external IdP), private_key_jwt is supported as a client authentication method from Azure to that external IdP, with the public key exposed via the external provider's jwks_uri. Again, this is Azure acting as the client, not as the IdP validating external clients' keys via a configurable JWKS URL.
Given the context, there is no documented mechanism where Azure Entra ID, acting as the IdP for an interactive web UI flow, allows configuration of a JWKS URL so that it can dynamically fetch and validate private_key_jwt assertions from arbitrary client organizations.
Therefore, for UI-based integrations where Azure Entra ID is the IdP and must authenticate clients at the token endpoint, the recommended and supported patterns are the standard Microsoft identity platform flows and credential types:
- Use the authorization code flow (with PKCE for public clients) for user sign-in and token acquisition.
- Use supported client authentication methods for confidential clients registered in Entra ID (for example, client secrets or certificate credentials) rather than attempting to have Entra ID validate a private_key_jwt based on an externally hosted JWKS URL.
Where private_key_jwt is required, the supported pattern is to use it in the direction documented: the application (or Azure as a client to another IdP) presents a JWT assertion signed with a certificate it owns, as described in the certificate credentials guidance and in the OpenID Connect client authentication specification.
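The following Go program is an added illustration of the direction described above, both the app-to-IdP assertion in the first bullet and the "IdP validates against registered credentials, not a caller-supplied JWKS URL" point. It is not Microsoft code and does not use MSAL; it builds a private_key_jwt client assertion the way the certificate-credentials guidance lays out the claims (aud = token endpoint, iss = sub = application ID, jti, nbf, exp, RS256 with an x5t header) and then verifies it the way a token endpoint would, by looking the key up among credentials registered for that client. The tenant and application IDs are placeholders, the x5t value is computed over the DER public key rather than a real certificate (an assumption made so the example needs no certificate), and the token request body is only assembled, never sent.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims the certificate-credentials guidance lists for a client assertion.
type AssertionClaims struct {
	Aud string `json:"aud"` // token endpoint the assertion is meant for
	Iss string `json:"iss"` // application (client) ID
	Sub string `json:"sub"` // same as iss
	Jti string `json:"jti"` // unique id, used once
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint stands in for x5t: SHA-1 over the DER public key instead of the
// registered certificate (assumption for this example; real clients hash the cert).
func Thumbprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha1.Sum(der)
	return b64url(sum[:])
}

// BuildClientAssertion is the client side: a short-lived RS256 JWT signed with the
// key the application owns. No JWKS URL is involved; the IdP holds the public half.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": Thumbprint(&key.PublicKey)})
	body, _ := json.Marshal(AssertionClaims{Aud: tokenEndpoint, Iss: clientID, Sub: clientID,
		Jti: b64url(jti), Nbf: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyClientAssertion is the IdP side for a registered app: the key comes from the
// credentials registered on the app object (registered map), never from a jwks_uri the
// caller names. seenJTI is the replay cache.
func VerifyClientAssertion(assertion string, registered map[string]*rsa.PublicKey, clientID, tokenEndpoint string, now time.Time, seenJTI map[string]bool) (*AssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, X5t string } // encoding/json matches "alg"/"x5t" case-insensitively
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // reject "none", HMAC algs, anything not registered for this app
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := registered[hdr.X5t]
	if !ok {
		return nil, errors.New("x5t matches no credential registered for this client")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c AssertionClaims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != tokenEndpoint:
		return nil, errors.New("aud is not this token endpoint")
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub do not match client_id")
	case now.Unix() < c.Nbf || now.Unix() >= c.Exp:
		return nil, errors.New("assertion outside nbf/exp window")
	case seenJTI[c.Jti]:
		return nil, errors.New("jti replayed")
	}
	seenJTI[c.Jti] = true
	return &c, nil
}

// TokenRequestForm is the client-credentials body an app POSTs to the token endpoint.
func TokenRequestForm(clientID, scope, assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_id", clientID)
	v.Set("scope", scope)
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	endpoint := "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token"
	a, _ := BuildClientAssertion(key, "APP-ID-PLACEHOLDER", endpoint, time.Now())
	fmt.Println(TokenRequestForm("APP-ID-PLACEHOLDER", "https://graph.microsoft.com/.default", a)[:72] + "...")
}
```

The verify function is the part worth reading against the question: the lookup keyed by x5t is a map of credentials already registered for the client, which is exactly the bit that cannot be swapped for an arbitrary organization's JWKS URL in the Entra ID UI flow; the alg check, audience check, nbf/exp window and jti cache are the checks any token endpoint applies before treating the assertion as client authentication.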
References:
- Microsoft identity platform application authentication certificate credentials
- Authentication flow support in the Microsoft Authentication Library (MSAL)
- Add OpenID Connect as an external identity provider
- Use Microsoft Entra MFA with an external MFA provider
- Manage an external multifactor authentication method in Microsoft Entra ID