diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index e809299..8213b4d 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -73,4 +73,28 @@
 authentik_oidc_apps: []
 authentik_blueprint_env: []
 # GRAFANA_OIDC_CLIENT_ID: "grafana"
-# GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"
\ No newline at end of file
+# GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"
+# ENTRA_TENANT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+# ENTRA_CLIENT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+# ENTRA_CLIENT_SECRET: "{{ vault_entra_client_secret }}"
+
+# Oauth sources
+authentik_entra_sources: []
+# - slug: entra-id
+# name: "Login with Entra"
+# tenant_mode: single # single | common
+# tenant_id_env: ENTRA_TENANT_ID
+# client_id_env: ENTRA_CLIENT_ID
+# client_secret_env: ENTRA_CLIENT_SECRET
+# scopes:
+# - openid
+# - profile
+# - email
+# # add only if you really need group sync on login:
+# # - https://graph.microsoft.com/GroupMember.Read.All
+
+# Show Entra on login screen:
+authentik_login_source_ids: []
+# - "source-entra-entra-id"
+authentik_identification_stage_name: default-authentication-identification
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 69fedb7..fa5caed 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
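Review bot: The example `- "source-entra-entra-id"` under `authentik_login_source_ids` only works because it equals the `id: source-entra-{{ item.slug }}` that the source template generates, and nothing in the defaults states that rule, so anyone adding a second source has to discover it from the template. I would document the coupling in place: `# - "source-entra-entra-id"   # must be "source-entra-<slug>" for an entry of authentik_entra_sources`. The `tenant_id_env` / `client_id_env` / `client_secret_env` keys likewise name variables that must exist in `authentik_blueprint_env`, which is only implied by the commented ENTRA_* lines above; a one-line comment `# *_env keys name entries of authentik_blueprint_env (read by the blueprint via !Env)` would make that explicit.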
@@ -62,6 +62,21 @@
 loop: "{{ authentik_proxy_outposts }}"
 register: outpost_bp
+- name: Render Entra source blueprints
+ ansible.builtin.template:
+ src: blueprints/blueprint-source-entra.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/20-source-entra-{{ item.slug }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_entra_sources }}"
+ register: entra_bp
+
+- name: Render login stage sources blueprint
+ ansible.builtin.template:
+ src: blueprints/blueprint-login-sources.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/21-login-sources.yaml"
+ mode: "0644"
+ register: login_bp
+
 - name: Create docker-compose file for authentik
 template:
 src: docker-compose.yml.j2
@@ -78,5 +93,7 @@
 (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
 or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
 or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0))
+ or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
+ or (login_bp is defined and login_bp.changed)
 ) | ternary('always','auto') }}
diff --git a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2
new file mode 100644
index 0000000..9a7b76d
--- /dev/null
+++ b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2
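Review bot: `Render login stage sources blueprint` runs unconditionally while the role default for `authentik_login_source_ids` is `[]`; with an empty list the template ends in `sources:` with no items, which YAML reads as null, so every host that uses this role (including ones that never configured Entra) now ships a blueprint that rewrites the identification stage's sources. Guard the task with `when: authentik_login_source_ids | length > 0` — the restart condition's `login_bp is defined and login_bp.changed` already copes with a skipped task — or make the template render an explicit `[]`; the same point applies to the `blueprint-login-sources.yaml.j2` hunk below. Separately, an entry removed from `authentik_entra_sources` leaves its rendered `20-source-entra-<slug>.yaml` in the blueprints directory, where it keeps being applied; a cleanup step, or at least a comment on the task saying stale files must be removed by hand, would avoid a source that cannot be retired from inventory.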
@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+ name: "login-sources"
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ blueprints.goauthentik.io/description: "Set sources on the identification stage"
+
+entries:
+ - model: authentik_stages_identification.identificationstage
+ identifiers:
+ name: "{{ authentik_identification_stage_name }}"
+ attrs:
+ # NOTE: this SETS the sources list (it doesn’t append).
+ sources:
+{% for src_id in authentik_login_source_ids %}
+ - !KeyOf {{ src_id }}
+{% endfor %}
diff --git a/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2
new file mode 100644
index 0000000..acab07b
--- /dev/null
+++ b/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2
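Review bot: `- !KeyOf {{ src_id }}` points at an `id` declared in a different blueprint file (`source-entra-<slug>` is only defined in `blueprint-source-entra.yaml.j2`); as far as I know the importer resolves `!KeyOf` only against the `entries` of the blueprint currently being applied, so the 20-/21- file ordering would not make this lookup succeed and the login-sources blueprint would fail on apply. If that holds, reference the source by a stored field instead, e.g. `- !Find [authentik_sources_oauth.oauthsource, [slug, {{ src_id }}]]`, and let `authentik_login_source_ids` carry slugs (renaming the variable accordingly). The substitution is also unquoted, so a value beginning with a YAML indicator would change the node's meaning; the example values are safe, but quoting the Find argument costs nothing.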
@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+ name: "source-entra-{{ item.slug }}"
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ blueprints.goauthentik.io/description: "Microsoft Entra ID OAuth source ({{ item.slug }})"
+
+entries:
+ - model: authentik_sources_oauth.oauthsource
+ id: source-entra-{{ item.slug }}
+ identifiers:
+ slug: {{ item.slug }}
+ attrs:
+ name: "{{ item.name | default('Microsoft Entra ID') }}"
+ slug: {{ item.slug }}
+
+ # Authentik’s OAuth sources support vendor-specific types.
+ # Entra guide calls it “Entra ID OAuth Source”.
+ provider_type: entraid
+
+ consumer_key: !Env {{ item.client_id_env }}
+ consumer_secret: !Env {{ item.client_secret_env }}
+
+ scopes:
+{% for s in (item.scopes | default(['openid','profile','email'])) %}
+ - {{ s }}
+{% endfor %}
+
+{% if (item.tenant_mode | default('single')) == 'single' %}
+ authorization_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/authorize", !Env {{ item.tenant_id_env }}]
+ access_token_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/token", !Env {{ item.tenant_id_env }}]
+ profile_url: "https://graph.microsoft.com/v1.0/me"
+ oidc_jwks_url: !Format ["https://login.microsoftonline.com/%s/discovery/v2.0/keys", !Env {{ item.tenant_id_env }}]
+{% else %}
+ authorization_url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+ access_token_url: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+ profile_url: "https://graph.microsoft.com/v1.0/me"
+ oidc_jwks_url: "https://login.microsoftonline.com/common/discovery/v2.0/keys"
+{% endif %}
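Review bot: The `{% else %}` branch (any `tenant_mode` other than `single`) points all four endpoints at the `common` authority, which serves every Entra tenant and personal Microsoft accounts, and nothing in this template narrows the accepted issuer or tenant afterwards; depending on the source's user-matching setting, that lets an account from an unrelated tenant be linked to an existing local user by e-mail. The defaults' example comment `tenant_mode: single # single | common` gives no hint of this. If multi-tenant sign-in is really wanted, say so next to the branch (`# common = any Entra tenant and personal accounts; restrict by policy/user matching before enabling`) and set the source's user-matching mode explicitly rather than relying on the default, assuming the installed version exposes that attribute. Separately, `slug: {{ item.slug }}` (both occurrences) and `- {{ s }}` are unquoted templated scalars while `name` is quoted; `slug: "{{ item.slug }}"` keeps a numeric or indicator-leading value from being retyped.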