diff --git a/.env.sample b/.env.sample
index ffe1c2c..d4e4b04 100644
--- a/.env.sample
+++ b/.env.sample
@@ -58,6 +58,17 @@ COMPOSE_FILE="compose.yml"
 #DIGITALOCEAN_ENABLED=1
 #SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
 
+## Azure, https://azure.com
+## To insert your Azure client secret:
+## abra app secret insert {myapp.example.coop} azure_secret v1 "<CLIENT_SECRET>"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.azure.yml"
+#AZURE_ENABLED=1
+#AZURE_TENANT_ID=
+#AZURE_CLIENT_ID=
+#AZURE_SUBSCRIPTION_ID=
+#AZURE_RESOURCE_GROUP=
+#SECRET_AZURE_SECRET_VERSION=v1
+
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
diff --git a/compose.azure.yml b/compose.azure.yml
new file mode 100644
index 0000000..4faf82c
--- /dev/null
+++ b/compose.azure.yml
@@ -0,0 +1,17 @@
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - AZURE_TENANT_ID
+      - AZURE_CLIENT_ID
+      - AZURE_SUBSCRIPTION_ID
+      - AZURE_RESOURCE_GROUP
+      - AZURE_CLIENT_SECRET_FILE=/run/secrets/azure_secret
+    secrets:
+      - azure_secret
+
+secrets:
+  azure_secret:
+    name: ${STACK_NAME}_azure_secret_${SECRET_AZURE_CLIENT_SECRET_VERSION}
+    external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index f4e6232..8da044b 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -11,4 +11,8 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
 {{ end }}
 
+{{ if eq (env "AZURE_ENABLED") "1" }}
+export AZURE_CLIENT_SECRET=$(cat "$AZURE_CLIENT_SECRET_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"