diff --git a/src/Model/Types/Auth.hs b/src/Model/Types/Auth.hs
index add176291..c1704c7bc 100644
--- a/src/Model/Types/Auth.hs
+++ b/src/Model/Types/Auth.hs
@@ -75,7 +75,7 @@ type UserEduPersonPrincipalName = Text
 -- | Used for uniquely storing ExternalUser entries per user and source
 data AuthSourceIdent
   = AuthSourceIdAzure
-    { authSourceIdAzureClientId :: UUID
+    { authSourceIdAzureClientId :: UUID -- FIXME: use tenant id instead
     }
   | AuthSourceIdLdap
     { authSourceIdLdapHost :: Text -- normally either just the hostname, or hostname and port
diff --git a/src/Settings.hs b/src/Settings.hs
index 9aa46f6b1..238d21791 100644
--- a/src/Settings.hs
+++ b/src/Settings.hs
@@ -155,6 +155,11 @@ data UserAuthConf =
   -- | UserAuthConfNoSource -- ^ allow no external sources at all -- TODO: either this, or make user-auth in settings.yml optional
   deriving (Show)
 
+mkAuthSourceIdent :: AuthSourceConf -> AuthSourceIdent
+mkAuthSourceIdent = \case
+  AuthSourceConfAzureAdV2 AzureConf{..} -> AuthSourceIdAzure azureConfClientId
+  AuthSourceConfLdap      LdapConf{..}  -> AuthSourceIdLdap  ldapConfSourceId
+
 data LmsConf = LmsConf
   { lmsUploadHeader       :: Bool
   , lmsUploadDelimiter    :: Maybe Char