Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v10.2.x] Auth: Improve groups claim setup docs for AzureAD #79227

Merged
merged 1 commit into from
Dec 7, 2023
Merged

[v10.2.x] Auth: Improve groups claim setup docs for AzureAD #79227

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
136 changes: 103 additions & 33 deletions ...rces/setup-grafana/configure-security/configure-authentication/azuread/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,24 +19,7 @@ weight: 800

# Configure Azure AD OAuth2 authentication

The Azure AD authentication allows you to use an Azure Active Directory tenant as an identity provider for Grafana. You can use Azure AD Application Roles to assign users and groups to Grafana roles from the Azure Portal. This topic has the following sections:

- [Configure Azure AD OAuth2 authentication](#configure-azure-ad-oauth2-authentication)
- [Create the Azure AD application](#create-the-azure-ad-application)
- [Assign server administrator privileges](#assign-server-administrator-privileges)
- [Enable Azure AD OAuth in Grafana](#enable-azure-ad-oauth-in-grafana)
- [Configure refresh token](#configure-refresh-token)
- [Configure allowed tenants](#configure-allowed-tenants)
- [Configure allowed groups](#configure-allowed-groups)
- [Configure allowed domains](#configure-allowed-domains)
- [PKCE](#pkce)
- [Configure automatic login](#configure-automatic-login)
- [Team Sync (Enterprise only)](#team-sync-enterprise-only)
- [Common troubleshooting](#common-troubleshooting)
- [Users with over 200 Group assignments](#users-with-over-200-group-assignments)
- [Force fetching groups from Microsoft graph API](#force-fetching-groups-from-microsoft-graph-api)
- [Map roles](#map-roles)
- [Skip organization role sync](#skip-organization-role-sync)
The Azure AD authentication allows you to use an Azure Active Directory tenant as an identity provider for Grafana. You can use Azure AD application roles to assign users and groups to Grafana roles from the Azure Portal.

## Create the Azure AD application

Expand Down Expand Up @@ -66,9 +49,50 @@ To enable the Azure AD OAuth2, register your application with Azure AD.

1. Click **Add** then copy the key value. This is the OAuth client secret.

1. Click **Manifest**, then define the required Application Role values for Grafana: Viewer, Editor, or Admin. If not defined, all users will have the Viewer role. Every role requires a unique ID which you can generate on Linux with `uuidgen`, and on Windows through Microsoft PowerShell with `New-Guid`.
1. Define the required application roles for Grafana [using the Azure Portal](#configure-application-roles-for-grafana-in-the-azure-portal) or [using the manifest file](#configure-application-roles-for-grafana-in-the-manifest-file).

1. Include the unique ID in the configuration file:
1. Go to **Azure Active Directory** and then to **Enterprise Applications**.

1. Search for your application and click it.

1. Click **Users and Groups**.
1. Click **Add user/group** to add a user or group to the Grafana roles.

#### Configure application roles for Grafana in the Azure Portal

This section describes setting up basic application roles for Grafana within the Azure Portal. For more information, see [Add app roles to your application and receive them in the token](https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps).

1. Go to **App Registrations**, search for your application, and click it.

1. Click **App roles** and then **Create app role**.

1. Define a role corresponding to each Grafana role: Viewer, Editor, and Admin.

1. Choose a **Display name** for the role. For example, "Grafana Editor".

1. Set the **Allowed member types** to **Users/Groups**.

1. Ensure that the **Value** field matches the Grafana role name. For example, "Editor".

1. Choose a **Description** for the role. For example, "Grafana Editor Users".

1. Click **Apply**.

#### Configure application roles for Grafana in the manifest file

If you prefer to configure the application roles for Grafana in the manifest file, complete the following steps:

1. Go to **App Registrations**, search for your application, and click it.

1. Click **Manifest** and then click **Edit**.

1. Add a Universally Unique Identifier to each role.

{{% admonition type="note" %}}
Every role requires a [Universally Unique Identifier](https://en.wikipedia.org/wiki/Universally_unique_identifier) which you can generate on Linux with `uuidgen`, and on Windows through Microsoft PowerShell with `New-Guid`.
{{% /admonition %}}

1. Replace each "SOME_UNIQUE_ID" with the generated ID in the manifest file:

```json
"appRoles": [
Expand Down Expand Up @@ -111,9 +135,7 @@ To enable the Azure AD OAuth2, register your application with Azure AD.
],
```

1. Go to **Azure Active Directory** and then to **Enterprise Applications**. Search for your application and click on it.

1. Click on **Users and Groups** and add Users/Groups to the Grafana roles by using **Add User**.
1. Click **Save**.

### Assign server administrator privileges

Expand Down Expand Up @@ -141,7 +163,7 @@ If the setting is set to `false`, the user is assigned the role of `Admin` of th

## Enable Azure AD OAuth in Grafana

1. Add the following to the [Grafana configuration file]({{< relref "../../../configure-grafana#configuration-file-location" >}}):
Add the following to the [Grafana configuration file]({{< relref "../../../configure-grafana#configuration-file-location" >}}):

```
[auth.azuread]
Expand Down Expand Up @@ -170,13 +192,17 @@ GF_AUTH_AZUREAD_CLIENT_ID
GF_AUTH_AZUREAD_CLIENT_SECRET
```

**Note:** Verify that the Grafana [root_url]({{< relref "../../../configure-grafana#root_url" >}}) is set in your Azure Application Redirect URLs.
{{% admonition type="note" %}}
Verify that the Grafana [root_url]({{< relref "../../../configure-grafana#root_url" >}}) is set in your Azure Application Redirect URLs.
{{% /admonition %}}

### Configure refresh token

> Available in Grafana v9.3 and later versions.

> **Note:** This feature is behind the `accessTokenExpirationCheck` feature toggle.
{{% admonition type="note" %}}
This feature is behind the `accessTokenExpirationCheck` feature toggle.
{{% /admonition %}}

When a user logs in using an OAuth provider, Grafana verifies that the access token has not expired. When an access token expires, Grafana uses the provided refresh token (if any exists) to obtain a new access token.

Expand All @@ -201,16 +227,44 @@ allowed_organizations = 8bab1c86-8fba-33e5-2089-1d1c80ec267d

### Configure allowed groups

To limit access to authenticated users who are members of one or more groups, set `allowed_groups`
to a comma- or space-separated list of group object IDs. You can find object IDs for a specific group on the Azure portal:
Azure AD groups can be used to limit user access to Grafana. For more information about managing groups in Azure AD, refer to [Manage Microsoft Entra groups and group membership](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups).

To limit access to authenticated users who are members of one or more AzureAD groups, set `allowed_groups`
to a **comma-** or **space-separated** list of group object IDs.

1. Go to **Azure Active Directory -> Groups**. If you want to only give access to members of the group `example` with an ID of `8bab1c86-8fba-33e5-2089-1d1c80ec267d`, then set the following:
1. To find object IDs for a specific group on the Azure portal, go to **Azure Active Directory > Groups**.

You can find the Object Id of a group by clicking on the group and then clicking on **Properties**. The object ID is listed under **Object ID**. If you want to only give access to members of the group `example` with an Object Id of `8bab1c86-8fba-33e5-2089-1d1c80ec267d`, then set the following:

```
allowed_groups = 8bab1c86-8fba-33e5-2089-1d1c80ec267d
allowed_groups = 8bab1c86-8fba-33e5-2089-1d1c80ec267d
```

1. Verify that [group attributes](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-the-azure-ad-application-registration-for-group-attributes) is enabled in your Azure AD Application Registration manifest file by navigating to **Azure Portal** > **Azure Active Directory** > **Application Registrations** > **Select Application** -> **Manifest**, and set the following:
1. You must enable adding the [group attribute](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims#configure-groups-optional-claims) to the tokens in your Azure AD App registration either [from the Azure Portal](#configure-group-membership-claims-on-the-azure-portal) or [from the manifest file](#configure-group-membership-claim-in-the-manifest-file).

#### Configure group membership claims on the Azure Portal

To ensure that the `groups` claim is included in the token, add the `groups` claim to the token configuration either through the Azure Portal UI or by editing the manifest file.

To configure group membership claims from the Azure Portal UI, complete the following steps:

1. Navigate to the **App Registrations** page and select your application.
1. Select **Token configuration**.
1. Click **Add groups claim** and select the relevant option for your use case (for example, **Security groups** and **Groups assigned to the application**).

For more information, see [Configure groups optional claims](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims#configure-groups-optional-claims).

{{% admonition type="note" %}}
If the user is a member of more than 200 groups, Azure AD does not emit the groups claim in the token and instead emits a group overage claim. To set up a group overage claim, see [Users with over 200 Group assignments](#users-with-over-200-group-assignments).
{{% /admonition %}}

#### Configure group membership claim in the manifest file

1. Go to **App Registrations**, search for your application, and click it.

1. Click **Manifest** and then click **Edit**.

1. Add the following to the root of the manifest file:

```
"groupMembershipClaims": "ApplicationGroup, SecurityGroup"
Expand Down Expand Up @@ -271,8 +325,24 @@ Azure AD does not emit the groups claim in the token and emits a group overage c
If Grafana receives a token with a group overage claim instead of a groups claim,
Grafana attempts to retrieve the user's group membership by calling the included endpoint.

> Note: The token must include the `GroupMember.Read.All` permission for group overage claim calls to succeed.
> Admin consent may be required for this permission.
{{% admonition type="note" %}}
The 'App registration' must include the `GroupMember.Read.All` API permission for group overage claim calls to succeed.

Admin consent might be required for this permission.
{{% /admonition %}}

#### Configure the required Graph API permissions

1. Navigate to **Azure Active Directory > App registrations** and select your application.
1. Select **API permissions** and then click on **Add a permission**.
1. Select **Microsoft Graph** from the list of APIs.
1. Select **Delegated permissions**.
1. Under the **GroupMember** section, select **GroupMember.Read.All**.
1. Click **Add permissions**.

{{% admonition type="note" %}}
Admin consent may be required for this permission.
{{% /admonition %}}

### Force fetching groups from Microsoft graph API

Expand Down