
User is missing the Overall/Read permission #190

Open
mvalenzisi opened this issue Feb 15, 2022 · 34 comments · Fixed by #250

@mvalenzisi

Jenkins and plugins versions report

Environment
OS: Linux - 4.15.0-1113-azure
---
ace-editor:1.1
analysis-model-api:10.9.1
ansible:1.1
ansicolor:1.0.1
ant:1.13
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.15.4
authentication-tokens:1.4
authorize-project:1.4.0
azure-ad:191.vfc8019068670
azure-cli:0.9
azure-credentials:198.vf9c2fdfde55c
azure-sdk:85.v4817a_b_8a_7124
basic-branch-build-strategies:1.3.2
blueocean:1.25.2
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.2
blueocean-commons:1.25.2
blueocean-config:1.25.2
blueocean-core-js:1.25.2
blueocean-dashboard:1.25.2
blueocean-display-url:2.4.1
blueocean-events:1.25.2
blueocean-git-pipeline:1.25.2
blueocean-github-pipeline:1.25.2
blueocean-i18n:1.25.2
blueocean-jira:1.25.2
blueocean-jwt:1.25.2
blueocean-personalization:1.25.2
blueocean-pipeline-api-impl:1.25.2
blueocean-pipeline-editor:1.25.2
blueocean-pipeline-scm-api:1.25.2
blueocean-rest:1.25.2
blueocean-rest-impl:1.25.2
blueocean-web:1.25.2
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-4
bouncycastle-api:2.25
branch-api:2.7.0
build-monitor-plugin:1.13+build.202201311821
build-user-vars-plugin:1.8
build-with-parameters:1.6
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
chromedriver:1.2
cloudbees-bitbucket-branch-source:751.vda_24678a_f781
cloudbees-credentials:3.3
cloudbees-folder:6.17
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.9.0
configuration-as-code:1346.ve8cfa_3473c94
copyartifact:1.46.2
credentials:1074.v60e6c29b_b_44b_
credentials-binding:1.27.1
data-tables-api:1.11.3-6
display-url-api:2.3.5
docker-commons:1.19
docker-workflow:1.28
durable-task:493.v195aefbb0ff2
echarts-api:5.2.2-2
embeddable-build-status:2.0.3
extended-choice-parameter:0.82
extended-read-permission:3.2
external-monitor-job:191.v363d0d1efdf8
favorite:2.3.3
font-awesome-api:5.15.4-5
forensics-api:1.7.0
gatling:1.3.0
git:4.10.3
git-client:3.11.0
git-parameter:0.9.15
git-server:1.10
github:1.34.1
github-api:1.301-378.v9807bd746da5
github-branch-source:2.11.4
github-pullrequest:0.4.0
google-oauth-plugin:1.0.6
gradle:1.38
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.29
http_request:1.14
ivy:2.1
jackson2-api:2.13.1-246.va8a9f3eaf46a
jacoco:3.3.1
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.2
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
jnr-posix-api:3.1.7-1
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.54
kubernetes:1.31.3
kubernetes-client-api:5.11.2-182.v0f1cf4c5904e
kubernetes-credentials:0.9.0
liquibase-runner:1.4.10
locale:1.4
lockable-resources:2.14
m2release:0.16.2
mailer:408.vd726a_1130320
matrix-auth:3.0.1
matrix-project:1.20
maven-plugin:3.16
metrics:4.0.2.8.1
momentjs:1.1.1
netsparker-cloud-scan:2.1.4
oauth-credentials:0.5
okhttp-api:4.9.3-105.vb96869f8ac3a
pam-auth:1.7
parameter-separator:1.3
parameterized-scheduler:1.0
parameterized-trigger:2.43
pipeline-build-step:2.15
pipeline-github-lib:36.v4c01db_ca_ed16
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:446.vf27b_0b_83500e
pipeline-milestone-step:100.v60a_03cd446e1
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-multibranch-defaults:2.1
pipeline-rest-api:2.21
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.21
pipeline-utility-steps:2.12.0
plain-credentials:1.8
plugin-util-api:2.13.0
popper-api:1.16.1-2
popper2-api:2.11.2-1
prism-api:1.25.0-2
pubsub-light:1.16
resource-disposer:0.17
role-strategy:3.2.0
run-condition:1.5
saml:2.1.1-275.va_5718591a_999
scm-api:595.vd5a_df5eb_0e39
script-security:1131.v8b_b_5eda_c328e
slack:602.v0da_f7458945d
snakeyaml-api:1.29.1
sonar:2.14
sse-gateway:1.25
ssh-agent:1.24.1
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:308.v852b473a2b8c
thinBackup:1.10
timestamper:1.17
token-macro:270.v8c2ce50dc4fc
trilead-api:1.0.13
variant:1.4
violation-comments-to-github:1.95
warnings-ng:9.11.0
windows-azure-storage:368.v7443dd3deffe
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:1136.v7f5f1759dc16
workflow-basic-steps:2.24
workflow-cps:2648.va9433432b33c
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1121.va_65b_d2701486
workflow-job:1145.v7f2433caa07f
workflow-multibranch:706.vd43c65dec013
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:813.vb_d7c3d2984a_0
ws-cleanup:0.40

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-1113-azure x86_64)

Reproduction steps

  1. Upgrade the Azure AD plugin to version 191.vfc8019068670
  2. Some users are missing the group membership.
    The affected users don't have any group associated in Jenkins, while in Azure AD the groups are assigned.

Expected Results

All users should have the proper AD groups in Jenkins.

Actual Results

Some users are missing the group membership.

Anything else?

Downgrade to version 189.v2da14dccdb43 fixed the issue.

@mvalenzisi mvalenzisi added the bug label Feb 15, 2022
@timja
Member

timja commented Feb 15, 2022

I can't see anything in 191 that would cause this.

Can you provide information to allow this to be reproduced from scratch?
JobDSL / configuration as code and Azure CLI scripts would be preferred.

@mvalenzisi
Author

The problem is that I also wouldn't know how to reproduce the problem from scratch.
The only thing that I know is that one user was missing the groups after the plugin upgrade.
I would assume that something within the user is causing the plugin to fail to retrieve the groups.

If you can tell me precisely what you need me to share, I would be happy to do so.

@timja
Member

timja commented Feb 15, 2022

I don't know unfortunately, these ones can be hard to figure out.

If I can't reproduce it, likely can't fix it

@mvalenzisi
Author

I don't see any particular change from version 189.v2da14dccdb43 that could cause the problem (189.v2da14dccdb43...191.vfc8019068670),
except for the matrix-auth plugin (jenkinsci/matrix-auth-plugin@matrix-auth-3.0...matrix-auth-3.0.1)

@timja
Member

timja commented Feb 15, 2022

Just annotation and icon changes there

@justcttseng

We also have this problem with Azure AD and Role-Based Strategy. It was OK with a principal name before updating. After updating, we have to use objectID to assign roles.

@KalleOlaviNiemitalo

@justcttseng, are you using the latest version 195.v8555a0bf0d22, which includes #197?

@justcttseng

@KalleOlaviNiemitalo yes now we are using the latest version 195.v8555a0bf0d22. We updated all plugins and jenkins this week. After updating, I didn't have Overall/Read permission. I had to disable the security policy and add my objectID to Global Roles.

@CptPlastic

This has broken us also. Something to do with the matrix authorization strategy.

@timja
Member

timja commented Apr 27, 2022

Please provide your config @CptPlastic

@CptPlastic

Please provide your config @CptPlastic

I noticed they changed this https://plugins.jenkins.io/matrix-auth/

Now when I look at users added from the azure ad / matrix I see USER:username or EITHER:username

However, when I add a user by email it's not showing the same icon or it won't save. We are not using graph-api and have that box checked to disable (login via azure works fine). I am going to try some more in the morning to fix this in hopes I don't have to redo everyone's permissions. If anyone has any ideas I'll give it a go and report back here if I find out how to make this upgrade work.

@jcalais

jcalais commented May 19, 2022

We are using "role-based authorization" for authorization, so this may not be applicable in this issue, but we are facing a similar issue: We can only grant access to Azure AD authenticated people if we use the object id (oid) when assigning permissions. I've been testing with admin permissions to make things easy and simple.

I've tried all iterations I can think of in the <assignedSIDs><sid></sid></assignedSIDs> block in config.xml, but nothing except the oid seems to work. I've also verified that the "preferred_username" claim is present in the id token from Azure AD.

Here are the sid formats I've tried:

ext.firstname.lastname@domain.com
ext.firstname.lastname
ext.firstname.lastname (ext.firstname.lastname@domain.com)
EXT Lastname Firstname (visible in the upper right corner when logged in).

I've also tried the verification tool (Test user principal name or object id) in "configure global security" and that one works well with ext.firstname.lastname@domain.com.

Plugin version: 218.v90f6a_980b_a_61 (https://plugins.jenkins.io/azure-ad)
We just started testing the Azure ad plugin some 30 days ago, so we have never seen it working with preferred username.

@mwebber

mwebber commented May 27, 2022

I can confirm what @justcttseng and @jcalais reported (oid required when using Role-based Authorization Strategy).

I have some more context, if it will help. We have been successfully using the Azure AD plugin for some time. With the latest Azure AD plugin version, it doesn't work.

Basic Configuration

  • On Manage Jenkins / Configure Global Security
    For Security Realm we use Azure Active Directory.
    For Authorization we use Role-Based Strategy
  • On Manage Jenkins / Manage and Assign Roles / Assign Roles
    User/group entries are just the email address.

We do not use Azure groups (azure-ad Disable graph integration option selected)

Important note on email address format

If I go to Dashboard / People and display the entry for an AAD user (i.e. not someone from a commit message), it looks like this:

Azure Active Directory User
Unique Principal Name: Xxxxxx.Yyyyyy@zzz.com
Email: Xxxxxx.Yyyyyy@zzz.com
Object ID: 11111111-2222-3333-4444-555555555555
Tenant ID: 11111111-2222-3333-4444-666666666666
Groups: []
Jenkins User ID: xxxxxx.yyyyyy@zzz.com

Notice that the email as provided by AAD has the name capitalized, but the Jenkins User ID has it as all lower case.

We found that when we add users to roles (Role-Based Strategy) at Manage Jenkins / Manage and Assign Roles / Assign Roles, it is important to identify the user correctly, with the correct capitalization from the AAD entry, not the Jenkins User ID.

Here are the various scenarios:

Plugin version set 1 (old Azure, old Role-based, old Matrix auth) - works

Azure AD azure-ad:185.v3b416408dcb1
Role-based Authorization Strategy role-strategy:3.2.0
Matrix Authorization Strategy matrix-auth:2.6.8

matrix-auth is there, because at this point, both azure-ad and role-strategy depend on it.

This is before the changes that were made to a number of plugins to extend the formats for permission assignments internally, to differentiate between users and groups.

Everything works.

Plugin version set 2 (old Azure, new Role-based, new Matrix auth) - works

azure-ad is not updated.
role-strategy is updated to remove the dependency on matrix-auth.
matrix-auth is updated to extend the formats for permission assignments internally, to differentiate between users and groups.

Azure AD azure-ad:185.v3b416408dcb1
Role-based Authorization Strategy role-strategy:484.v8a_a_e4b_d785fd
Matrix Authorization Strategy matrix-auth:3.1.2

Everything works, and I see no change in the web UI. Of course, although matrix-auth has been updated (and is required by azure-ad), we don't use matrix-auth.

Plugin version set 3 (new Azure, new Role-based, new Matrix auth) - fails

Prior to the update, I added an entry to Manage Jenkins / Manage and Assign Roles / Assign Roles so that in addition to the original Xxxxxx.Yyyyyy@zzz.com entry, there was also one for USER:Xxxxxx.Yyyyyy@zzz.com

azure-ad is updated to extend the formats for permission assignments internally

Azure AD azure-ad:218.v90f6a_980b_a_61
Role-based Authorization Strategy role-strategy:484.v8a_a_e4b_d785fd
Matrix Authorization Strategy matrix-auth:3.1.2

At this point, when I (an administrator) log in, I see Xxxxxx.Yyyyyy@zzz.com is missing the Overall/Read permission.
I need to revert azure-ad in order to be able to do anything.

Re-test using object id
I added an entry to Manage Jenkins / Manage and Assign Roles / Assign Roles so that in addition to the original Xxxxxx.Yyyyyy@zzz.com and USER:Xxxxxx.Yyyyyy@zzz.com entries, there was one for the same person 11111111-2222-3333-4444-555555555555 (the Azure AD object id).

Now when I updated azure-ad to the latest version azure-ad:218.v90f6a_980b_a_61, when I (an administrator) log in, everything works as expected.

Conclusions

I'm not sure whether this is an issue with this plugin (azure-ad) or the Role-Based Strategy plugin (role-strategy). Maybe both.
The problem is that listing users by email address is readable by a human; listing users by oid is not.

@jcalais

jcalais commented Jun 10, 2022

I finally had time to test what @mwebber wrote. I can confirm that we have been able to replicate his findings:

  1. First I downgraded azure-ad to version 195.v8555a0bf0d22. This didn't make any difference and only using oid I was able to authorize Azure AD users.
  2. I then downgraded to azure-ad version 185.v3b416408dcb1. This does work and is a usable alternative to us. I didn't test any of the intermediary versions between the two mentioned and I also know that the newest version (218.v90f6a_980b_a_61) does not work, just like previously reported.

All this was done using the role-based authentication model.

@timja
Member

timja commented Jun 15, 2022

User principal name is fixed with #249

Group name I'll take a look at later on but for now group IDs work which are safer as groups are not unique in Azure AD.

@mwebber

mwebber commented Jun 15, 2022

Thanks @timja, I've just upgraded to 233.v934e074916c7 (from 185.v3b416408dcb1) and everything seems to be working fine.

For reference, we are using Role-based Authorization Strategy role-strategy:488.v0634ce149b_8c, and I did not need to make any changes under Manage Jenkins / Manage and Assign Roles / Assign Roles

So the 'User/group' is just the user's AAD Principal Name (looks like their email); we did not need to add a prefix of USER:.
We don't use groups.

@timja
Member

timja commented Jun 15, 2022

everything seems to be working fine.

Yeah there's at least 2 issues in this so I've left it open for now for when I get a chance to do the other one

we did not need to add a prefix of USER:

Prefixes aren't supported yet in that plugin.

@sarg3nt

sarg3nt commented Jun 15, 2022

@timja
We have two problems:

  1. Not sure if this is related or not, but we've discovered that users added cannot use the API to call /build on any endpoint. The error is that the user is "missing the Job/Build permission". This is when I add the user with that permission, any permissions including full admin.
    When I add the user via an AD security group it works fine.
    We are adding the user with their UPN and ID
    So it looks like this
    "Bob Smith (33dab66e-7b4a-4d2d-b324-e95ba1adc0c1)" (fake user)
    Adding via JCasC but also does not work when I'm using the UI
    We are on Jenkins 2.332.3 jdk 11 and Azure AD plugin 218.v90f6a_980b_a_61
    I tried Azure Ad 233.v934e074916c7 but that both did not fix our problem and it broke our Service account (see below)

  2. We get the following error with the svc account, which is in Azure AD and worked fine with 218

svc_jenkins@ad.mycompany.com (c24ab20a-a2a3-43d8-b420-f1ffb8c1deac)
java.lang.IllegalArgumentException: A granted authority textual representation is required
at org.springframework.util.Assert.hasText(Assert.java:289) etc
Note: I changed the account and UID for security reasons.

@sarg3nt

sarg3nt commented Jun 15, 2022

@timja as a followup to my above comments. We created security groups for the users and added those. Didn't work at first but after fifteen minutes or so the user could use the API.
Under the People section in Jenkins some users are listed more than once. The one I was working with was listed 4 times, each with a variant on their username and id.
Two of the accounts had builds associated with them.
We've only ever used the Azure AD plugin for these Jenkins instances. No idea why users are showing up multiple times

@timja
Member

timja commented Jun 16, 2022

The users showing multiple times is likely a symptom of the git plugin helpfully creating accounts.
An older feature which isn't really useful these days from what I know.

@timja
Member

timja commented Jun 16, 2022

  1. It seems to work for me at least doing the check I normally do, which is whoAmI:
     curl -u adelev@timja2.onmicrosoft.com:**APITOKEN** http://localhost:6322/jenkins/whoAmI/api/json | jq

     Shows the correct authorities to me

  2. can you provide more details about the service account? anything that is different?

@timja
Member

timja commented Jun 16, 2022

Hey everyone

#250 will close this issue.

If you're still having problems afterwards can you create a new issue with clear steps to reproduce please and as much info about your users, e.g.:

  • are they guests or regular users?
  • which authorization strategy is in use?
  • are you having trouble with groups or directly added users?

@sarg3nt

sarg3nt commented Jun 21, 2022

curl -u adelev@timja2.onmicrosoft.com:APITOKEN http://localhost:6322/jenkins/whoAmI/api/json | jq

@timja
I'm testing this more on a test instance of Jenkins and am having the same issue.
When I run
curl -u dave_sargent@selinc.com:<redacted> https://test.build.ad.selinc.com/whoAmI/api/json | jq
I receive the same results whether I'm added as a user or via an AD group.
See the bottom of this post for what I get back.
However, when added as a user I cannot call /build on a job
curl -X POST -u "dave_sargent@selinc.com:<redacted>" "https://test.build.ad.selinc.com/job/local-test-job/build"
I get HTML back with error
<h1>Access Denied</h1><p class="error">Dave_Sargent@selinc.com is missing the Overall/Read permission
Which my user has.
We add permissions via JCasC with Terraform; that section of the template looks like this:

 %{ for user in usersBuild }
  - "USER:Job/Build:${user}"
  - "USER:Job/Cancel:${user}"
  - "USER:Job/Discover:${user}"
  - "USER:Job/Read:${user}"
  - "USER:Job/Workspace:${user}"
  - "USER:Overall/Read:${user}"
  - "USER:Run/Replay:${user}"
  - "USER:Run/Update:${user}"
  - "USER:View/Read:${user}"
  %{ endfor }

Here is the output from Whoami

{
  "_class": "hudson.security.WhoAmI",
  "anonymous": false,
  "authenticated": true,
  "authorities": [
    "92974602-8787-4e9a-bcec-33337754ad61",
    "92974602-8787-4e9a-bcec-33337754ad61",
    "806f0103-0040-4df3-83b8-0d220d31007e",
    "806f0103-0040-4df3-83b8-0d220d31007e",
    "2ab02403-9eea-4977-9ffc-6124b1ef15ef",
    "2ab02403-9eea-4977-9ffc-6124b1ef15ef",
    "23494504-da0c-4813-b31a-e72734034b76",
    "23494504-da0c-4813-b31a-e72734034b76",
    "37b92405-6b48-421b-8d57-ac552f7e0eea",
    "37b92405-6b48-421b-8d57-ac552f7e0eea",
    "840e1309-5faf-4837-aa2a-d6fe9a834a7e",
    "840e1309-5faf-4837-aa2a-d6fe9a834a7e",
    "186dcc0a-7d58-4f7b-8cdc-49998fa27e42",
    "186dcc0a-7d58-4f7b-8cdc-49998fa27e42",
    "a881b70b-97f1-4f27-a948-37f536b4a9e7",
    "a881b70b-97f1-4f27-a948-37f536b4a9e7",
    "8d9f9e0c-65f7-43a5-a8c5-c414df02766d",
    "8d9f9e0c-65f7-43a5-a8c5-c414df02766d",
    "9d0d8213-70eb-40f0-b7ee-3e0669703351",
    "9d0d8213-70eb-40f0-b7ee-3e0669703351",
    "fbdf0917-eca8-4500-b7a8-5dc6df3f483e",
    "fbdf0917-eca8-4500-b7a8-5dc6df3f483e",
    "20c1a41c-3440-42f4-a4eb-40ad81f706d2",
    "20c1a41c-3440-42f4-a4eb-40ad81f706d2",
    "8a582a20-81e8-476c-992a-5eb07f74f108",
    "8a582a20-81e8-476c-992a-5eb07f74f108",
    "3f296a20-1048-4c48-b359-3c199aa4025b",
    "3f296a20-1048-4c48-b359-3c199aa4025b",
    "d7e09720-1b30-44ed-b959-b36c097724fb",
    "d7e09720-1b30-44ed-b959-b36c097724fb",
    "b13ad323-a9d7-4916-a25f-9d1e89a02651",
    "b13ad323-a9d7-4916-a25f-9d1e89a02651",
    "a3a5033a-c978-4641-bf37-67d74f8147d7",
    "a3a5033a-c978-4641-bf37-67d74f8147d7",
    "eb430f3a-8bef-41e2-af77-b7719fc824c1",
    "eb430f3a-8bef-41e2-af77-b7719fc824c1",
    "05d81d43-fbc4-4a0b-afc4-4a5d43dc07a7",
    "05d81d43-fbc4-4a0b-afc4-4a5d43dc07a7",
    "bd38c443-be51-4904-b9d1-d2b867bac196",
    "bd38c443-be51-4904-b9d1-d2b867bac196",
    "98588044-78a8-4ec0-aeb2-df4399a4df00",
    "98588044-78a8-4ec0-aeb2-df4399a4df00",
    "82d56f45-8dde-42fd-b532-6a0676ef2718",
    "82d56f45-8dde-42fd-b532-6a0676ef2718",
    "2945d445-6e69-4bd4-9cf5-642dc3edaa93",
    "2945d445-6e69-4bd4-9cf5-642dc3edaa93",
    "c97f6e48-4ee2-4cef-8106-2cf7cb0262c4",
    "c97f6e48-4ee2-4cef-8106-2cf7cb0262c4",
    "a0479f49-1aa5-44a6-a269-2613d0ce7d5b",
    "a0479f49-1aa5-44a6-a269-2613d0ce7d5b",
    "09a7c24f-5adf-42a3-8a24-8469048d3fa7",
    "09a7c24f-5adf-42a3-8a24-8469048d3fa7",
    "ca498652-1021-4d8a-8932-5e04ceaf60a9",
    "ca498652-1021-4d8a-8932-5e04ceaf60a9",
    "76a2fa59-2b57-4647-8817-a1ff063514dd",
    "76a2fa59-2b57-4647-8817-a1ff063514dd",
    "a298805a-56e5-4891-92ad-650b4961ffa4",
    "a298805a-56e5-4891-92ad-650b4961ffa4",
    "54af135c-7be7-4af4-9e3d-e6ab6013dafd",
    "54af135c-7be7-4af4-9e3d-e6ab6013dafd",
    "0603805c-86a1-44b9-a641-dc255f4fd855",
    "0603805c-86a1-44b9-a641-dc255f4fd855",
    "0e38555e-8b58-47ca-a5c7-8a9c058e8bbf",
    "0e38555e-8b58-47ca-a5c7-8a9c058e8bbf",
    "4fb4a761-9f10-4344-a70e-cdbd1f8f12de",
    "4fb4a761-9f10-4344-a70e-cdbd1f8f12de",
    "c17fd06a-0c01-4782-a17e-1eff87e3859c",
    "c17fd06a-0c01-4782-a17e-1eff87e3859c",
    "81fc2b6c-4ac5-4aad-941e-29d2afc6b9f1",
    "81fc2b6c-4ac5-4aad-941e-29d2afc6b9f1",
    "6955ee6e-e41d-4d0e-94ed-03bcb3bb5a15",
    "6955ee6e-e41d-4d0e-94ed-03bcb3bb5a15",
    "ce1ad975-f0e3-4318-aee8-db91c60f2e02",
    "ce1ad975-f0e3-4318-aee8-db91c60f2e02",
    "fb237d78-eef7-413c-b5ec-3bec1c7e02b8",
    "fb237d78-eef7-413c-b5ec-3bec1c7e02b8",
    "db24447a-e8f3-4fbd-95ee-491e8d5ae5e8",
    "db24447a-e8f3-4fbd-95ee-491e8d5ae5e8",
    "8074407b-5499-4e3a-a67c-3a0f77347ef9",
    "8074407b-5499-4e3a-a67c-3a0f77347ef9",
    "a3e21e7c-b835-4ee5-96e1-5413b35e8ce5",
    "a3e21e7c-b835-4ee5-96e1-5413b35e8ce5",
    "534cde7e-fb24-480c-a0d4-9b5b954d1731",
    "534cde7e-fb24-480c-a0d4-9b5b954d1731",
    "701ce37e-b0f6-452a-ab17-d97dcf4bdbd9",
    "701ce37e-b0f6-452a-ab17-d97dcf4bdbd9",
    "ea12c581-4bb1-465a-ad22-8ff61dffa356",
    "ea12c581-4bb1-465a-ad22-8ff61dffa356",
    "66819185-4a9b-41ac-8e10-1f0d19fed672",
    "66819185-4a9b-41ac-8e10-1f0d19fed672",
    "d361a286-956c-4668-8ff3-baeb57f7537f",
    "d361a286-956c-4668-8ff3-baeb57f7537f",
    "d1d5388a-8c70-4db7-8a2b-c71671b6c3b9",
    "d1d5388a-8c70-4db7-8a2b-c71671b6c3b9",
    "1ea0c78c-8e85-4872-99c3-c4693276262b",
    "1ea0c78c-8e85-4872-99c3-c4693276262b",
    "f2a39c90-871d-4fc8-8b2e-dc227fc16968",
    "f2a39c90-871d-4fc8-8b2e-dc227fc16968",
    "2af2be92-1d10-43ee-bc35-d30382ad6099",
    "2af2be92-1d10-43ee-bc35-d30382ad6099",
    "37d4d892-c9cd-433b-a552-bb2693a25e1a",
    "37d4d892-c9cd-433b-a552-bb2693a25e1a",
    "4a893a93-6d17-4dfc-ab86-c56939bb46a1",
    "4a893a93-6d17-4dfc-ab86-c56939bb46a1",
    "b900cf93-3b18-4eea-980f-ba6421e54a32",
    "b900cf93-3b18-4eea-980f-ba6421e54a32",
    "95e2fb93-c2d5-4d11-945e-5429b0544b9a",
    "95e2fb93-c2d5-4d11-945e-5429b0544b9a",
    "1bcf0b96-c43d-4394-9fe5-c34e93630763",
    "1bcf0b96-c43d-4394-9fe5-c34e93630763",
    "ca36f396-38e3-4461-917d-802c3e54c6c9",
    "ca36f396-38e3-4461-917d-802c3e54c6c9",
    "3f3b5898-05ac-4a40-8778-e8c1158534f1",
    "3f3b5898-05ac-4a40-8778-e8c1158534f1",
    "f346919a-0070-4f78-93b1-8eee24e6b2da",
    "f346919a-0070-4f78-93b1-8eee24e6b2da",
    "631d249b-af7a-41da-b31d-ba75755436ac",
    "631d249b-af7a-41da-b31d-ba75755436ac",
    "9c64729b-eb77-4e69-af49-e200ae8d44c1",
    "9c64729b-eb77-4e69-af49-e200ae8d44c1",
    "a46f859f-eabc-4f8a-b14b-c0d08b898cdf",
    "a46f859f-eabc-4f8a-b14b-c0d08b898cdf",
    "5bc86ea0-ac40-4411-ba7c-90ab2a11e989",
    "5bc86ea0-ac40-4411-ba7c-90ab2a11e989",
    "744099a3-36cc-4ea4-b1e0-e4c4bfdee900",
    "744099a3-36cc-4ea4-b1e0-e4c4bfdee900",
    "d59d0fa8-6cb8-4627-a98d-860d1e90270b",
    "d59d0fa8-6cb8-4627-a98d-860d1e90270b",
    "dd5211a8-ebd5-4131-9254-956d1a94b67b",
    "dd5211a8-ebd5-4131-9254-956d1a94b67b",
    "852436a8-116b-4d3c-8cc0-39e71402c6fa",
    "852436a8-116b-4d3c-8cc0-39e71402c6fa",
    "0fde4da9-2a56-4f49-a745-c3c3c3cdba49",
    "0fde4da9-2a56-4f49-a745-c3c3c3cdba49",
    "38b0daaf-4f3f-4736-83b2-f10708d9a684",
    "38b0daaf-4f3f-4736-83b2-f10708d9a684",
    "53bf5eb4-e1d6-4550-8865-d8cdfda665d0",
    "53bf5eb4-e1d6-4550-8865-d8cdfda665d0",
    "ea4167b4-9603-46a3-abb4-83ffde333fb1",
    "ea4167b4-9603-46a3-abb4-83ffde333fb1",
    "af7ffbb6-9b2a-4c58-8d39-1130f23311fa",
    "af7ffbb6-9b2a-4c58-8d39-1130f23311fa",
    "74a59db7-f17d-4a9f-94ae-15221ca64704",
    "74a59db7-f17d-4a9f-94ae-15221ca64704",
    "d5dca9b8-f35c-4fca-bea6-85d09eaf28ec",
    "d5dca9b8-f35c-4fca-bea6-85d09eaf28ec",
    "534a54bb-4d8f-4118-97e2-d8b29cb08eb8",
    "534a54bb-4d8f-4118-97e2-d8b29cb08eb8",
    "6b6fedc0-41d1-4bf9-98e7-01e3c2bf00f8",
    "6b6fedc0-41d1-4bf9-98e7-01e3c2bf00f8",
    "bd0df9c2-cb60-4d97-893d-72c564465af7",
    "bd0df9c2-cb60-4d97-893d-72c564465af7",
    "3d5e3dc4-bc13-4c68-9f89-bda39f47b196",
    "3d5e3dc4-bc13-4c68-9f89-bda39f47b196",
    "09c04cc5-9bf4-432b-9fb5-6539ba468776",
    "09c04cc5-9bf4-432b-9fb5-6539ba468776",
    "d35fb1c5-532e-4dd7-8603-c696be00fe43",
    "d35fb1c5-532e-4dd7-8603-c696be00fe43",
    "feb9b2c7-393c-4e8f-99d9-fe298fef4bca",
    "feb9b2c7-393c-4e8f-99d9-fe298fef4bca",
    "74d658c8-e8d3-49c3-be70-120714732bfb",
    "74d658c8-e8d3-49c3-be70-120714732bfb",
    "dc03e9cd-c513-4308-8ae1-ce7fc8103615",
    "dc03e9cd-c513-4308-8ae1-ce7fc8103615",
    "a0cd4cce-5502-4c5a-83c0-cbb702422a1c",
    "a0cd4cce-5502-4c5a-83c0-cbb702422a1c",
    "598845d0-0745-4a5a-933b-eaba42e715e1",
    "598845d0-0745-4a5a-933b-eaba42e715e1",
    "eb95afdb-dc65-4ae5-98d2-61553f8aa3db",
    "eb95afdb-dc65-4ae5-98d2-61553f8aa3db",
    "664b37dc-1f5b-46a5-b9fe-612509e1b08b",
    "664b37dc-1f5b-46a5-b9fe-612509e1b08b",
    "31cd73e0-e996-4cc8-80bf-ee494efca97e",
    "31cd73e0-e996-4cc8-80bf-ee494efca97e",
    "7e123de7-22db-4634-8ae3-1d09a3702c2e",
    "7e123de7-22db-4634-8ae3-1d09a3702c2e",
    "d138f3e7-1604-4f7d-9334-d928c42b23d5",
    "d138f3e7-1604-4f7d-9334-d928c42b23d5",
    "1d2341e8-21cb-498a-bb9f-fa134c522b40",
    "1d2341e8-21cb-498a-bb9f-fa134c522b40",
    "327f7deb-a15f-4777-97d1-fe2cbb78a259",
    "327f7deb-a15f-4777-97d1-fe2cbb78a259",
    "d5d04bf2-ce5a-451c-abf2-b50a36657242",
    "d5d04bf2-ce5a-451c-abf2-b50a36657242",
    "de7e89f2-fb77-4f18-9244-730dd598df22",
    "de7e89f2-fb77-4f18-9244-730dd598df22",
    "f9363df6-b579-4ca5-a065-8be702ece5bb",
    "f9363df6-b579-4ca5-a065-8be702ece5bb",
    "f059b4f9-cdb3-4779-b2a3-323b2e72c6fa",
    "f059b4f9-cdb3-4779-b2a3-323b2e72c6fa",
    "82c1c0f9-aead-4ea5-9d0f-30d1c14946da",
    "82c1c0f9-aead-4ea5-9d0f-30d1c14946da",
    "36c51cfa-c3b1-4359-84c8-2b5d4b10d928",
    "36c51cfa-c3b1-4359-84c8-2b5d4b10d928",
    "259840fb-b439-4102-ae1b-5efe60989496",
    "259840fb-b439-4102-ae1b-5efe60989496",
    "26838bfc-6384-4c86-8299-3627807c57b0",
    "26838bfc-6384-4c86-8299-3627807c57b0",
    "2a804bff-17ed-4083-bc7b-f33d7fcc5aca",
    "2a804bff-17ed-4083-bc7b-f33d7fcc5aca",
    "7c0bc413-3afd-42e8-a9e2-35b150739ebd",
    "7c0bc413-3afd-42e8-a9e2-35b150739ebd",
    "77c6761e-1b30-48f9-bd87-4aac0a8c8f7e",
    "77c6761e-1b30-48f9-bd87-4aac0a8c8f7e",
    "ee1b1827-ba62-4725-beec-6f153055eae1",
    "ee1b1827-ba62-4725-beec-6f153055eae1",
    "6fb23f38-9e30-494d-831f-4ff1e7239bcf",
    "6fb23f38-9e30-494d-831f-4ff1e7239bcf",
    "25d98947-1fa3-4fc2-958d-7bfc705d3360",
    "25d98947-1fa3-4fc2-958d-7bfc705d3360",
    "bc40c351-593f-48cd-9328-afcfe6e33ea2",
    "bc40c351-593f-48cd-9328-afcfe6e33ea2",
    "68b0f761-dde8-41ff-b909-2f321e83a97b",
    "68b0f761-dde8-41ff-b909-2f321e83a97b",
    "1d84b468-0f18-44bd-b57f-24c98caa58de",
    "1d84b468-0f18-44bd-b57f-24c98caa58de",
    "64a1f596-ae4d-4b87-b30e-9ca276cb7ec1",
    "64a1f596-ae4d-4b87-b30e-9ca276cb7ec1",
    "d52f3597-be7e-464a-8f57-ad4dc2b1fcb6",
    "d52f3597-be7e-464a-8f57-ad4dc2b1fcb6",
    "3c83dea3-1cd3-4630-8cc1-400c8363c8e1",
    "3c83dea3-1cd3-4630-8cc1-400c8363c8e1",
    "746479a4-bacd-4923-9e02-8e8edacd3cc3",
    "746479a4-bacd-4923-9e02-8e8edacd3cc3",
    "660846a6-17d6-4556-a8a2-a81419726677",
    "660846a6-17d6-4556-a8a2-a81419726677",
    "0af4b1a6-cb91-4eda-bf37-e31579723519",
    "0af4b1a6-cb91-4eda-bf37-e31579723519",
    "7df70eac-1663-4f82-a620-5d9d5b7ba827",
    "7df70eac-1663-4f82-a620-5d9d5b7ba827",
    "4de87cbb-739e-478d-aa59-9a5baed2256c",
    "4de87cbb-739e-478d-aa59-9a5baed2256c",
    "86d13bc8-0877-4054-82a2-fe59304c5348",
    "86d13bc8-0877-4054-82a2-fe59304c5348",
    "c73768cb-cb5d-4853-9380-b81f5f0383e3",
    "c73768cb-cb5d-4853-9380-b81f5f0383e3",
    "238337d3-8c94-440b-a1f3-37f8e683020b",
    "238337d3-8c94-440b-a1f3-37f8e683020b",
    "463ae2d3-a7a5-4ed2-a7fe-ee8559ab384a",
    "463ae2d3-a7a5-4ed2-a7fe-ee8559ab384a",
    "3fc094db-b6d1-471a-90e3-cd920d67cfd5",
    "3fc094db-b6d1-471a-90e3-cd920d67cfd5",
    "fb347cdd-9a3b-4179-8692-da593e3835dd",
    "fb347cdd-9a3b-4179-8692-da593e3835dd",
    "7de30be9-35a0-4873-9de2-9b4ac5c2d6ea",
    "7de30be9-35a0-4873-9de2-9b4ac5c2d6ea",
    "084697ed-ce4b-4c6e-a1e4-9d3bb8bf34b9",
    "084697ed-ce4b-4c6e-a1e4-9d3bb8bf34b9",
    "2a76e3fd-24a4-420e-8d17-da075c83b409",
    "2a76e3fd-24a4-420e-8d17-da075c83b409",
    "authenticated",
    "45da2da9-da9a-4198-a68e-2ce327b4e0d9",
    "Dave_Sargent@selinc.com"
  ],
  "name": "Dave_Sargent@selinc.com"
}

When I move my user back to being added by a group, I can again build via the same POST url shown above.
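A check for the two mismatch patterns reported in this thread (mwebber's note that the AAD principal name is capitalized while the Jenkins User ID is lower-cased, and the whoAmI output just above, in which every authority GUID appears twice and the user's name is reported as Dave_Sargent@selinc.com). This is an added Python example, not code from the azure-ad, matrix-auth or role-strategy plugins: it parses a /whoAmI/api/json response and compares the sid in each permission entry against the authorities Jenkins reports for the logged-in user. The sample whoAmI JSON, GUIDs, addresses and permission entries are constructed; the TYPE:Permission:sid entry form follows the JCasC template quoted above; and the assumption that the authorization strategy compares the sid string exactly, case included, is taken from the reports in this thread rather than from plugin source.

```python
"""Compare Jenkins permission entries with the authorities whoAmI reports.

Added example, not part of the azure-ad / matrix-auth / role-strategy plugins.
Run it against real input with:
    curl -u user@tenant:APITOKEN https://jenkins.example/whoAmI/api/json > whoami.json
and pass the file contents plus your JCasC permission entries to audit().
"""
import json
from typing import Dict, List, Tuple

# Constructed sample, modelled on the shape of the /whoAmI/api/json output
# quoted in the thread. GUIDs and addresses are made-up placeholders.
SAMPLE_WHOAMI = json.dumps({
    "_class": "hudson.security.WhoAmI",
    "anonymous": False,
    "authenticated": True,
    "authorities": [
        "00000000-0000-4000-8000-000000000001",
        "00000000-0000-4000-8000-000000000001",   # duplicated, as in the thread
        "00000000-0000-4000-8000-0000000000aa",
        "authenticated",
        "Dave_Sargent@example.com",
    ],
    "name": "Dave_Sargent@example.com",
})

# Constructed permission entries in the matrix-auth "TYPE:Permission:sid" form
# used by the JCasC template in the thread. The first entry uses the
# lower-cased Jenkins User ID instead of the capitalized AAD principal name.
SAMPLE_ENTRIES = [
    "USER:Overall/Read:dave_sargent@example.com",
    "USER:Job/Build:Dave_Sargent@example.com",
    "GROUP:Overall/Read:00000000-0000-4000-8000-0000000000aa",
    "USER:Job/Read:someone.else@example.com",
]

PREFIXES = ("USER", "GROUP", "EITHER")


def parse_whoami(raw: str) -> Dict[str, object]:
    """Parse whoAmI JSON, refuse anonymous responses, dedupe authorities."""
    data = json.loads(raw)
    if not data.get("authenticated") or data.get("anonymous"):
        raise ValueError("whoAmI response is not for an authenticated user")
    unique: List[str] = []
    for authority in data.get("authorities", []):
        if authority not in unique:          # keep first occurrence, preserve order
            unique.append(authority)
    return {"name": data["name"], "authorities": unique}


def parse_entry(entry: str) -> Tuple[str, str, str]:
    """Split 'USER:Overall/Read:sid' into (type, permission, sid).

    A legacy entry without a type prefix ('Overall/Read:sid') is labelled
    EITHER, the form matrix-auth shows for un-prefixed entries per the thread.
    """
    parts = entry.split(":", 2)
    if len(parts) == 3 and parts[0] in PREFIXES:
        return parts[0], parts[1], parts[2]
    if len(parts) >= 2:
        permission, sid = entry.split(":", 1)
        return "EITHER", permission, sid
    raise ValueError(f"unrecognised permission entry: {entry!r}")


def classify(sid: str, authorities: List[str]) -> str:
    """'match' on exact string equality (assumed strategy behaviour),
    'case-mismatch' when only a case-insensitive comparison succeeds,
    'no-match' otherwise."""
    if sid in authorities:
        return "match"
    if sid.lower() in {a.lower() for a in authorities}:
        return "case-mismatch"
    return "no-match"


def audit(raw_whoami: str, entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, status) for every permission entry."""
    who = parse_whoami(raw_whoami)
    return [(e, classify(parse_entry(e)[2], who["authorities"])) for e in entries]


def effective_permissions(raw_whoami: str, entries: List[str]) -> List[str]:
    """Permissions the user actually receives: only exact-match entries count."""
    return sorted({parse_entry(e)[1]
                   for e, status in audit(raw_whoami, entries) if status == "match"})


if __name__ == "__main__":
    for entry, status in audit(SAMPLE_WHOAMI, SAMPLE_ENTRIES):
        print(f"{status:14} {entry}")
    print("effective:", effective_permissions(SAMPLE_WHOAMI, SAMPLE_ENTRIES))
```

On the constructed input the first entry is reported as a case-mismatch, so Overall/Read is granted only through the GROUP entry; removing that group entry would reproduce the "missing the Overall/Read permission" symptom from the thread while the USER entry still looks correct to a human reader. Entries with a no-match status are the ones to re-check against Dashboard / People, as mwebber describes.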

@sarg3nt

sarg3nt commented Jun 21, 2022

@timja
For the second problem, our service account. I'm not sure what else to tell you.
It looks like this in the grid manager

User type is "Member" in Azure AD
It's a service account so there's a bunch of fields not filled out. First name and Last name were empty, so we added values, still no luck.

When I try to call whoami I get
parse error: Invalid numeric literal at line 3, column 12
The full error is

curl -vvv -u "svc_jenkins@ad.selinc.com:<redacted>" https://test.build.ad.selinc.com/whoAmI/api/json | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.105.107.138:443...
* Connected to test.build.ad.selinc.com (10.105.107.138) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [5151 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.build.ad.selinc.com
*  start date: Dec  7 19:19:11 2021 GMT
*  expire date: Jan  8 19:19:11 2023 GMT
*  subjectAltName: host "test.build.ad.selinc.com" matched cert's "*.build.ad.selinc.com"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Server auth using Basic with user 'svc_jenkins@ad.selinc.com'
* Using Stream ID: 1 (easy handle 0x55872a2b9ac0)
} [5 bytes data]
> GET /whoAmI/api/json HTTP/2
> Host: test.build.ad.selinc.com
> authorization: Basic c3ZjX2plbmtpbnNAYWQuc2VsaW5jLmNvbToxMWY5NTYxMmNkY2RmYzQ0OGNmYTY1ZTdkMTliMDRkNzdk
> user-agent: curl/7.74.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 500
< date: Tue, 21 Jun 2022 18:22:20 GMT
< content-type: text/html;charset=utf-8
< content-length: 7295
< x-content-type-options: nosniff
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< cache-control: no-cache,no-store,must-revalidate
< x-hudson-theme: default
< referrer-policy: same-origin
< cross-origin-opener-policy: same-origin
< set-cookie: JSESSIONID.281f26b3=node01uhwaf47pv1lx1e6va9nbfhhdn582.node0; Path=/; Secure; HttpOnly
< x-hudson: 1.395
< x-jenkins: 2.332.3
< x-jenkins-session: 2209e849
< x-frame-options: sameorigin
< x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqX6RdYQVOcu3RtakgPd8VDHY3szj2+TT0u4JCbX1ScEdADvfPYx5mOGoX82MnwYois7xDWQJ+se/bkECTW+sJkL+q4dw11Sr7R7QMfL7xYt+ns/wXMtEewcZ6S5uCxNP7Knn5N+pfLcl4ksZJR9LpxjfYFebA3Tz8g2YIKy+nR/O3E5XHwtRH9x91E/nNYUW/ovp9w26xlcryKKsAikOMpMG+oipUeaFqgUQJnCgJsUJdzI+OuSkWXCJUZB0ERNLAVOzxI7j+ThiNPsWfvVfi7XGWo+oCdddk7o83+Mc1YHOwGgEkd3qnRLavoz9gJbR7dqmbW5ycg+sr4b+t8XkUQIDAQAB
< strict-transport-security: max-age=15724800; includeSubDomains
<
{ [3107 bytes data]
100  7295  100  7295    0     0  23parse error: Invalid numeric literal at line 3, column 12
532      0 --:--:-- --:--:-- --:--:-- 23532
* Connection #0 to host test.build.ad.selinc.com left intact

If there is something specific you want me to look at in AzureAD or any other logs, please let me know.

I'm also happy to hop on a call and do a screen share if that helps. I think it would speed things up quite a bit if you are up for it.

And the error in the logs for the whoami call

Jun 21, 2022 11:32:09 AM INFO com.azure.core.util.logging.ClientLogger performLogging
Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
Jun 21, 2022 11:32:10 AM WARNING hudson.init.impl.InstallUncaughtExceptionHandler handleException
Caught unhandled exception with ID 187e404b-eb4c-45d9-9668-706cd88e52dc
java.lang.IllegalArgumentException: A granted authority textual representation is required
	at org.springframework.util.Assert.hasText(Assert.java:289)
	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
	at com.microsoft.jenkins.azuread.AzureAdUser.setAuthorities(AzureAdUser.java:135)
	at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$null$5(AzureSecurityRealm.java:513)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2406)
	at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1908)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2404)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2387)
	at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
	at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
	at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$createSecurityComponents$6(AzureSecurityRealm.java:490)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at hudson.model.User.getUserDetailsForImpersonation2(User.java:407)
	at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate2(BasicHeaderApiTokenAuthenticator.java:36)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:83)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:829)

@timja timja reopened this Jun 21, 2022
@PrasannaShasthriDevOps

We are also facing the same issue with version 233

@timja
Member

timja commented Jul 15, 2022

I have possibly managed to reproduce this but only with a guest user account, I will look more later on

@sarg3nt

sarg3nt commented Jul 15, 2022

> I have possibly managed to reproduce this but only with a guest user account, I will look more later on

@timja I just noticed an error being thrown that may or may not be useful.

2022-07-15 15:57:28.693+0000 [id=76] WARNING o.j.p.m.AuthorizationContainer#add: Processing a permission assignment in the legacy format (without explicit TYPE prefix): hudson.model.View.Read:Tennessee - Chattanooga (SEL)

That error is for this group, as shown in JCasC output
"GROUP:Job/Read:Tennessee - Chattanooga (SEL) (87d13d41-b535-45ab-b48b-05706ba05e9a)"

When I add a user in the web interface they get displayed in the JCasC output like this
- "USER:Overall/Administer:dave_sargent-ca@selinc.com (12db2553-e2ea-46ab-b119-97614f3ff5a3)"

We've been adding users with their display name, i.e. like this
- "USER:Overall/Administer:Jared Powrie (0ef24f9d-a75b-2806-a51b-92132186877f)"
We did this because this is the output we saw being produced by v3.0 of the plugin early on. I've tried using the email address and it doesn't fix the issue with no access.

I've tried reading the code on GitHub
https://github.com/jenkinsci/matrix-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationContainer.java
But I'm not a Java dev and have no idea where shortForm is being created or what it should look like.

IMHO add isn't a great method name. I get that you should be able to rely on class.method for uniqueness, but if you don't have the code loaded in an IDE it's next to impossible to figure out what is calling it on GitHub. Clicking on the method name shows all uses of add, not just the add for the AuthorizationContainer class.

Anyway, hope that helps and thanks for looking into this, we really appreciate it.
We are going ahead with the upgrade rollout to all 40 or so Jenkins instances and telling users they need to add their service accounts to a group for the API to work.

@timja
Member

timja commented Jul 15, 2022

Anyone able to test #276 out?

I think it should help with this issue

@andrewlorien

I don't have a Java build environment here... but if you can send me an hpi I'd be happy to test this against issue 253. I suspect they are related.

@KalleOlaviNiemitalo

https://ci.jenkins.io/job/Plugins/job/azure-ad-plugin/job/PR-276/2/ has no hpi artifact available for download, because of 26 new CheckStyle errors:

23:09:29 [CheckStyle] -> WARNING - Total (any severity): 26 - Quality Gate: 1
23:09:29 [CheckStyle] -> Some quality gates have been missed: overall result is WARNING

23:09:36 ERROR: Static analysis quality gates not passed; halting early

@timja
Member

timja commented Jul 18, 2022

oops... I imported code from matrix-auth to make a patch and didn't check the codestyle.

Here's an HPI:
https://ci.jenkins.io/job/Plugins/job/azure-ad-plugin/job/PR-276/3/artifact/org/jenkins-ci/plugins/azure-ad/257.v2755920f89d0/azure-ad-257.v2755920f89d0.hpi

You may need to re-add the user with the people picker, the recommended ID format has changed slightly.

Old formats should still work but I need to do more testing on it before releasing the change

@sarg3nt

sarg3nt commented Jul 20, 2022

@timja the 257 hpi version seems to have fixed it for us.

@rgov

rgov commented Aug 17, 2022

The above links are dead but the latest HPI can be found at https://ci.jenkins.io/job/Plugins/job/azure-ad-plugin/job/PR-276/lastSuccessfulBuild/

However even with the latest HPI, I think I am still having the same issue as discussed in this thread, where I am enabling Project-based Matrix Authorization and adding myself as an admin with Overall/Administer privileges, but I get kicked out to an Access Denied page.

More info...

With the latest HPI installed, I get the error:

fb63abb9-62a9-4a9e-814b-c80f4429b7b7 is missing the Overall/Read permission

The GUI accepts my Azure e-mail address and adds a row to the table with my display name, suggesting that Azure integration is working OK. The config.xml says what it has always said:

  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:my@emailaddr.edu</permission>
  </authorizationStrategy>
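The thread shows three spellings of the same permission assignment: the explicit `TYPE:Group/Name:sid` form that JCasC emits (sarg3nt's comment above), the prefix-less legacy form that triggers the `AuthorizationContainer#add` warning, and the class-name form `USER:hudson.model.Hudson.Administer:my@emailaddr.edu` in rgov's config.xml. The parser below is an added example, not code from the azure-ad or matrix-auth plugins, for auditing such entries before rolling a config out. It assumes that the trailing `(uuid)` the people picker appends is the Azure AD object id and is optional, that a prefix-less entry is best rendered as `EITHER`, and that only the three permission classes seen in the thread need mapping to the short `Group/Name` form; the sample entries are constructed from the strings quoted in the thread. An empty sid is rejected up front, because the stack trace above shows `SimpleGrantedAuthority` refusing an empty authority string at request time.

```python
"""Audit matrix-auth permission assignment strings (JCasC output / config.xml).

Added example, not plugin code. Assumptions: the trailing "(uuid)" is an
Azure AD object id and is optional; prefix-less legacy entries map to EITHER;
only the permission classes listed in _CLASS_TO_GROUP are handled.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The sid may itself contain parentheses ("Tennessee - Chattanooga (SEL)"),
# so only a UUID inside the *final* parentheses is taken as the object id.
_OBJECT_ID_RE = re.compile(
    r"^(?P<name>.*?)\s*\((?P<id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\)$"
)

# Permission class -> group used by the short Group/Name form (assumed subset).
_CLASS_TO_GROUP = {
    "hudson.model.Hudson": "Overall",
    "hudson.model.Item": "Job",
    "hudson.model.View": "View",
}

_SID_TYPES = ("USER", "GROUP", "EITHER")


@dataclass(frozen=True)
class PermissionEntry:
    sid_type: Optional[str]   # "USER"/"GROUP"/"EITHER", or None for the legacy form
    permission: str           # normalised to Group/Name, e.g. "Overall/Administer"
    display: str              # e-mail or display name without the trailing object id
    object_id: Optional[str]  # object id from the trailing "(uuid)", if present
    legacy: bool              # True when the TYPE prefix was missing (the warning case)


def normalise_permission(perm: str) -> str:
    """Map hudson.model.Hudson.Administer to Overall/Administer; pass Group/Name through."""
    if "/" in perm:
        return perm
    cls, _, name = perm.rpartition(".")
    group = _CLASS_TO_GROUP.get(cls)
    if group is None or not name:
        raise ValueError(f"unknown permission id: {perm!r}")
    return f"{group}/{name}"


def parse_entry(entry: str) -> PermissionEntry:
    """Parse one assignment string; raises ValueError on malformed or empty sids."""
    head, sep, rest = entry.strip().partition(":")
    if not sep:
        raise ValueError(f"not a permission assignment: {entry!r}")
    if head in _SID_TYPES:
        sid_type, legacy = head, False
        perm, sep, sid = rest.partition(":")
        if not sep:
            raise ValueError(f"missing sid in {entry!r}")
    else:
        # Legacy format without an explicit TYPE prefix: head is the permission.
        sid_type, legacy = None, True
        perm, sid = head, rest
    sid = sid.strip()
    if not sid:
        # An empty sid would become an empty granted authority at login time.
        raise ValueError(f"empty sid in {entry!r}")
    m = _OBJECT_ID_RE.match(sid)
    if m:
        display, object_id = m.group("name"), m.group("id").lower()
    else:
        display, object_id = sid, None
    return PermissionEntry(sid_type, normalise_permission(perm), display, object_id, legacy)


def to_explicit(e: PermissionEntry) -> str:
    """Render an entry in the explicit TYPE:Group/Name:sid form (legacy -> EITHER, assumed)."""
    sid = f"{e.display} ({e.object_id})" if e.object_id else e.display
    return f"{e.sid_type or 'EITHER'}:{e.permission}:{sid}"


def legacy_entries(entries: Iterable[str]) -> List[str]:
    """Return the entries that would trigger the legacy-format warning."""
    return [s for s in entries if parse_entry(s).legacy]


# Constructed from the strings quoted in this thread.
SAMPLE_ENTRIES = [
    "GROUP:Job/Read:Tennessee - Chattanooga (SEL) (87d13d41-b535-45ab-b48b-05706ba05e9a)",
    "USER:Overall/Administer:dave_sargent-ca@selinc.com (12db2553-e2ea-46ab-b119-97614f3ff5a3)",
    "hudson.model.View.Read:Tennessee - Chattanooga (SEL)",
    "USER:hudson.model.Hudson.Administer:my@emailaddr.edu",
]

if __name__ == "__main__":
    for s in SAMPLE_ENTRIES:
        e = parse_entry(s)
        print(f"{'LEGACY ' if e.legacy else '       '}{to_explicit(e)}")
```

Running the block prints each entry in the explicit form and flags the one that still lacks a TYPE prefix; the `(SEL)` case shows why the object id must be taken from the last parenthesised group only.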

@sarg3nt

sarg3nt commented Mar 14, 2023

@timja any update on this?
