Skip to content

Commit c09d142

Browse files
authored
Merge pull request #1810 from brmdias/4.0.x
Update Azure SSO to use least-privilege permissions
2 parents dda2c6f + d47a69e commit c09d142

1 file changed

Lines changed: 13 additions & 7 deletions

File tree

docs/administration/security/sso/azure-sso.md

Lines changed: 13 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -40,14 +40,19 @@ Next, add the required permissions in Azure.
4040

4141
![](/assets/img/sso-azure-04-apiperm2.jpg)
4242

43+
**For group name mapping (optional):**
44+
45+
If you need to use group names (not group IDs) in ACL policies, add the following Application permission:
46+
4347
1. Select **"API permissions"** on the left
4448
2. Select **"+ Add a permission"**
4549
3. Select **"Microsoft Graph"** as the permission type
4650
4. Select **"Application permissions"**
47-
5. Enter **"Directory.Read.All"** in the search box
48-
6. Select **"Directory"** to expand it
49-
7. Select **"Directory.Read.All"** under Directory to enable the permission
50-
8. Select **"Add permission"** at the bottom
51+
5. Enter **"GroupMember.Read.All"** in the search box
52+
6. Select **"GroupMember.Read.All"** to enable the permission
53+
7. Select **"Add permission"** at the bottom
54+
55+
**Note:** Using group IDs instead of group names requires no additional Application permissions beyond the delegated permissions above.
5156

5257
### Azure - Create the Application Secret
5358

@@ -89,7 +94,8 @@ rundeck.security.oauth.azure.clientSecret=<SECRET_VALUE>
8994
rundeck.security.syncOauthUser=true
9095

9196
# Define the Azure scopes to map
92-
rundeck.security.oauth.azure.scope=openid email profile https://graph.microsoft.com/Directory.Read.All
97+
# Use GroupMember.Read.All only if group name mapping is required
98+
rundeck.security.oauth.azure.scope=openid email profile https://graph.microsoft.com/GroupMember.Read.All
9399

94100
# Map Azure user detail attributes
95101
rundeck.ssoSyncAttribNames.firstname=given_name
@@ -104,7 +110,7 @@ rundeck.ssoSyncAttribNames.email=preferred_username
104110

105111
### Important: First Login Approval
106112

107-
Upon first login to Rundeck using Azure SSO an Azure Admin level user will need to consent to the `Directory.Read.All` permission. Make sure to click the checkbox that asks to consent for the **whole organization**.
113+
If using the `GroupMember.Read.All` permission for group name mapping, an Azure Admin level user will need to consent upon first login to Rundeck using Azure SSO. Make sure to click the checkbox that asks to consent for the **whole organization**.
108114

109115
<img width="517" alt="image" src="https://github.com/rundeck/docs/assets/58412426/185bf972-577f-4e15-8367-d29fccaae578">
110116

@@ -115,7 +121,7 @@ By default, Azure does not send group information in the SSO token. You can conf
115121
![](/assets/img/sso-azure-08-token.png)
116122

117123

118-
**If you need to sync user groups by group name**, you need to enable the Rundeck plugin that uses the MS Graph API to get user/group information. Using this requires additional API permissions that were setup in the App Registration.
124+
**If you need to sync user groups by group name**, you need to enable the Rundeck plugin that uses the MS Graph API to get user/group information. Using this requires the `GroupMember.Read.All` Application permission configured in the App Registration above.
119125

120126
To enable this plugin, enable the *Enable Azure UserGroupSource Plugin* setting in the **System Configuration** page (config key `framework.plugin.UserGroupSource.AzureGroupSource.enabled`), or add the following to the `framework.properties` file:
121127

0 commit comments

Comments
 (0)