Grafana version used: 7.0.0
I am following https://grafana.com/docs/grafana/latest/auth/azuread/#create-the-azure-ad-application
I have added
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_groups = some group id
I have copied the correct id from the Active Directory groups, but each time I try logging in it says I am not part of the group…
Anything missing here…
Note that the manifest of the app has three different hex IDs which were randomly generated, and I am not using the allowed_domains option.
I also came across that problem and already tried the following:
- Set up everything according to Allowed Groups Docs but used a “SecurityGroup” instead of an “ApplicationGroup” because I could not find out how to create an “ApplicationGroup”. Then I added the user to that group. Login didn’t work…

- Set "groupMembershipClaims": "SecurityGroup" - this didn’t work either…
- Set "groupMembershipClaims": "All" - same result…
- Created a “Microsoft 365” group and added the user - manifest stayed "groupMembershipClaims": "All". Also failed…
I don’t know if this is relevant, but maybe this feature only works with AAD Premium

This message points to buying “Azure AD Premium P2” or “Enterprise Mobility + Security E5”
I ended up setting allowed_groups = (empty) again and not using this feature. Any pointers on how to make this work would be appreciated.
Environment
OS: Debian 10.5
Grafana: OSS 7.1.5 (9893b8c53d)
/etc/grafana/grafana.ini (AAD part)
[auth.azuread]
name = MyAADB2CAuth
enabled = true
allow_sign_up = true
client_id = [some client id]
client_secret = [some client secret]
scopes = openid email profile
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_domains =
allowed_groups =
;allowed_groups = [SecurityGroup object ID]
;allowed_groups = [Microsoft 365 object ID]
;allowed_groups = [Microsoft 365 object ID] [SecurityGroup object ID]
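A small diagnostic, added here and not taken from either post or from Grafana's code base, that decodes the claims of an Azure AD ID token and applies the same membership test that Grafana's allowed_groups setting makes against the token's groups claim. The group object IDs and the token are constructed placeholders; the overage branch is an assumption about how Azure AD replaces the groups claim when a user is in more groups than it will embed.

```python
import base64
import json

# Constructed placeholder: the space-separated value of allowed_groups in grafana.ini.
SAMPLE_ALLOWED_GROUPS = "11111111-aaaa-4bbb-8ccc-000000000001"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the claims of an ID token you already hold.
    The signature is NOT verified; this inspects a token, it does not authenticate it."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_allowed_groups(claims: dict, allowed_groups: str) -> str:
    """Mirror the allowed_groups decision: at least one group object ID from
    grafana.ini must appear in the token's 'groups' claim."""
    allowed = set(allowed_groups.split())
    if not allowed:
        return "ok: allowed_groups is empty, no group check performed"
    if "groups" not in claims:
        # Assumption about Azure AD: when the user has more groups than fit in the
        # token, 'groups' is dropped and '_claim_names'/'_claim_sources' point to
        # the Graph endpoint instead; Grafana then sees no groups claim at all.
        if "groups" in claims.get("_claim_names", {}):
            return "fail: groups overage, groups claim replaced by _claim_sources"
        return "fail: no groups claim (check groupMembershipClaims in the app manifest)"
    if allowed & set(claims["groups"]):
        return "ok: member of an allowed group"
    return "fail: token groups contain none of the allowed_groups object IDs"


def make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned token in JWT shape so the check can run offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    token = make_unsigned_token({"sub": "user", "groups": [SAMPLE_ALLOWED_GROUPS]})
    print(check_allowed_groups(id_token_claims(token), SAMPLE_ALLOWED_GROUPS))
```

Run it against the id_token from a real login to see which of the three failure modes applies before changing the manifest or grafana.ini again.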