Allowed_groups option doesn't work as expected in Azure AD

Grafana version used: 7.0.0

I am following https://grafana.com/docs/grafana/latest/auth/azuread/#create-the-azure-ad-application

I have added:

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_groups = some group id

I have copied the correct id from active directory groups, but each time I try logging in it would say I am not part of the group…

Anything missing here…

Note that the manifest of the app has three different hex IDs which were randomly generated, and I am not using the allowed_domains option.

I also came across that problem and already tried the following:

  1. Set up everything according to Allowed Groups Docs but used a “SecurityGroup” instead of an “ApplicationGroup” because I could not find out how to create an “ApplicationGroup”. Then I added the user to that group. Login didn’t work…
  2. Set "groupMembershipClaims": "SecurityGroup" - this didn’t work either…
  3. Set "groupMembershipClaims": "All" - same result…
  4. Created a “Microsoft 365” group and added the user - manifest stayed "groupMembershipClaims": "All". Also failed…

It don’t know if this is relevant but maybe this feature only works with AAD Premium
image
This message points to buying “Azure AD Premium P2” or “Enterprise Mobility + Security E5”

I ended up with setting allowed_groups = (empty) again and not using this feature. Any pointers on how to make this work would be appreciated.

Environment
OS: Debian 10.5
Grafana: OSS 7.1.5 (9893b8c53d)

/etc/grafana/grafana.ini (AAD part)

[auth.azuread]
name = MyAADB2CAuth
enabled = true
allow_sign_up = true
client_id = [some client id]
client_secret = [some client secret]
scopes = openid email profile
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_domains =
allowed_groups =
;allowed_groups = [SecurityGroup object ID]
;allowed_groups = [Microsoft 365 object ID]
;allowed_groups = [Microsoft 365 object ID] [SecurityGroup object ID]
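Both posts above end in the same place: allowed_groups is set, the user is in the group, and Grafana still says they are not. What neither post checks is what the ID token coming back from token_url actually contains, and that is what decides the outcome, because the provider compares the token's groups claim against allowed_groups. The script below is an added example, not Grafana code and not from either poster: it decodes the payload of an ID token and reports whether the groups claim is missing (manifest problem), replaced by an overage pointer (too many groups for Azure AD to embed), present but without any allowed ID, or present and matching. The group object IDs, the user name and the Graph endpoint in the sample tokens are constructed placeholders; the signature is deliberately not verified, since this is a read-only diagnostic for a token you already hold and must never be used as an authentication step.

```python
"""Diagnose why Grafana's [auth.azuread] allowed_groups rejects a user.

Added example, not Grafana code: it decodes the payload of an Azure AD ID
token and compares its `groups` claim with the space-separated
allowed_groups setting. The signature is deliberately NOT verified; this
is a read-only diagnostic for a token you already hold, not an auth check.
"""
import base64
import json

# Hypothetical value mirroring the grafana.ini `allowed_groups` line.
ALLOWED_GROUPS = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature), unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def parse_allowed_groups(setting: str) -> list:
    """allowed_groups is a space-separated list of group object IDs."""
    return setting.split()


def diagnose(token: str, allowed_groups_setting: str) -> tuple:
    """Return (verdict, reason). Verdicts: allow, no_claim, overage, deny."""
    claims = jwt_payload(token)
    allowed = parse_allowed_groups(allowed_groups_setting)
    if not allowed:
        return "allow", "allowed_groups is empty, so no group check applies"
    # Groups overage: Azure AD omits `groups` and points at Graph instead.
    if "groups" in claims.get("_claim_names", {}):
        return "overage", ("token carries no group list (groups overage); "
                           "a Grafana that only reads the ID token cannot see them")
    groups = claims.get("groups")
    if groups is None:
        return "no_claim", ("no `groups` claim in the ID token: the app manifest's "
                            "groupMembershipClaims is not emitting them")
    hits = sorted(set(groups) & set(allowed))  # exact string comparison
    if hits:
        return "allow", "user is in allowed group(s) " + ", ".join(hits)
    loose = {g.lower() for g in groups} & {a.lower() for a in allowed}
    if loose:
        return "deny", ("group IDs differ only in case: " + ", ".join(sorted(loose)) +
                        "; use the object ID exactly as the portal shows it")
    return "deny", ("groups claim present (%d groups) but none match allowed_groups"
                    % len(groups))


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline use only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(payload))


# Constructed claims; TENANT_ID / APPLICATION_ID are placeholders as in the thread.
_BASE = {
    "iss": "https://login.microsoftonline.com/TENANT_ID/v2.0",
    "aud": "APPLICATION_ID",
    "preferred_username": "user@example.com",
}
SAMPLE_TOKENS = {
    "no_claim": make_unsigned_token(_BASE),
    "member": make_unsigned_token({**_BASE, "groups": [ALLOWED_GROUPS]}),
    "other_group": make_unsigned_token({**_BASE, "groups": ["99999999-8888-7777-6666-555555555555"]}),
    "case_only": make_unsigned_token({**_BASE, "groups": [ALLOWED_GROUPS.upper()]}),
    "overage": make_unsigned_token({
        **_BASE,
        "_claim_names": {"groups": "src1"},
        # hypothetical Graph endpoint, as Azure AD emits in an overage token
        "_claim_sources": {"src1": {"endpoint":
            "https://graph.microsoft.com/v1.0/users/USER_ID/getMemberObjects"}},
    }),
}

if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        verdict, reason = diagnose(tok, ALLOWED_GROUPS)
        print("%-12s %-9s %s" % (name, verdict, reason))
```

Run it against a real ID token issued to your application and the verdict tells you which knob to turn: no_claim means the manifest is not emitting groups at all, so no value of allowed_groups can work; overage means the user belongs to more groups than Azure AD embeds in a token, so the list has to come from Graph rather than the token; deny with a case note means the ID was copied in the wrong case; a plain deny means the copied ID is not one the user is actually in.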