Azure AD login fails with nested groups

  • What Grafana version and what operating system are you using?
    10.1.5 on Ubuntu 22.04

  • What are you trying to achieve?
    I allow members of a group to log in to my Grafana using “auth.azuread”. This group contains other groups and they contain users.

  • How are you trying to achieve it?
    I add existing groupA and groupB into groupC and add groupC into my Enterprise Application’s “users and groups”.

  • What happened?
    I can add groupA and groupB into my Enterprise Application’s “users and groups” and I can log in as a user in groupA or groupB.
    But: if groupA and groupB are in groupC and groupC is in “users and groups” then it fails.

  • What did you expect to happen?
    I would expect users in subgroups of groupC to be able to log in.

  • Can you copy/paste the configuration(s) that you are having problems with?

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
auto_login = false
client_id = ...
client_secret = ...
scopes = openid email profile
auth_url = https://...
token_url = https://...
allowed_organizations = ...
allowed_domains = ...
allowed_groups =
role_attribute_strict = true
allow_assign_grafana_admin = true
skip_org_role_sync = false

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    In the UI: When I click “Login with Azure AD” I get this error: “Login failed
    IdP did not return a role attribute, please contact your administrator”.

    In the server logs:

    logger=authn.service t=2023-12-29T09:16:54.849569166+01:00 level=warn msg="Failed to authenticate request" client=auth.client.azuread error="[auth.oauth.userinfo.error] failed to get user info: [oauth.role_attribute_strict_violation] AzureAD OAuth: unset role"
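As an added illustration (example code written for this page, not from the post and not Grafana's own source), the following Python models the role decision behind the quoted error and parses the quoted log line. It assumes, following Grafana's Azure AD documentation, that the org role is taken from an Azure AD app role carried in the token's `roles` claim and that `role_attribute_strict = true` rejects a token without one; the tokens, group id, claim names and role mapping below are constructed for the example. The rejected case is a token that lists group memberships but carries no `roles` claim, which is what the "unset role" message says the IdP returned. Decoding the real ID token with `decode_jwt_payload` and looking at its `roles` claim is the quickest way to confirm whether the app-role assignment on groupC actually reaches users who are only members of groupA or groupB.

```python
"""Added example: models the check behind `role_attribute_strict = true`
and detects its failure in the Grafana server log.

Assumptions (from Grafana's Azure AD docs, not verified against source):
the org role comes from an Azure AD app role in the ID token's `roles`
claim; in strict mode a token without a usable role is rejected with
"AzureAD OAuth: unset role".  All tokens and the log line are constructed."""
import base64
import json
import re
from typing import Optional

# App-role value -> Grafana org role (assumed mapping for this example).
APP_ROLE_TO_GRAFANA = {
    "Admin": "Admin",
    "Editor": "Editor",
    "Viewer": "Viewer",
    "GrafanaAdmin": "GrafanaAdmin",
}

# Grafana's authn.service warning is logfmt: key=value or key="quoted value".
LOGFMT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's claims without verifying it (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_role(claims: dict, role_attribute_strict: bool) -> Optional[str]:
    """Return the Grafana role for the token; in strict mode raise if none."""
    for app_role in claims.get("roles") or []:
        if app_role in APP_ROLE_TO_GRAFANA:
            return APP_ROLE_TO_GRAFANA[app_role]
    if role_attribute_strict:
        raise PermissionError(
            "[oauth.role_attribute_strict_violation] AzureAD OAuth: unset role"
        )
    return None  # non-strict: Grafana falls back to the org's default role


def check_login(token: str, role_attribute_strict: bool) -> str:
    """Outcome string for one login attempt with the given strictness."""
    try:
        role = resolve_role(decode_jwt_payload(token), role_attribute_strict)
    except PermissionError as exc:
        return f"rejected: {exc}"
    return f"accepted as {role or 'default org role'}"


def parse_logfmt(line: str) -> dict:
    """Split a logfmt line into a key -> value dict (quotes removed)."""
    fields = {}
    for key, value in LOGFMT_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_strict_role_violation(line: str) -> bool:
    """True for the 'unset role' warning strict mode emits on Azure AD logins."""
    fields = parse_logfmt(line)
    return (
        fields.get("client") == "auth.client.azuread"
        and "oauth.role_attribute_strict_violation" in fields.get("error", "")
    )


# Constructed tokens: a directly assigned user carries an app role; a user
# reached only through a nested group carries group ids but no `roles` claim.
TOKEN_DIRECT = make_token({"preferred_username": "a@example.com", "roles": ["Viewer"]})
TOKEN_NESTED = make_token({"preferred_username": "b@example.com",
                           "groups": ["11111111-2222-3333-4444-555555555555"]})

# Constructed log line in the shape of the warning quoted in the post.
LOG_LINE = (
    'logger=authn.service t=2023-12-29T09:16:54.849569166+01:00 level=warn '
    'msg="Failed to authenticate request" client=auth.client.azuread '
    'error="[auth.oauth.userinfo.error] failed to get user info: '
    '[oauth.role_attribute_strict_violation] AzureAD OAuth: unset role"'
)

if __name__ == "__main__":
    print(check_login(TOKEN_DIRECT, role_attribute_strict=True))
    print(check_login(TOKEN_NESTED, role_attribute_strict=True))
    print(check_login(TOKEN_NESTED, role_attribute_strict=False))
    print("strict-role violation in log:", is_strict_role_violation(LOG_LINE))
```

Running it shows the directly assigned user accepted as Viewer, the nested-group user rejected with the exact message from the log when strict mode is on, and the same user accepted with the org's default role when it is off; `is_strict_role_violation` is the kind of filter you would point at the server log to count how many Azure AD logins are failing for this reason rather than for bad credentials.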