AzureAD OAuth: could not fetch user groups" code=302 body=

We are trying to configure Grafana using Entra ID SSO with the org_mapping feature, and we are trying to do it on the Azure Gov cloud.
This is the configuration we are using:

    [auth.azuread]
    force_use_graph_api = true
    skip_org_role_sync = true
    allow_sign_up = true
    auth_url = https://login.microsoftonline.us/<tenantid>/oauth2/v2.0/authorize
    auto_login = true
    enabled = true
    name = CP Azure AD
    scopes = openid email profile
    token_url = https://login.microsoftonline.us/<tenantid>/oauth2/v2.0/token
    allowed_groups = [ "<group-id1>", "<group-id2>", "<group-id3>"]
    org_mapping = ["<group-id1>:<org2>:Admin", "<group-id2>:<org3>:Admin", "<group-id3>:<org3>:Admin"]
    scopes = openid email profile Group.Read.All
    api_url = https://graph.microsoft.us

I've configured the groups in the Entra ID application and added "groupMembershipClaims": "SecurityGroup, ApplicationGroup" to the manifest.
But every time I try to connect with a user we get the error:

    AzureAD OAuth: could not fetch user groups" code=302 body=

and the user goes to the main organization as a Viewer.

I think the issue is that the Graph query goes to the wrong URL, https://graph.microsoft.com instead of .us, where it needs to go for the gov cloud.

Was anyone able to configure this on the gov cloud?
Thanks

Use debug logging and steps - don’t try to configure everything in one go, e.g. make sure that it works without groups, when that is OK add more complexity - e.g. that group

api_url = https://graph.microsoft.us also doesn't make sense to me - what should it return?

You have multiple scopes - why?

Thanks for the reply,
The authentication works, that is not the issue. I'm able to connect with the users, and if I use the normal user permissions in Azure, i.e. configuring the user with Admin or Editor and such, it all works fine. The only problem is when I try to use the groups.
I tried to configure api_url = https://graph.microsoft.us so that when it tries to query the groups it will go to the gov cloud and not the commercial cloud.

Why https://graph.microsoft.us? Why not some endpoint there? I'm not saying that /v1.0/me is what you need, this is just an example - https://graph.microsoft.us/v1.0/me

I guess https://graph.microsoft.us is redirecting with 302 response code somewhere. As I said use debug logging.

To enable debug logging, edit the configuration file grafana.ini:

    [log]
    # Either "console", "file", "syslog". Default is console and file
    # Use space to separate multiple modes, e.g. "console file"
    mode = console file

    # Either "debug", "info", "warn", "error", "critical", default is "info"
    level = debug

Then restart grafana for the setting to go into effect.

Looks like it is indeed going to the wrong place:

    logger=oauth.azuread t=2024-09-04T16:31:15.254607668Z level=debug msg="handcrafted endpoint to fetch the user data: https://graph.microsoft.com/v1.0//users//getMemberObjects"
    logger=oauth.azuread t=2024-09-04T16:31:15.480775037Z level=warn msg="AzureAD OAuth: could not fetch user groups" code=302 body=
    logger=oauth.azuread t=2024-09-04T16:31:15.480837119Z level=debug msg="AzureAD OAuth: extracted groups" email= groups=

Read and understand source code:

OK, so according to the code the endpoint is taken from the group claims, which I already added.

    if claims.ClaimNames.Groups != "" {
        endpoint = claims.ClaimSources[claims.ClaimNames.Groups].Endpoint
        s.log.Debug(fmt.Sprintf("endpoint to fetch groups specified in the claims: %s", endpoint))
    }

    oauth2AllowUrlPathMatching: false,
    createdDateTime: 2024-07-29T15:04:33Z,
    description: null,
    certification: null,
    disabledByMicrosoftStatus: null,
    groupMembershipClaims: SecurityGroup, ApplicationGroup,

But as you can see from the logs it does not pull the group claims and goes straight to the handcrafted URL.

No,

    // groupsGraphAPIURL retrieves the Microsoft Graph API URL to fetch user groups from the _claim_sources if present

Please format your code and log snippets properly for readability.
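The endpoint selection that the quoted Grafana lines and the groupsGraphAPIURL comment describe, as an added example that is not Grafana's own code: an endpoint taken from the token's _claim_sources overage claim wins, and only otherwise is a URL handcrafted from a Graph base. The fallback shape is assumed from the debug log in this thread, and the JWT payload is a constructed sample.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claimSource is one entry of the Entra ID "_claim_sources" overage claim;
// its endpoint is where the groups must be fetched from.
type claimSource struct {
	Endpoint string `json:"endpoint"`
}

type tokenClaims struct {
	ClaimNames   map[string]string      `json:"_claim_names"`
	ClaimSources map[string]claimSource `json:"_claim_sources"`
}

// payloadClaims decodes the payload segment of a JWT. Signature checking is
// out of scope here: Grafana has already validated the token at this point.
func payloadClaims(jwt string) (tokenClaims, error) {
	var c tokenClaims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(raw, &c)
	return c, err
}

// groupsEndpoint mirrors the selection quoted from Grafana's source: an
// endpoint found via _claim_sources wins. The fallback shape is assumed from
// the debug log above; a commercial-cloud base in a gov tenant gives the 302.
func groupsEndpoint(c tokenClaims, graphBase, userID string) string {
	if src, ok := c.ClaimNames["groups"]; ok {
		if s, ok := c.ClaimSources[src]; ok && s.Endpoint != "" {
			return s.Endpoint
		}
	}
	return strings.TrimRight(graphBase, "/") + "/v1.0/users/" + userID + "/getMemberObjects"
}

func main() { fmt.Println(groupsEndpoint(tokenClaims{}, "https://graph.microsoft.us", "<user-id>")) }
```

Decoding the ID token a gov-cloud user actually receives and checking whether _claim_names contains a groups entry tells you which of the two branches Grafana will take before touching the api_url setting.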