We are trying to configure Grafana using Entra ID SSO with the org_mapping feature, and we are trying to do it on Azure Gov cloud.
This is the configuration we are using:
I've configured the groups in the Entra ID application and added "groupMembershipClaims": "SecurityGroup, ApplicationGroup" to the manifest.
But every time I try to connect with a user we get the error:
"AzureAD OAuth: could not fetch user groups" code=302 body=
and the user goes to the main organization as a Viewer.
I think the issue is that the Graph query goes to the wrong URL, https://graph.microsoft.com instead of .us, where it needs to go for the gov cloud.
Was anyone able to configure this on the gov cloud?
thanks
Use debug logging and steps - don’t try to configure everything in one go, e.g. make sure that it works without groups, when that is OK add more complexity - e.g. that group
api_url = https://graph.microsoft.us also doesn't make sense to me - what should it return?
Thanks for the reply,
The authentication works; that is not the issue. I'm able to connect with the users, and if I use the normal user permissions in Azure, i.e. configuring the user with Admin or Editor and such, it all works fine. The only problem is when I try to use the groups.
I tried to configure api_url = https://graph.microsoft.us so that when it tries to query the groups it will go to the gov cloud and not the commercial cloud.
Why https://graph.microsoft.us? Why not some endpoint there? I'm not saying that /v1.0/me is what you need, this is just an example - https://graph.microsoft.us/v1.0/me
I guess https://graph.microsoft.us is redirecting with a 302 response code somewhere. As I said, use debug logging.
[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
mode = console file
# Either "debug", "info", "warn", "error", "critical", default is "info"
level = debug
Then restart Grafana for the setting to take effect.
Looks like it is indeed going to the wrong place:
logger=oauth.azuread t=2024-09-04T16:31:15.254607668Z level=debug msg="handcrafted endpoint to fetch the user data: https://graph.microsoft.com/v1.0//users//getMemberObjects"
logger=oauth.azuread t=2024-09-04T16:31:15.480775037Z level=warn msg="AzureAD OAuth: could not fetch user groups" code=302 body=
logger=oauth.azuread t=2024-09-04T16:31:15.480837119Z level=debug msg="AzureAD OAuth: extracted groups" email= groups=
OK, so according to the code the endpoint is taken from the group claims, which I already added.
if claims.ClaimNames.Groups != "" {
	// the token's _claim_sources entry names the URL to call for group membership
	endpoint = claims.ClaimSources[claims.ClaimNames.Groups].Endpoint
	s.log.Debug(fmt.Sprintf("endpoint to fetch groups specified in the claims: %s", endpoint))
}
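Added example, not Grafana's code and not from the thread: a small Go check that reads the claim-overage fields of a token payload (the middle, base64url segment of the JWT) the way the excerpt above does, and then verifies that the endpoint the token carries points at the Graph host of the intended cloud. The struct, the src1 source name and the URLs are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Claim-overage fields of an Entra ID token payload, as far as the Grafana excerpt above reads them (type constructed here).
type overageClaims struct {
	ClaimNames   map[string]string                                      `json:"_claim_names"`
	ClaimSources map[string]struct{ Endpoint string `json:"endpoint"` } `json:"_claim_sources"`
}

// groupsEndpoint decodes a base64url token payload and returns the group-membership URL it carries ("" if none).
func groupsEndpoint(payloadB64 string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(payloadB64, "="))
	var c overageClaims
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c.ClaimSources[c.ClaimNames["groups"]].Endpoint, err
}

// checkEndpoint fails unless the host is the Graph host for the target cloud and no path segment is empty (the "//" seen in the log).
func checkEndpoint(endpoint, expectedHost string) error {
	u, err := url.Parse(endpoint)
	switch {
	case err != nil:
		return err
	case !strings.EqualFold(u.Host, expectedHost):
		return fmt.Errorf("host %q is not %q", u.Host, expectedHost)
	case strings.Contains(u.Path, "//"):
		return fmt.Errorf("path %q has an empty segment", u.Path)
	}
	return nil
}

// samplePayload builds a constructed (not real) token payload whose groups claim source points at endpoint.
func samplePayload(endpoint string) string {
	j := fmt.Sprintf(`{"_claim_names":{"groups":"src1"},"_claim_sources":{"src1":{"endpoint":%q}}}`, endpoint)
	return base64.RawURLEncoding.EncodeToString([]byte(j))
}

func main() {
	ep, _ := groupsEndpoint(samplePayload("https://graph.microsoft.com/v1.0//users//getMemberObjects"))
	fmt.Println(ep, checkEndpoint(ep, "graph.microsoft.us"))
}
```

To inspect a real token, pass its payload segment to groupsEndpoint and compare against the Graph host your cloud uses; the api_url setting does not change what the token itself points at.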