Hello Community,
I have read some reports here about the same error I am receiving, but did not find a solution that works for me. Hopefully one of you can help.
I have configured in Azure the App for my Grafana instance to use OpenID Connect. The configuration of the Azure App is as follows:
Authentication => WEB
Certificates and Secrets => Secret has been created
Token configuration => email (token type: ID), family_name (token type: ID), given_name (token type: ID), groups (token type: ID)
API Permissions => via “own API” I have added the group for my app, “Grafana Org Admin”, which is also configured in allowed_groups. Under API Permissions I also have the Microsoft Graph permissions: email, openid, profile, user.read
App Roles: Grafana Org Admin, Grafana Viewer, Grafana Editor (I have added my user to all of these) and the group IDs are the same as in the manifest file:
manifest.txt
And this is my Grafana configuration:
# Grafana Azure AD / OpenID Connect provider settings, reproduced as posted.
name: Grafana OIDC Login
enabled: true
# allow_sign_up is false, so presumably only accounts that already exist in Grafana can log in — confirm this is intended.
allow_sign_up: false
client_id: "((GF_AUTH_AZUREAD_CLIENT_ID))"
client_secret: "((GF_AUTH_AZUREAD_CLIENT_SECRET))"
scopes: openid email profile
# "ID" in both endpoint URLs stands for the tenant id (redacted in the post); both point at the v2.0 endpoints.
auth_url: …login.microsoftonline.com/ID/oauth2/v2.0/authorize
token_url: …login.microsoftonline.com/ID/oauth2/v2.0/token
# NOTE(review): the trailing comma leaves an empty third entry in this list — confirm Grafana's parser ignores it rather than matching on "".
# NOTE(review): in the posted manifest these ids appear as app-role ids (the Role entry under requiredResourceAccess and the
# suffix of the "Grafana Viewer" appRole), not as security-group object ids. App roles are normally delivered in the
# `roles` claim, while allowed_groups is matched against the `groups` claim — verify which claim actually carries these values.
allowed_groups: 751f9983-973e-49c9-bab0-82296f261f46, 634287bc-ecec-4245-9085-47112c29ccef,
allowed_domains: company_domain
allow_assign_grafana_admin: false
# PKCE is disabled; enabling it is the usual hardening for the authorization-code flow.
use_pkce: false
auto_login: false
# With this off, group membership is presumably taken from the token itself rather than looked up via Microsoft Graph — confirm.
force_use_graph_api: false
# With strict role mapping, a login that yields no mappable role is rejected instead of falling back to a default — confirm against the installed Grafana version.
role_attribute_strict: true
And this is what I get when I access Grafana:
logger=context userId=0 orgId=0 uname= t=2023-09-12T07:57:08.236193222Z level=error msg=“login.OAuthLogin(get info from azuread)” error=“user not a member of one of the required groups”
logger=context userId=0 orgId=0 uname= t=2023-09-12T07:57:08.236831308Z level=error msg=“Request Completed” method=GET path=/login/azuread status=500 remote_addr=11.237.100.254 time_ms=312 duration=312.365498ms size=1366 referer=https://login.microsoftonline.com/ handler=/login/:name
logger=cleanup t=2023-09-12T08:02:02.977677253Z level=info msg=“Completed cleanup jobs” duration=20.807658ms
MANIFEST FILE OF THE AZURE APP:
{
"id": "13c2b65a-48a2-4413-97e9-4251af8abdf2",
"acceptMappedClaims": true,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "oopkmba0f-b01a-485f-abc7-09833378890",
"appRoles": [
{
"allowedMemberTypes": [
"User",
"Application"
],
"description": "Grafana org admin Users",
"displayName": "Grafana Org Admin",
"id": "005588837463-973e-49c9-bab0-89077652109663",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Admin"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Grafana read only Users",
"displayName": "Grafana Viewer",
"id": "nm78044-ecec-4245-9085-47112c29ccef",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Viewer"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Grafana Editor Users",
"displayName": "Grafana Editor",
"id": "7659f705-8a18-450e-a792-187b3dd41b71",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Editor"
}
],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2023-09-11T08:28:27Z",
"description": null,
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": "ApplicationGroup",
"identifierUris": [
"api://dd62ba0f-b01a-485f-abc7-3b1c77e6d211"
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": "https://aadcdn.msftauthimages.net/c1c6b6c8-ycx7a3djlnzlid7udaicyih8i3zhlsvubj48la5r5yc/appbranding/mjodpclawp8-fqzrz778vqpdqrtgmufalbbrubq5b1c/1033/bannerlogo?ts=638300190135136287",
"logoutUrl": null,
"name": "Grafana",
"notes": null,
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [
{
"adminConsentDescription": "lesen",
"adminConsentDisplayName": "lesen",
"id": "4df0b83d-d76a-4bb0-b93e-40f7f9239455",
"isEnabled": false,
"lang": null,
"origin": "Application",
"type": "User",
"userConsentDescription": null,
"userConsentDisplayName": null,
"value": "Files.Read-all"
},
{
"adminConsentDescription": "Admin Read ",
"adminConsentDisplayName": "Benutzerdateien lesen",
"id": "ee299f7c-3799-4f1c-a544-553151c7c6d6",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "Admin",
"userConsentDescription": null,
"userConsentDisplayName": null,
"value": "Files.Read"
}
],
"oauth2RequirePostResponse": false,
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "family_name",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"saml2Token": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
]
},
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2025-09-10T08:29:58.861Z",
"keyId": "5576949d-ae55-4070-a499-c5564ed432b4",
"startDate": "2023-09-11T08:29:58.861Z",
"value": null,
"createdOn": "2023-09-11T08:30:12.6739349Z",
"hint": "Zt4",
"displayName": "Grafana oauth"
}
],
"preAuthorizedApplications": [],
"publisherDomain": "company.onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "https://grafana-domain/login/azuread",
"type": "Web"
},
{
"url": "https://grafana-domain",
"type": "Web"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "dd62ba0f-b01a-485f-abc7-3b1c77e6d211",
"resourceAccess": [
{
"id": "751f9983-973e-49c9-bab0-82296f261f46",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "14dad69e-099b-42c9-810b-d002981feec1",
"type": "Scope"
},
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
},
{
"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADMyOrg",
"tags": [
"apiConsumer",
"webApp"
],
"tokenEncryptionKeyId": null
}