No app roles returned by Azure AD

mjiderhamn · December 9, 2020, 1:22pm

Having followed the instructions at https://grafana.com/docs/grafana/latest/auth/azuread/#enable-azure-ad-oauth-in-grafana it seems like the custom Enterprise application roles are not included in the token provided to Grafana, but always defaults to Viewer. The token looks like this:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "..."
}.{
  "aud": "...",
  "iss": "https://login.microsoftonline.com/.../v2.0",
  "iat": 1607519598,
  "nbf": 1607519598,
  "exp": 1607523498,
  "aio": "REDACTED",
  "groups": [
"REDACTED",
"REDACTED",
...
  ],
  "name": "REDACTED",
  "oid": "REDACTED",
  "preferred_username": "REDACTED",
  "rh": "REDACTED",
  "sub": "REDACTED",
  "tid": "REDACTED",
  "uti": "REDACTED",
  "ver": "2.0",
  "wids": [
"REDACTED",
"REDACTED"
  ]
}.[Signature]

Additionally I followed https://github.com/grafana/grafana/issues/23358#issuecomment-610919226 and the linked PR (#23465) with no difference.

Is there a scope missing in the Grafana config or something else to configure on the App registration?
How can I debug this???

jangaraj · December 9, 2020, 3:26pm

Azure OIDC client generates token, so Azure forum/support is the best audience for your question.

aparajitachatterjee · December 9, 2020, 3:38pm

Hello, are you are looking for enterprise application roles?

mjiderhamn · December 9, 2020, 3:40pm

Yes, as per https://grafana.com/docs/grafana/latest/auth/azuread/#enable-azure-ad-oauth-in-grafana

Topic		Replies	Views
Grafana Authentication/Authorization via OAUTH and AzureAD Configuration azure	4	2593	March 25, 2020
Azure AD RBAC doesn't work azure	4	1529	March 7, 2020
Azure Oauth gives Viewer role to whole organization. How can I restrict Authentication azure	0	396	May 25, 2021
Having difficulty using Azure AD as login Grafana azure	8	5323	April 9, 2018
Error with Grafana v8.1.1 with Azure AD OAuth2 Setup Authentication	4	3202	September 8, 2021

No app roles returned by Azure AD

Related topics