hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Advanced options for group_membership_claims in AD application #1081

Open vittoriocanilli opened 1 year ago

vittoriocanilli commented 1 year ago

Description

Currently the group_membership_claims of an Azure AD application can be set to either None, SecurityGroup, DirectoryRole, ApplicationGroup or All. I would like to be able to set the advanced options, as I need only groups with a certain prefix; I can do it on the Azure portal, as shown on this picture:

[screenshot: Screenshot 2023-04-25 at 10 21 16]

New or Affected Resource(s)

Potential Terraform Configuration

This is just a possible suggestion of how the setup could be made:

resource "azuread_application" "example" {
  display_name            = "example"
  group_membership_claims = ["All"]
  # Proposed (not yet existing) block for the portal's "Advanced options"
  group_membership_claims_advanced_opts {
    filter_groups {
      attribute_to_match = "display_name"
      match_with         = "prefix"
      string             = "some-prefix-"
    }
  }
}

References

drdamour commented 1 year ago

@vittoriocanilli FYI the filtering settings aren't associated with the application registry (azuread_application), they are associated with the service principal / enterprise application so they can be specific to each tenant.

vittoriocanilli commented 1 year ago

@drdamour thanks for pointing this out. So I guess that my Potential Terraform Configuration should be changed into:

resource "azuread_application" "example" {
  display_name            = "example"
  group_membership_claims = ["All"]
  ...
}

resource "azuread_service_principal" "example-sp" {
  application_id = azuread_application.example.application_id
  # Proposed (not yet existing) block for the portal's "Advanced options"
  group_membership_claims_advanced_opts {
    filter_groups {
      attribute_to_match = "display_name"
      match_with         = "prefix"
      string             = "some-prefix-"
    }
  }
  ...
}

For me it would still work perfectly. Unfortunately I could not find anything helpful for my issue in the documentation of azuread_service_principal (AzureAD 2.41.0).

drdamour commented 1 year ago

man...i dug into this a bit and got pretty stumped. It appears the portal refers to this as something called defaultClaimIssuancePolicy:

"defaultClaimIssuancePolicy": {
    "version": 1,
    "defaultTokenType": "JWT",
    "allowPassThruUsers": "true",
    "includeBasicClaimSet": "True",
    "claimsSchema": [],
    "claimsTransformations": [],
    "groupFilter": {
        "matchOn": "samAccountName",
        "type": "prefix",
        "value": "App "
    },
    "issuerWithApplicationId": false,
    "audienceOverride": null,
    "crossTenantRestrictions": true,
    "requireCustomSigningKey": true
},

which kinda sounds like a TokenIssuancePolicy https://learn.microsoft.com/en-us/graph/api/resources/tokenissuancepolicy?view=graph-rest-beta and kinda sounds like a ClaimsMappingPolicy; I think it's some older concept (it's referenced in ADFS docs) that has been superseded maybe?

I was able to get a policy created and applied with

resource "azuread_claims_mapping_policy" "limit_groups_to_prefix_of_app" {
  definition = [
    jsonencode(
      {
        TokenIssuancePolicy = {
          Version = 1,
          ClaimsSchema = []
          ClaimsTransformations = []
          GroupFilter = {
            MatchOn = "samAccountName"
            Type = "prefix"
            Value = "App "
          }
        }
      }
    ),
  ]
  display_name = "Limit Groups to Prefix of App"
}

resource "azuread_service_principal_claims_mapping_policy_assignment" "limit_groups_to_prefix_of_app" {
  claims_mapping_policy_id = azuread_claims_mapping_policy.limit_groups_to_prefix_of_app.id
  service_principal_id     = azuread_service_principal.vnd.id
}

and it worked...but it does NOT show in portal as expected, instead it says it was overridden by policy: [image]

haven't got as far as manually assigning a token issuance policy to the service principal yet cause gotta install beta MS Graph PowerShell to try, will try later tonight, but suspect it won't show up but will still work...in which case what this request may be is an azuread_token_issuance_policy resource and an azuread_service_principal_token_issuance_policy_assignment resource
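Putting the pieces of this thread together, here is a complete configuration added as an example (it is not the provider's own documentation or drdamour's code): the app registration emits security-group claims, and a claims mapping policy assigned to the service principal narrows them to groups whose name starts with a prefix, which keeps tokens small and avoids leaking unrelated group membership to the app. The resource names, the "App " prefix and the `~> 2.41` version pin are assumptions; the policy definition follows the shape drdamour reports as working, and the portal will show the setting as overridden by policy rather than under "Advanced options".

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.41" # provider version discussed in the thread (assumed pin)
    }
  }
}

locals {
  group_prefix = "App " # placeholder: only groups whose name starts with this are emitted
}

resource "azuread_application" "example" {
  display_name = "example" # placeholder name
  # Emit security-group membership in tokens; the policy below narrows it.
  group_membership_claims = ["SecurityGroup"]
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# The group filter is a per-tenant setting on the service principal, not on
# the app registration, so it is expressed as a claims mapping policy.
resource "azuread_claims_mapping_policy" "group_prefix" {
  display_name = "Limit group claims to prefix"
  definition = [
    jsonencode({
      TokenIssuancePolicy = {
        Version               = 1
        ClaimsSchema          = []
        ClaimsTransformations = []
        GroupFilter = {
          MatchOn = "samAccountName" # attribute used in the portal JSON above
          Type    = "prefix"
          Value   = local.group_prefix
        }
      }
    }),
  ]
}

# Bind the policy to this tenant's service principal for the app.
resource "azuread_service_principal_claims_mapping_policy_assignment" "group_prefix" {
  claims_mapping_policy_id = azuread_claims_mapping_policy.group_prefix.id
  service_principal_id     = azuread_service_principal.example.id
}
```

After `terraform apply`, decode a token issued to the app and confirm the `groups` claim contains only groups matching the prefix; that check, not the portal view, is what verifies the policy is in effect.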

drdamour commented 1 year ago

looking deeper it seems token issuance policies can only be assigned to applications, not service principals so that can't be the right thing...this stuff is pretty dense

valentinahermann commented 8 months ago

any updates on this topic? We are facing the same issue. Thx.

edauti-op commented 8 months ago

Hi @vittoriocanilli, did you find a solution/workaround so far? Thank you!

vittoriocanilli commented 5 months ago

Hi @edauti-op unfortunately I didn't find any solution/workaround: I still have to insert that prefix manually 😞