Closed PrasannaShasthriDevOps closed 2 years ago
You can remove the Azure Active Directory Graph permissions, they aren't needed any more.
What is the actual format of 'UserA' in the error? Is it their display name or their UPN (i.e. timja@my-email-domain.com)?
Can you please list the graph permissions that need to be removed? All the permissions listed in the screenshot?
No, it's not an email ID or UPN. It's "Firstname Lastname".
Remove
Hmm I'm working on something related in https://github.com/jenkinsci/azure-ad-plugin/issues/145, it may help you
Okay, thanks for the update. Looks like #145 is closed; should I try with the latest version?
Yes please
While I'm still trying to upgrade the Azure AD plugin in our test Jenkins environment, I have a question.
I think the "404 : Not Found" errors that I mentioned earlier may not be related to the actual issue we are facing, where some users who are part of a group that authorises all of its members to Jenkins are losing access intermittently. We had to manually add them to the Azure authorisation matrix to fix the issue temporarily.
This issue happened after we recently upgraded Jenkins Core and the Azure AD plugin:
Jenkins Core upgraded from 2.235.5.1 to 2.277.4.3
Azure AD plugin from 1.2.1 to 155.v745ce80af7ea
If those users go to
Yeah, we checked that earlier and they are part of the correct group. Still, they can't authorise to Jenkins. This is happening only for some users, and across Jenkins masters. An interesting thing to observe is that if userA can't access Jenkins master A, that user will still be able to access other Jenkins masters.
We have also observed that /whoAmI is listing both the objectID and the group name for a group.
Are you able to send a screenshot of the page, annotated with what's working and what's not? It's a bit hard to understand.
You can email it to timjacomb1 at gmail.com
I have installed the latest version of the plugin (v172) in our test environment, but the issue seems to persist for us. For some users, even though they are part of a common group which is added in the authorisation matrix, they are unable to access Jenkins.
We have had a similar issue since recent updates. Our users can log in, but lack the permissions assigned to the group.
Checking "/whoAmI", the specific group is not listed. I checked the group membership in AAD, and the odd thing is that the group that is not listed is of type "Microsoft 365", whereas all other groups are of type "Security". Is it that the plugin only respects groups of type "Security" and no other type anymore?
Ah right yes there was a recent change for that.
Security groups should be used here not Microsoft 365 groups.
Is there an option to change that behaviour? Because otherwise, we'd have to duplicate that group and manage it manually - that would be troublesome and error-prone!
Our group that has the issue is of type "Mail enabled security"; does that cause any issue?
(optional) To enable AzureAD group support: Click Manifest and modify the "groupMembershipClaims": "None" value to "groupMembershipClaims": "SecurityGroup" in the manifest.
I see this in the documentation and it is optional too. So we haven't changed anything in the manifest.
I'm reverting it for now.
Mail-Enabled security groups should work.
I don't think Microsoft 365 groups should be allowed, but given it worked before, an option could be made for it to work.
See group types here: https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide
Any thoughts?
I see this in the documentation and it is optional too. So we haven't changed anything in the manifest.
Hmm I think it will work without that since you're using the graph API here, but probably good to have it enabled anyway.
I assume, using only "Security groups" as authorities was implemented as part of https://github.com/jenkinsci/azure-ad-plugin/pull/140 (165.v36344b7d7ca7)
But we have faced the issues in Azure AD plugin version 152.v1609ed460604
Any thoughts?
Is it definitely 152? I would expect it to be https://github.com/jenkinsci/azure-ad-plugin/releases/tag/154.v12e17a5f9ea3
Which changed from the legacy ADAL to MSAL.
If that's the case then the above change probably won't help much. Now that there's more info I can probably have a go at checking this in detail.
To have it work now I would suggest using security groups instead.
My bad, it's 155.v745ce80af7ea, as I mentioned in my first comment along with other plugins and their versions.
I don't think Microsoft 365 groups should be allowed, but given it worked before, an option could be made for it to work.
That would be great.
I tested the issue by duplicating one of our groups and making it of type "Security" - that works, so it's definitely the group type causing the issue. But as mentioned earlier: having to duplicate and manage multiple groups manually is not a good solution.
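To see which of a user's groups are Security, mail-enabled security or Microsoft 365 groups (the distinction this thread turns on), the added example below, which is not code from the plugin or from anyone in the thread, classifies a Microsoft Graph memberOf response by its securityEnabled, mailEnabled and groupTypes attributes; the sample response and the set of honoured group types are constructed assumptions.

```python
import json

# Constructed sample of a Microsoft Graph /users/{id}/memberOf response
# (assumed shape; only the attributes that determine group type are kept).
SAMPLE_MEMBER_OF = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "groupA",
     "securityEnabled": True, "mailEnabled": False, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.group", "displayName": "mail-sec-group",
     "securityEnabled": True, "mailEnabled": True, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.group", "displayName": "team-site",
     "securityEnabled": False, "mailEnabled": True, "groupTypes": ["Unified"]},
    {"@odata.type": "#microsoft.graph.group", "displayName": "all-staff-dl",
     "securityEnabled": False, "mailEnabled": True, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
]})


def classify_group(group):
    """Map Graph group attributes to the group types in Microsoft's comparison doc."""
    if "Unified" in group.get("groupTypes", []):
        return "Microsoft 365"          # M365 groups carry the 'Unified' marker
    if group.get("securityEnabled"):
        return "Mail-enabled security" if group.get("mailEnabled") else "Security"
    if group.get("mailEnabled"):
        return "Distribution"
    return "Unknown"


def audit_memberships(member_of_json, honoured=("Security", "Mail-enabled security")):
    """Split a user's groups into those the authorisation layer would honour and
    those it would silently ignore. 'honoured' is an assumption: pass the set of
    group types the installed plugin version actually accepts."""
    granted, ignored = [], []
    for obj in json.loads(member_of_json)["value"]:
        if obj.get("@odata.type") != "#microsoft.graph.group":
            continue                    # directory roles are not groups
        kind = classify_group(obj)
        (granted if kind in honoured else ignored).append((obj["displayName"], kind))
    return granted, ignored


if __name__ == "__main__":
    granted, ignored = audit_memberships(SAMPLE_MEMBER_OF)
    print("would grant:", granted)
    print("would ignore:", ignored)
```

A group that appears under "would ignore" for the honoured set of your plugin version is the one to look for when /whoAmI does not list it.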
I think no new version has been released for PR #152.
When I checked this step and clicked on details:
continuous-integration/jenkins/incrementals Deployed to Incrementals.
I get this
{
"errors" : [ {
"status" : 404,
"message" : "{\"error\":\"Item incrementals:org/jenkins-ci/plugins/azure-ad/174.v4193ef6db383 does not exist\"}"
} ]
}
@Shasthri it was released 11 hours ago: https://github.com/jenkinsci/azure-ad-plugin/releases/tag/174.vc2d906355813
I've checked and the plugin is available.
I've tested with mail enabled security and 365 groups, before https://github.com/jenkinsci/azure-ad-plugin/pull/152 there was an issue, but after all seems to work fine.
I've created https://github.com/jenkinsci/azure-ad-plugin/pull/153 to allow picking the groups in the people picker, but that won't affect people who already have that configuration.
When will that be available for download here: https://plugins.jenkins.io/azure-ad/#releases? Are you able to view the latest version (v174) in the above link?
Why don't you just download it through Jenkins itself?
The plugin site is slower to update, but you can just update the url to the latest version if you want to download it yourself
Last published url is: https://updates.jenkins.io/download/plugins/azure-ad/173.v0a210fffb510/azure-ad.hpi
Just update the version number to the version you want.
Version 191.vfc8019068670 is already available from the Update Center within Jenkins, and from https://plugins.jenkins.io/azure-ad/#releases. Should this issue be closed?
We have a group groupA which provides access to Jenkins, and it's added in the "Azure Active Directory Matrix-based security" with enough permissions. But some users are losing permissions even though they are part of groupA and they successfully accessed Jenkins earlier. Users see the error below.
userA is missing the Overall/Read permission
We have also observed the warnings/errors below in the Jenkins system logs.
Version report
Jenkins and plugins versions report:
Reproduction steps
Unable to reproduce, as it happens randomly for some users. But once we add the user directly to the Azure authorisation matrix, the user is able to log in without any issues.
Results
Expected result:
A group "GroupA" is added to the Azure authorisation matrix. A user who is a member of this group should have access to Jenkins.
Actual result:
Some users are losing permission to Jenkins.
Azure AD permissions