Azure Ad User doesn't belong to any role in jenkins

[DW-gabriele]

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.1
OS: Linux - 5.4.89+
---
workflow-api:2.46
conditional-buildstep:1.4.1
workflow-cps:2.92
mailer:1.34
script-security:1.77
analysis-model-api:10.2.5
role-strategy:3.1.1
git-client:3.7.2
pipeline-build-step:2.13
workflow-basic-steps:2.23
echarts-api:5.1.2-2
momentjs:1.1.1
workflow-scm-step:2.13
bootstrap5-api:5.0.1-2
pipeline-stage-step:2.5
antisamy-markup-formatter:2.1
font-awesome-api:5.15.3-3
command-launcher:1.6
pipeline-github-lib:1.0
authentication-tokens:1.4
handlebars:3.0.8
caffeine-api:2.9.1-23.v51c4e2c879c8
popper2-api:2.5.4-2
trilead-api:1.0.13
ssh-credentials:1.19
google-login:1.6
pipeline-model-extensions:1.8.5
throttle-concurrents:2.3
display-url-api:2.3.5
azure-ad:175.v5513346d764a
build-timestamp:1.0.3
run-condition:1.5
structs:1.23
configuration-as-code:1.51
build-monitor-plugin:1.12+build.201809061734
azure-commons:1.1.3
branch-api:2.6.4
python:1.3
ace-editor:1.1
git:4.7.2
bouncycastle-api:2.20
pipeline-graph-analysis:1.11
token-macro:2.15
bootstrap4-api:4.6.0-3
workflow-job:2.41
warnings-ng:9.3.0
pollscm:1.3.1
credentials:2.5
resource-disposer:0.16
google-oauth-plugin:1.0.6
pipeline-model-api:1.8.5
windows-slaves:1.8
data-tables-api:1.10.25-1
google-container-registry-auth:0.3
cloudbees-folder:6.15
matrix-auth:2.6.7
popper-api:1.16.1-2
pipeline-input-step:2.12
rebuild:1.32
ws-cleanup:0.39
parameterized-trigger:2.41
jquery3-api:3.6.0-1
jdk-tool:1.5
scm-api:2.6.4
build-blocker-plugin:1.7.7
parameterized-scheduler:1.0
matrix-project:1.19
git-server:1.9
snakeyaml-api:1.29.1
workflow-aggregator:2.6
email-ext:2.83
workflow-durable-task-step:2.39
build-failure-analyzer:2.0.0
lockable-resources:2.11
workflow-multibranch:2.26
azure-sdk:23.v5682688d0eef
credentials-binding:1.26
pipeline-rest-api:2.19
authorize-project:1.4.0
sshd:3.0.3
workflow-cps-global-lib:2.21
jackson2-api:2.12.3
junit:1.50
workflow-support:3.8
oauth-credentials:0.4
p4:1.11.5
pipeline-stage-tags-metadata:1.8.5
maven-plugin:3.12
forensics-api:1.1.0
plugin-util-api:2.3.0
timestamper:1.13
checks-api:1.7.0
pipeline-model-definition:1.8.5
pipeline-stage-view:2.19
apache-httpcomponents-client-4-api:4.5.13-1.0
workflow-step-api:2.23
emailext-template:1.2
jsch:0.1.55.2
durable-task:1.37
Office-365-Connector:4.15.0
docker-commons:1.17
prqa-plugin:3.3.3
plain-credentials:1.7
pipeline-milestone-step:1.3.2
javadoc:1.6
python-wrapper:1.0.3

• What Operating System are you using (both controller, and any agents involved in the problem)?

Linux - 5.4.89+

Reproduction steps

• User Logs In with Azure AD account (this happened to only one of our users for now)

Results

Expected result:

The user could connect with the good privileges. When checking the profile in the "People Page" the user groups should look like:

Unique Principal Name: user1@mail.com
Email: user1@mail.com
Object ID: **object-id**
Tenant ID: **tenant-id**
Groups: []

Jenkins User ID: user1@mail.com
Groups:
**ID LISTS**
GR_DEVOPS
GR_JENKINS
GR_TECH

Actual result:

User has access with Authenticated Users rights, but not the groups it belongs to. When checking the profile in the "People Page" the user groups are empty:

Azure Active Directory User

Unique Principal Name: user2@mail.com
Email: user2@mail.com
Object ID: **object-id**
Tenant ID: **tenant-id**
Groups: []

Jenkins User ID: user2@mail.com
Groups:
**object-id**

[timja]

is this related to https://github.com/jenkinsci/azure-ad-plugin/issues/148?

are you using a Microsoft 365 group or a mail enabled security group?

[DW-gabriele]

It seems they are security groups, synced from our local AD. I updated to the latest version of the plugin as suggested in the other ticket, but it didn't seem to have solved the issue. I also tried to remove the user from the people view to see if it refreshed the correct groups at the next login, but it didn't seem to have worked

[DW-gabriele]

Ok, after further investigation it seems that the issue is only related to the AAD global administrators, could it actually be an issue with the rights of service account, or maybe the plugins exclude them for some reason?

[timja]

The plugin doesn't exclude them, and shouldn't be an issue. It works with my global admin account just fine