Improve documentation around how to set up Azure AD application

[peat-psuwit]

In README.md, it mentions the need to create an Azure AD application, and links to Azure's documentation for application registration in general. However,

• It doesn't mention that "Allow public client flows" has to be enabled [1].
• It doesn't mention that a consent has to be given to the application, either tenant-wide, or from user itself.
  • For tenant-wide admin consent, see [2].
  • For per-user consent, well... let's say that aad-auth isn't really designed to be used this way. However, if one isn't a tenant's administrator (as I'm not) and want to try this out, I can report that following this tutorial [3] (intended for a completely different purpose) does grant the necessary consent.
  • Off topic, but it would be nice if GDM could have the browser shown for the interactive authorization flow.
• The linked document [4] mentions "assign(ing) a role to the application". However, since we're essentially a client-facing application, it's not required. This makes debugging more confusing.

The first 2 points is partially addressed as an error message improvement in #193, but it would be nice if Ubuntu documents how to configure the Azure AD application correctly in the first place (either here or in a documentation somewhere).

[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris [2] https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal [3] https://s4erka.wordpress.com/2021/03/26/azure-ad-application-to-test-oauth2-0/ [4] https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

[kirkog86]

SSO flow during login is a must-have feature! This way the aad-auth will become an actual ZERO TRUST module. However, I doubt it'll happen as it requires GDM rewrite.

[jamesps-ebi]

I wasn't able to get this working until I tried the suggestion from @peat-psuwit

Some better documentation about the Azure AD application setup would be appreciated.

[jibel]

Thanks for reporting this issue with the documentation. I'm adding it to our backlog.

[vstokesjr]

I found this third-party blog to be very helpful for setting up Azure AD and Ubuntu 23.04:

• https://blog.nevinpjohn.in/posts/AAD-auth-Ubuntu-Desktop-23.04/

[turowicz]

What API Permissions should be granted to the AD Application so the login works?

[Sirawudh]

What API Permissions should be granted to the AD Application so the login works?

I struggled with this as well and got my answer from

2.) Also, you need to add delegated API permission 'User.Read' for MS Graph and grant admin consent.

https://github.com/ubuntu/aad-auth/issues/195#issuecomment-1520825120

[turowicz]

Having issues even though everything is configured correctly: https://github.com/ubuntu/aad-auth/issues/420