
Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it is loading forever and does not return any user #314

Open
Raviyadav409 opened this issue Sep 26, 2022 · 26 comments

Comments

@Raviyadav409

Raviyadav409 commented Sep 26, 2022

We are using the latest Jenkins application version, i.e. 2.361.1

Jenkins application version :- Jenkins 2.361.1
Helm Version : 4.2.0
Azure AD Plugin Version: 267.v5b_dfb_514d9fd
Operating system: Linux/windows
Helm Chart Version link :- https://artifacthub.io/packages/helm/jenkinsci/jenkins/4.2.0
Web Browser: Any
Cluster- GKE CLUSTER
GKE Cluster Version:- v1.21.14-gke.700

Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it is loading forever and does not return any user, even though we have already made the App registration and provided all permissions.

[screenshot: image-2022-09-21-16-19-03-567]

[screenshot: MicrosoftTeams-image]

@KalleOlaviNiemitalo

You can perhaps work around the problem by checking the "Disable graph integration" box in the Jenkins security settings. That way, Jenkins won't attempt to query all users and groups from Azure AD, and you have to paste the names and IDs as text instead. I do this to minimize the information leaks in case the Jenkins controller is somehow compromised.

@hawknewton

hawknewton commented Sep 26, 2022

Stumbled upon a workaround here, I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:

  1. Enable Azure AD authentication, make sure you can use the test functionality to lookup your UPN and set access control to Logged in users can do anything. Click Save
  2. Change authorization to Azure AD and click the Administrator checkbox next to Authenticated users. Also, click Disable graph integration and click Save
  3. Go add some random entry under the matrix, I used my UPN and clicked the Administrator checkbox. Click save
  4. Finally, go back and uncheck Disable graph integration and click save

At this point the group/user lookup works. I've done this on two distinct jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.

Good luck!

@tgquan67

tgquan67 commented Sep 27, 2022

@hawknewton I have tried your workaround but it did not work in my case.
In your case, is the UPN your email or AAD object ID? According to Jenkins' user profile page, my UPN should be the email, but I can only use the object ID as a valid UPN while testing connection for authentication or putting into the AAD authorization matrix.
EDIT: somehow it worked, but it definitely did not work when I was logged in as admin. It worked when I logged in as an Azure AD user though. So the flow that worked for me is:

  1. Sign in as admin user, set up the AAD authentication. Save it.
  2. In the Authorization section, select AAD Matrix-based security, and give Administer permission to Authenticated Users. Save it.
  3. Log out of admin user and log in as an AAD user. Now you should be able to look up users/groups. Add yourself/your group there, give yourself Administer permission and remove Administer permission from Authenticated Users for safety.

@Raviyadav409
Author

@hawknewton @tgquan67
Hi guys, I tried both scenarios but it is still not working. In both cases I found the same ACCESS DENIED issue.

[screenshot: Screenshot (19)]

[screenshot: Screenshot (20)]
[screenshot: Screenshot (21)]

@tgquan67

@Raviyadav409 when you tried what I posted, were you able to search for users/groups? Notice that you have to enable graph integration to be able to search, otherwise you will have to enter the user manually in a very specific and precise way, or else the user will not be granted anything. Basically in my case there are 2 requirements:

  • You have to be signed in as an AAD user to search
  • You have to grant Administer permission to Authenticated Users first before logging out of admin, or else you will be locked out, as admin user will not be available once you enable AAD authentication.

@Raviyadav409
Author

Hi @tgquan67, I have signed in as an AAD user. For your reference I have attached a screenshot below.
[screenshot]

And one thing I would like to mention is that I'm not able to search for users/groups. We have already made the App registration and provided all permissions. You can see all permissions here as well.

[screenshot]

@tgquan67

tgquan67 commented Oct 3, 2022

On my side the permissions are different

[screenshot]

I think you will at least need Directory.Read.All to search for users/groups (refer to #89).

@timja
Member

timja commented Oct 3, 2022

> I think you will at least need Directory.Read.All

You shouldn't need that. Are there any errors in the browser console or Jenkins logs?

@andysworkshop

> Stumbled upon a workaround here, I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:
>
> 1. Enable Azure AD authentication, make sure you can use the test functionality to lookup your UPN and set access control to `Logged in users can do anything`.  Click `Save`
>
> 2. Change authorization to `Azure AD` and click the `Administrator` checkbox next to `Authenticated users`.  Also, click `Disable graph integration` and click Save
>
> 3. Go add some random entry under the matrix, I used my UPN and clicked the `Administrator` checkbox.  Click save
>
> 4. Finally, go back and uncheck `Disable graph integration` and click save
>
> At this point the group/user lookup works. I've done this on two distinct jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.
>
> Good luck!

This fixed it for me, thanks a lot. The logs were totally silent with no clues as to what the underlying root cause might be.

@Raviyadav409
Author

Raviyadav409 commented Oct 11, 2022

Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we give the All read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we give the admin permission to our user, even when I grant Administer to myself, I am still not able to find Manage Jenkins on the Jenkins page.
Here is the attached screenshot.
[screenshot: we need to add this screenshot]
In the above image you can see I have ticked the Administer box for myself (Yadav ravi) and for other users as well.

[screenshot: managed-jenkins is not visible]

In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.

Apart from that, I'm facing another issue regarding Jenkins login. Once I set up Azure AD matrix-based security, I'm not able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins.
Here is the screenshot for that.

[screenshot]

@tgquan67

@Raviyadav409 I'm not sure about your first question, but for your second question, once you have set up a different authentication scheme, you will not be able to use admin user from the built-in database (refer to https://issues.jenkins.io/browse/JENKINS-15063 for more detail).

@cap-mevans

Has anyone tried the update 2.361.2 to see if that resolves this issue?

@Raviyadav409
Author

Raviyadav409 commented Oct 12, 2022

Hi @cap-mevans, sorry to inform you that we haven't got this application update at container level yet.

You can check that ArtifactHub is using Jenkins version 2.361.1:

https://artifacthub.io/packages/helm/jenkinsci/jenkins

[screenshot]

@timja
Member

timja commented Oct 13, 2022

artifact hub is now updated FWIW

@Raviyadav409
Author

Raviyadav409 commented Oct 18, 2022

Hi All,

I tested Azure AD matrix-based security in the latest Jenkins version, i.e. 2.361.2. In this version I'm also getting the same issue I raised earlier. You can find that issue below.

[screenshot]

> Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we give the All read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we give the admin permission to our user, even when I grant Administer to myself, I am still not able to find Manage Jenkins on the Jenkins page. Here is the attached screenshot. In the above image you can see I have ticked the Administer box for myself (Yadav ravi) and for other users as well.
>
> [screenshot: managed-jenkins is not visible]
>
> In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.
>
> Apart from that, I'm facing another issue regarding Jenkins login. Once I set up Azure AD matrix-based security, I'm not able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.
>
> [screenshot]

@tgquan67

tgquan67 commented Oct 18, 2022

Did you add those users by selecting them from the search box (with graph integration enabled), or did you just forcefully add them there while graph integration was disabled? Because even if the name there is a bit incorrect, the permission will not take effect. In my case, the names there are displayed in [email protected] (user-object-id-in-AD) or groupname (group-object-id-in-AD) format.
In the past I also tried to manually add my name there with graph integration disabled, but it's quite hard to figure out the correct format without seeing the correct one in your particular case at least once.
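
The comment above is the crux of the manual-entry failure mode: an entry that differs from what the plugin would have produced (a stray space, a different case, a typo in the object ID) is silently ignored rather than rejected. The script below is an added example, not code from this issue or from the azure-ad plugin. It assumes the `display name (object-id)` shape that tgquan67 describes, and it uses a constructed stand-in directory in place of a real Graph lookup, so the exact string the plugin expects in your tenant is still something to confirm once graph integration is working. It classifies each hand-typed entry as `ok`, a `near-miss` (close enough to look right in the UI but not an exact match) or `invalid`, which is the check you want before relying on a permission grant.

```python
import re

# Constructed stand-in for the users/groups a directory lookup would return,
# keyed by object ID (lowercase). Not real tenant data.
DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "alice@example.com",   # a user UPN
    "22222222-2222-2222-2222-22222222abcd": "jenkins-admins",      # a group name
}

# Assumed entry shape, taken from the thread: "<name> (<object-id>)".
ENTRY_RE = re.compile(r"^(?P<name>.+?) \((?P<oid>[^()]+)\)$")
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def check_entry(entry, directory=DIRECTORY):
    """Classify one hand-typed matrix entry.

    Returns "ok", "near-miss: <reasons>" or "invalid: <reason>".
    A near-miss is an entry that resolves to a real directory object but is
    not byte-for-byte the canonical form, which is exactly the kind of entry
    that looks fine in the UI yet grants nothing.
    """
    stripped = entry.strip()
    m = ENTRY_RE.match(stripped)
    if not m:
        return "invalid: not in 'name (object-id)' form"
    name, oid = m.group("name"), m.group("oid")
    if not GUID_RE.match(oid.lower()):
        return "invalid: object id is not a GUID"
    canonical = directory.get(oid.lower())
    if canonical is None:
        return "invalid: object id not in directory"

    reasons = []
    if entry != stripped:
        reasons.append("leading/trailing whitespace")
    if oid != oid.lower():
        reasons.append("object id has uppercase hex")
    if name != canonical:
        if name.lower() == canonical.lower():
            reasons.append("name differs only in case")
        else:
            reasons.append("name %r does not match %r" % (name, canonical))
    return "ok" if not reasons else "near-miss: " + "; ".join(reasons)


def check_entries(entries, directory=DIRECTORY):
    """Check a whole matrix's worth of entries; returns {entry: verdict}."""
    return {e: check_entry(e, directory) for e in entries}


if __name__ == "__main__":
    # Constructed sample of what someone might have typed into the matrix.
    sample = [
        "alice@example.com (11111111-1111-1111-1111-111111111111)",
        "Alice@Example.com (11111111-1111-1111-1111-111111111111)",
        " jenkins-admins (22222222-2222-2222-2222-22222222abcd)",
        "jenkins-admins (22222222-2222-2222-2222-22222222ABCD)",
        "bob@example.com (33333333-3333-3333-3333-333333333333)",
        "jenkins-admins",
    ]
    for entry, verdict in check_entries(sample).items():
        print("%-60r %s" % (entry, verdict))
```

Run it against the entries you typed in while graph integration was off; anything reported as a near-miss is worth retyping exactly, and anything invalid explains an Administer grant that never took effect. Swap the constructed `DIRECTORY` for the names and IDs the search box shows once lookup works in your instance.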

@Raviyadav409
Author

@tgquan67 FYI, for me the search box is not appearing in the Azure AD matrix-based security section, so I just disabled graph integration and then added users manually.

@tgquan67

One way to know if the name you added is correct is to enable graph integration again. I think when you enable it, any invalid entry you added will be crossed out.

@Raviyadav409
Author

@tgquan67 FYI, in my case every entry I added manually is a correct one and is not getting crossed out. It means all my entries are correct and authorized. But still, when I give admin access to that entry, it is not working as expected. It means that user or entry is not getting any admin permission.

@madhulikap0903

Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, I too have a similar issue. I tested Azure AD matrix-based security in the latest Jenkins version, i.e. 2.372. While I configure global security, user names cannot be found.
[screenshot]
Below is the permission/admin consent on Azure:
[screenshot]

Any suggestion to fix this Jenkins Azure integration?

@tgquan67

tgquan67 commented Nov 7, 2022

@madhulikap0903 the only thing I realized in my case is that you have to give all permissions to Authenticated Users, and then log out of admin account and relogin as an AD user. Only then could I search for AD users/groups.
Remember that once you log out of admin user, you won't be able to relogin as admin.

@timja
Member

timja commented Nov 7, 2022

You may not need to log out, saving the config and refreshing the page should be enough.

@mgrobelinp44

I face the same issue within the /manage/configureSecurity/ global configuration page, BUT it works within a jobs configuration page.

Empty results list in global config
[screenshot]

Working results list in job config*
[screenshot]

Jenkins 2.361.3
Azure AD Plugin 267.v5b_dfb_514d9fd

(*) the first Enable project-based security config section appears to be for the Project-based matrix, the second for the Azure-based matrix

@doogalbeez

I had this issue when setting the plugin up. All the previous steps were tried, or attempted, as I had to roll back the config to the point before I configured the Azure plugin a few times after getting locked out.

  1. Configure the Security Realm for Azure Active Directory
  2. Test if it finds an account
  3. hit save
  4. check the Authorization to Active directory matrix based box
  5. do not hit save
  6. as a precaution, since I've been locked out a few times, add Anonymous and Authenticated Users to Administer overall
  7. save, log out.
  8. Since anon has admin access (don't forget to disable afterward) continue to configure the settings
  9. go back into the add azure user/group
  10. test lookup for user/group
  11. if it works, then add the correct user/group from azure ad, and pop that champagne to celebrate
  12. if It's still not working, continue to the next steps
  13. disable graph integration
  14. hit save
  15. go back to add the user/group
  16. add the user's UPN or group's Object ID, set to admin for now
  17. hit save
  18. go back and uncheck Disable graph integration
  19. hit save
  20. go back and check if it’s working now (it did for me, ymmv)

Hope it helps!

@ZamElek

ZamElek commented Sep 5, 2023

Have the same issue on Jenkins 2.346.3 and Azure AD plugin version 306.va_7083923fd50. It started working after re-enabling the "Disable graph integration" option.

@lukolszewski

I'm having the same issue on Jenkins 2.426.1 with the latest Azure AD plugin on multiple servers. Disabling and re-enabling graph integration resolves it, but it cannot be done without disruption to group-based security permissions. It should be considered a priority 1 issue for this plugin.
