To configure Azure AD authentication, you'll need to enable the Azure Active Directory (Azure AD) feature in your Azure subscription. This is a crucial step, as it allows Azure AD to manage user identities and authenticate users for your applications.
Azure AD authentication is based on the OAuth 2.0 and OpenID Connect (OIDC) protocols, which provide secure and standardized ways to authenticate users. OAuth 2.0 is used for authorization, while OIDC is used for authentication.
To start, you'll need to create a directory in Azure AD, which will serve as the central location for managing user identities and authentication settings. This directory will contain all the necessary information, including user credentials, group memberships, and application permissions.
You can also configure Azure AD to use conditional access policies, which allow you to control access to your applications based on various conditions, such as user location, device type, and more.
Azure AD Authentication Basics
To get started with Azure AD authentication for HashiCorp Vault, you'll need a few things. You'll need a configured Azure AD application, which is used as the resource for which managed service identity (MSI) access tokens are issued. The Azure auth method also requires client credentials to access Azure APIs: a configured Azure AD application together with client credentials that have read access to the particular Azure Resource Manager resources Vault will verify.
Here's a quick rundown of what you'll need to configure an Azure AD identity provider in CloudBeaver:
- Domain / Tenant ID: The organization's domain or Tenant ID in Azure
- Application (client) ID: The ID of Azure AD application
- Secret Key: A Secret key from Azure AD application
If Vault is hosted on Azure, you'll also need to enable a managed identity on the resource that acquires the access token.
Overview
To get started with Azure AD authentication, you'll need an active Azure account. This is the foundation of the process.
You'll also need to configure an application in Azure AD. This involves providing settings such as a Redirect URL, which is the URL that Azure AD will send a response to about the authorization attempt.
To set up your Azure AD identity provider in CloudBeaver, you'll need to provide the settings listed above: the Domain / Tenant ID, the Application (client) ID and the Secret Key. These settings are required for the authentication process to work.
Group Membership Claim in Manifest
To include group membership claims in the token, add the following line at the root of the application's manifest file: "groupMembershipClaims": "ApplicationGroup, SecurityGroup". The value names the kinds of groups to emit; with both ApplicationGroup and SecurityGroup listed, the token carries both application groups and security groups.
To reach the manifest, go to App Registrations, search for your application and click it, then click Manifest and add the line at the root of the file.
Here's a step-by-step guide to configuring group membership claims in the manifest file:
- Go to App Registrations and search for your application.
- Click on your application and then click Manifest.
- Add the following line of code to the root of the file: "groupMembershipClaims": "ApplicationGroup, SecurityGroup".
Configuring Azure AD
To configure Azure AD authentication, you'll need to create an application in the Azure AD if it doesn't already exist. This involves registering a new Enterprise Application in Azure AD according to the official Microsoft documentation.
You'll also need to configure the application secrets, which can be found in the official Microsoft documentation. Be sure to record the secret key as it can only be obtained once.
To limit access to authenticated users, you can set allowed_organizations to a comma- or space-separated list of tenant IDs. You can find tenant IDs on the Azure portal under Microsoft Entra ID -> Overview. For example, allowed_organizations = 8bab1c86-8fba-33e5-2089-1d1c80ec267d gives access only to members of that example tenant.
To further limit user access, you can set allowed_groups to a comma- or space-separated list of group object IDs. You can find the Object ID of a group by clicking on the group and then clicking on Properties on the Azure portal. For example, allowed_groups = 8bab1c86-8fba-33e5-2089-1d1c80ec267d gives access only to members of that example group.
Here's a summary of the steps:
- Register the application in Azure AD if it doesn't already exist.
- Create the application secret and record it; it can only be obtained once.
- Set allowed_organizations to the tenant IDs whose members may log in.
- Set allowed_groups to the group object IDs whose members may log in.
Allowed Domains
To limit access to specific users, you can configure allowed domains. This option restricts access to users who belong to certain domains, which you can separate with a space or comma.
For example, to limit access to users from the example.com domain, set allowed_domains = example.com.
Configure Redirect URIs
To configure the redirect URIs for Azure AD, you need to set up the Login and Logout redirect URIs. The Login redirect URI is {$portalRoot}/Account/LogonCallback, and the Logout redirect URI is {$portalRoot}/Unauthorized.
You'll also need to register a new Enterprise Application in Azure AD, following the official Microsoft documentation. Once it exists, you can configure the application secrets, which are required for authorization.
To support reading and displaying user information, such as first and last name, you'll need to add the family_name and given_name fields to the response token. This can be done by following the official Microsoft documentation.
Here are the specific steps to configure the redirect link:
- Open Azure AD provider configuration in Cloudbeaver and copy the Redirect link.
- Add the redirect link to the Azure AD application, selecting Web as the platform; the procedure is described in the official Microsoft documentation.
Via the CLI
Configuring Azure AD via the command line interface (CLI) is a straightforward process. You can use the `vault` command to enable Azure authentication and configure the Azure auth method.
To enable Azure authentication, run `vault auth enable azure`. This enables the Azure auth method, which machines running on Azure use to authenticate to Vault.
The `vault write auth/azure/config` command configures the Azure auth method. It requires the `tenant_id`, `resource`, `client_id`, and `client_secret` parameters.
The separate `vault write azure/config` command configures the Azure secrets engine (mounted at `azure/`, not `auth/azure/`): it sets the Client and Tenant IDs and the audience claim value (`identity_token_audience`) for plugin workload identity federation.
To create a role, you can use the `vault write auth/azure/role/dev-role` command. This command requires the `policies`, `bound_subscription_ids`, and `bound_resource_groups` to be specified.
Here are the specific commands you can use to configure Azure AD via the CLI:
- `vault auth enable azure`
- `vault write auth/azure/config tenant_id=... resource=... client_id=... client_secret=...`
- `vault write azure/config tenant_id=... client_id=... identity_token_audience=...`
- `vault write auth/azure/role/dev-role policies=... bound_subscription_ids=... bound_resource_groups=...`
Azure AD Authentication in Grafana
To configure Azure AD authentication in Grafana, you'll need to set up application roles in the Azure Portal. This involves defining roles corresponding to each Grafana role: Viewer, Editor, and Admin. You can do this by going to App Registrations, searching for your application, and clicking it, then clicking App roles and creating a new one.
In Grafana, you can also configure Azure AD authentication using the UI. As a Grafana Admin, you can navigate to the Administration > Authentication > Azure AD page and fill in the form with your Azure AD OAuth2 client details. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values.
You can also use environment variables to configure client_id and client_secret in Grafana. This is available in Grafana v9.3 and later versions.
Allowed Groups
To limit access to authenticated users who are members of specific groups in Azure AD, you can configure allowed groups in Grafana. This involves setting the allowed_groups option to a comma- or space-separated list of group object IDs.
You can find the object ID of a group by navigating to Microsoft Entra ID > Manage > Groups on the Azure portal, clicking on the group, and then clicking on Properties. The object ID is listed under Object ID.
To set the allowed_groups option, copy the object ID of the group you want to give access to, for example, 8bab1c86-8fba-33e5-2089-1d1c80ec267d.
You must also enable adding the group attribute to the tokens in your Entra ID App registration either from the Azure Portal or from the manifest file.
Here's an example of how to set the allowed_groups option:
allowed_groups = 8bab1c86-8fba-33e5-2089-1d1c80ec267d
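The allowed_organizations, allowed_groups and allowed_domains options above all follow the same pattern: a comma- or space-separated list, and a login passes only if every configured list is satisfied. The following added example (not Grafana's own code) evaluates constructed ID-token claims against those lists the way a practitioner would reason about them; claim names tid, groups and email are the standard Entra ID token claims, and the token samples are constructed. It also shows the failure mode from the paragraph above: with no groups claim in the token, an allowed_groups check cannot succeed.

```python
"""Evaluate Grafana-style Azure AD allow-lists against decoded ID-token claims.

Added example, not Grafana's code. Mirrors the three options the text
describes (allowed_organizations, allowed_groups, allowed_domains): each is a
comma- or space-separated list, and a user is admitted only when every
configured list is satisfied. The tokens below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# 8-4-4-4-12 hex GUID, the shape of tenant IDs and group object IDs.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def parse_list(value: str) -> set[str]:
    """Split a comma- or space-separated option value into its items."""
    return {item for item in re.split(r"[,\s]+", value.strip()) if item}


def parse_guid_list(option: str, value: str) -> set[str]:
    """Parse an option whose items must be tenant or group object IDs."""
    ids = parse_list(value)
    bad = sorted(i for i in ids if not GUID_RE.match(i))
    if bad:
        raise ValueError(f"{option}: not a tenant/group object ID: {bad}")
    return {i.lower() for i in ids}


@dataclass
class AllowLists:
    organizations: set[str] = field(default_factory=set)  # allowed_organizations
    groups: set[str] = field(default_factory=set)         # allowed_groups
    domains: set[str] = field(default_factory=set)        # allowed_domains

    @classmethod
    def from_config(cls, cfg: dict) -> "AllowLists":
        return cls(
            organizations=parse_guid_list(
                "allowed_organizations", cfg.get("allowed_organizations", "")
            ),
            groups=parse_guid_list("allowed_groups", cfg.get("allowed_groups", "")),
            domains={d.lower() for d in parse_list(cfg.get("allowed_domains", ""))},
        )


def evaluate(claims: dict, lists: AllowLists) -> tuple[bool, str]:
    """Return (allowed, reason). An empty list means that check is skipped."""
    if lists.organizations:
        tid = str(claims.get("tid", "")).lower()
        if tid not in lists.organizations:
            return False, f"tenant {tid or '<missing>'} not in allowed_organizations"
    if lists.groups:
        groups = claims.get("groups")
        if groups is None:
            # No groups claim at all: either groupMembershipClaims was never
            # enabled on the app registration, or the user is in so many
            # groups that Entra ID replaced the claim with an overage hint
            # (_claim_names). Fail closed rather than treat it as "no groups".
            return False, "token carries no groups claim; enable groupMembershipClaims"
        if not {str(g).lower() for g in groups} & lists.groups:
            return False, "user is in none of allowed_groups"
    if lists.domains:
        email = str(claims.get("email") or claims.get("preferred_username") or "")
        domain = email.rpartition("@")[2].lower()
        if domain not in lists.domains:
            return False, f"domain {domain or '<missing>'} not in allowed_domains"
    return True, "allowed"


# Constructed config reusing the example ID from the text for both lists.
CONFIG = {
    "allowed_organizations": "8bab1c86-8fba-33e5-2089-1d1c80ec267d",
    "allowed_groups": "8bab1c86-8fba-33e5-2089-1d1c80ec267d",
    "allowed_domains": "example.com",
}
LISTS = AllowLists.from_config(CONFIG)

# Constructed claim sets standing in for decoded ID tokens.
SAMPLE_TOKENS = {
    "member": {
        "tid": "8BAB1C86-8FBA-33E5-2089-1D1C80EC267D",   # case differs, still matches
        "groups": ["8bab1c86-8fba-33e5-2089-1d1c80ec267d"],
        "email": "alice@example.com",
    },
    "wrong_tenant": {
        "tid": "11111111-2222-3333-4444-555555555555",
        "groups": ["8bab1c86-8fba-33e5-2089-1d1c80ec267d"],
        "email": "bob@example.com",
    },
    "no_groups_claim": {                                  # manifest never updated
        "tid": "8bab1c86-8fba-33e5-2089-1d1c80ec267d",
        "email": "carol@example.com",
    },
}

if __name__ == "__main__":
    for name, claims in SAMPLE_TOKENS.items():
        print(f"{name:>16}: {evaluate(claims, LISTS)}")
```

Comparison is case-insensitive because Entra ID GUIDs are not case-normalised across portals and tokens; the deny reasons are worth logging as-is, since "no groups claim" and "not in allowed_groups" call for different fixes (manifest versus group membership).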
Client in Grafana UI
As a Grafana Admin, you can configure your Azure AD OAuth2 client from within Grafana using the Grafana UI. To do this, navigate to the Administration > Authentication > Azure AD page.
The form will be pre-populated with your current configuration if you have one in the Grafana configuration file. Otherwise, it will contain default values. Fill in the form with the necessary information.
After you've filled in the form, click Save to save the configuration. If the save was successful, Grafana will apply the new configurations.
You can reset changes you made in the UI back to the default values by clicking Reset. This will apply the configuration from the Grafana configuration file (if there is any configuration) or the default values.
Here's a step-by-step guide to resetting changes in the Grafana UI:
- Click Reset on the Azure AD page.
- Grafana will apply the configuration from the Grafana configuration file (if there is any configuration) or the default values.
Grafana Application Roles
Grafana Application Roles are a crucial part of Azure AD Authentication in Grafana. You can configure them in the Azure Portal or in the manifest file.
To set up basic application roles for Grafana in the Azure Portal, follow these steps:
- Go to App Registrations, search for your application, and click it.
- Click App roles and then Create app role.
- Define a role corresponding to each Grafana role: Viewer, Editor, and Admin.
Alternatively, you can configure application roles for Grafana in the manifest file. This involves adding a Universally Unique Identifier to each role. You'll also need to replace "SOME_UNIQUE_ID" with the generated ID in the manifest file.
In the manifest file you define the same three roles, Viewer, Editor, and Admin, each with its own unique ID in its id field.
Remember to click Save after making changes to the manifest file.
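Both manifest edits described on this page, the root-level "groupMembershipClaims" line from the Group Membership Claim section and the per-role appRoles entries with "SOME_UNIQUE_ID" replaced, are easy to get subtly wrong by hand (a role whose id is still the placeholder, two roles sharing an id). The added example below (not Grafana's or Microsoft's code) applies both edits to a manifest offline and validates the result before you paste it back into App Registrations > Manifest; SAMPLE_MANIFEST is a constructed minimal excerpt, and the appRoles entries follow the application manifest schema fields allowedMemberTypes, description, displayName, id, isEnabled and value.

```python
"""Apply the two Entra ID manifest edits the text describes, offline:

  1. set groupMembershipClaims so tokens carry a groups claim, and
  2. add one appRoles entry per Grafana role (Viewer, Editor, Admin), each
     with a freshly generated UUID in place of "SOME_UNIQUE_ID".

Added example, not Grafana's or Microsoft's code. SAMPLE_MANIFEST is a
constructed minimal excerpt of an app-registration manifest.
"""
import json
import uuid

GRAFANA_ROLES = ("Viewer", "Editor", "Admin")

# Constructed excerpt (placeholder id), as it would be copied from the portal.
SAMPLE_MANIFEST = json.dumps({
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "grafana-example",
    "groupMembershipClaims": None,
    "appRoles": [],
})


def set_group_membership_claims(manifest: dict,
                                value: str = "ApplicationGroup, SecurityGroup") -> dict:
    """Root-level setting that makes Entra ID emit group IDs in the token."""
    manifest["groupMembershipClaims"] = value
    return manifest


def add_grafana_app_roles(manifest: dict, roles=GRAFANA_ROLES) -> dict:
    """Append an app role per Grafana role; idempotent on re-run."""
    app_roles = manifest.setdefault("appRoles", [])
    existing = {r.get("value") for r in app_roles}
    for role in roles:
        if role in existing:
            continue
        app_roles.append({
            "allowedMemberTypes": ["User"],
            "description": f"Grafana {role.lower()} users",
            "displayName": f"Grafana {role}",
            "id": str(uuid.uuid4()),   # stands in for SOME_UNIQUE_ID in the template
            "isEnabled": True,
            "value": role,             # must equal the Grafana role name exactly
        })
    return manifest


def validate(manifest: dict) -> list[str]:
    """Return problems found; an empty list means the manifest is ready to save."""
    problems = []
    if manifest.get("groupMembershipClaims") in (None, "", "None"):
        problems.append("groupMembershipClaims not set; tokens will carry no groups claim")
    ids, values = [], []
    for role in manifest.get("appRoles", []):
        rid = str(role.get("id", ""))
        try:
            uuid.UUID(rid)
        except ValueError:
            problems.append(f"appRoles id {rid!r} is not a UUID (SOME_UNIQUE_ID left in place?)")
        ids.append(rid)
        values.append(role.get("value"))
    if len(set(ids)) != len(ids):
        problems.append("duplicate appRoles ids; each role needs its own UUID")
    missing = [r for r in GRAFANA_ROLES if r not in values]
    if missing:
        problems.append(f"no app role defined for Grafana role(s): {missing}")
    return problems


def prepare_manifest(text: str) -> dict:
    """Parse the manifest JSON, apply both edits and return the result."""
    manifest = json.loads(text)
    set_group_membership_claims(manifest)
    add_grafana_app_roles(manifest)
    return manifest


if __name__ == "__main__":
    prepared = prepare_manifest(SAMPLE_MANIFEST)
    print(json.dumps(prepared, indent=2))
    print("problems:", validate(prepared) or "none")
```

Running it against a manifest exported from the portal and pasting back the printed JSON is the whole workflow; the validate() step is the part worth keeping even if you edit by hand, since a role whose id is still "SOME_UNIQUE_ID" is rejected on save and a missing groupMembershipClaims shows up only later as an allowed_groups login failure.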
LDAP via AD
LDAP via AD is another option for Azure AD-backed authentication on Linux VMs. You can connect your Linux VMs to Active Directory using LDAP and Kerberos via Azure AD Connect.
This approach joins your Linux VMs to Active Directory, essentially bypassing native Azure AD authentication. It only makes sense if you already have an Active Directory instance; standing one up just for this would add too much maintenance overhead.
With Azure AD Connect, you can connect your classic Active Directory to Azure AD, enabling LDAP and Kerberos authentication. This is especially useful if you already have an Active Directory instance integrated with Azure AD.
Alternatively, you can use Azure AD Domain Services ("AAD DS") to support LDAP and Kerberos authentication. AAD DS is a managed service that provides the necessary LDAP and Kerberos endpoints, allowing you to join Linux VMs indirectly to the Azure AD domain.
Microsoft officially supports this configuration, with instructions available for Red Hat and other Linux distributions.
Frequently Asked Questions
Does Azure AD use SAML or OAuth?
Azure AD supports multiple authentication protocols, including SAML and OAuth, which can be used to integrate your application. To use these protocols, check your application's supported authentication methods.
Is Entra ID the same as Azure AD?
Yes, Microsoft Entra ID is identical to Azure AD in terms of licensing and functionality. The name change does not affect how the service operates.
Sources
- https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/
- https://docs.fintechos.com/Platform/21.1.1/AdminGuide/Content/Security/AzureADAuthentication.htm
- https://developer.hashicorp.com/vault/docs/auth/azure
- https://www.puppeteers.net/blog/linux-azure-ad-authentication-options/
- https://github.com/dbeaver/cloudbeaver/wiki/Azure-AD-authentication