
Azure Ad User doesn't belong to any role in jenkins

Open DW-gabriele opened this issue 4 years ago • 5 comments

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.1
OS: Linux - 5.4.89+
---
workflow-api:2.46
conditional-buildstep:1.4.1
workflow-cps:2.92
mailer:1.34
script-security:1.77
analysis-model-api:10.2.5
role-strategy:3.1.1
git-client:3.7.2
pipeline-build-step:2.13
workflow-basic-steps:2.23
echarts-api:5.1.2-2
momentjs:1.1.1
workflow-scm-step:2.13
bootstrap5-api:5.0.1-2
pipeline-stage-step:2.5
antisamy-markup-formatter:2.1
font-awesome-api:5.15.3-3
command-launcher:1.6
pipeline-github-lib:1.0
authentication-tokens:1.4
handlebars:3.0.8
caffeine-api:2.9.1-23.v51c4e2c879c8
popper2-api:2.5.4-2
trilead-api:1.0.13
ssh-credentials:1.19
google-login:1.6
pipeline-model-extensions:1.8.5
throttle-concurrents:2.3
display-url-api:2.3.5
azure-ad:175.v5513346d764a
build-timestamp:1.0.3
run-condition:1.5
structs:1.23
configuration-as-code:1.51
build-monitor-plugin:1.12+build.201809061734
azure-commons:1.1.3
branch-api:2.6.4
python:1.3
ace-editor:1.1
git:4.7.2
bouncycastle-api:2.20
pipeline-graph-analysis:1.11
token-macro:2.15
bootstrap4-api:4.6.0-3
workflow-job:2.41
warnings-ng:9.3.0
pollscm:1.3.1
credentials:2.5
resource-disposer:0.16
google-oauth-plugin:1.0.6
pipeline-model-api:1.8.5
windows-slaves:1.8
data-tables-api:1.10.25-1
google-container-registry-auth:0.3
cloudbees-folder:6.15
matrix-auth:2.6.7
popper-api:1.16.1-2
pipeline-input-step:2.12
rebuild:1.32
ws-cleanup:0.39
parameterized-trigger:2.41
jquery3-api:3.6.0-1
jdk-tool:1.5
scm-api:2.6.4
build-blocker-plugin:1.7.7
parameterized-scheduler:1.0
matrix-project:1.19
git-server:1.9
snakeyaml-api:1.29.1
workflow-aggregator:2.6
email-ext:2.83
workflow-durable-task-step:2.39
build-failure-analyzer:2.0.0
lockable-resources:2.11
workflow-multibranch:2.26
azure-sdk:23.v5682688d0eef
credentials-binding:1.26
pipeline-rest-api:2.19
authorize-project:1.4.0
sshd:3.0.3
workflow-cps-global-lib:2.21
jackson2-api:2.12.3
junit:1.50
workflow-support:3.8
oauth-credentials:0.4
p4:1.11.5
pipeline-stage-tags-metadata:1.8.5
maven-plugin:3.12
forensics-api:1.1.0
plugin-util-api:2.3.0
timestamper:1.13
checks-api:1.7.0
pipeline-model-definition:1.8.5
pipeline-stage-view:2.19
apache-httpcomponents-client-4-api:4.5.13-1.0
workflow-step-api:2.23
emailext-template:1.2
jsch:0.1.55.2
durable-task:1.37
Office-365-Connector:4.15.0
docker-commons:1.17
prqa-plugin:3.3.3
plain-credentials:1.7
pipeline-milestone-step:1.3.2
javadoc:1.6
python-wrapper:1.0.3

  • What Operating System are you using (both controller, and any agents involved in the problem)?
Linux - 5.4.89+

Reproduction steps

  • User Logs In with Azure AD account (this happened to only one of our users for now)

Results

Expected result:

The user should be able to connect with the correct privileges. When checking the profile in the "People Page", the user's groups should look like:

Unique Principal Name: [email protected]
Email: [email protected]
Object ID: **object-id**
Tenant ID: **tenant-id**
Groups: []

Jenkins User ID: [email protected]
Groups:
**ID LISTS**
GR_DEVOPS
GR_JENKINS
GR_TECH

Actual result:

The user has access with Authenticated Users rights, but not the rights of the groups they belong to. When checking the profile in the "People Page", the user's groups are empty:

Azure Active Directory User

Unique Principal Name: [email protected]
Email: [email protected]
Object ID: **object-id**
Tenant ID: **tenant-id**
Groups: []

Jenkins User ID: [email protected]
Groups:
**object-id**

DW-gabriele avatar Jul 05 '21 15:07 DW-gabriele

is this related to https://github.com/jenkinsci/azure-ad-plugin/issues/148?

are you using a Microsoft 365 group or a mail enabled security group?

timja avatar Jul 05 '21 15:07 timja
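The question above (Microsoft 365 group versus mail-enabled security group) can be answered from what Microsoft Graph reports for the user rather than from memory. The script below is an added example for this thread, not code from the azure-ad-plugin: it classifies each group by the `mailEnabled` / `securityEnabled` / `groupTypes` flags of the Graph group resource, diffs the group display names against the names a Jenkins role mapping expects (the GR_DEVOPS / GR_JENKINS / GR_TECH names from the report; matching on display name is an assumption about how the role strategy is configured), and notes whether each group is synced from on-premises AD. The embedded payload is a constructed sample in the shape of a `transitiveMemberOf/microsoft.graph.group` response with made-up object IDs; `fetch_transitive_groups` is the live variant, which needs an application token holding `GroupMember.Read.All` or `Directory.Read.All`. A token without that permission gets a 403, not an empty group list, which separates "the service principal cannot read groups" from "the user is in the wrong kind of group".

```python
"""Classify an Azure AD user's transitive groups (as Microsoft Graph reports them)
and check them against the group names a Jenkins role mapping expects.

Example code added to this thread; not part of the azure-ad-plugin.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample in the shape Graph returns for
# GET /users/{id}/transitiveMemberOf/microsoft.graph.group. Object IDs are made up.
SAMPLE_GRAPH_RESPONSE = {
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "displayName": "GR_DEVOPS",
         "mailEnabled": False, "securityEnabled": True, "groupTypes": [],
         "onPremisesSyncEnabled": True},
        {"id": "22222222-2222-2222-2222-222222222222", "displayName": "GR_JENKINS",
         "mailEnabled": True, "securityEnabled": True, "groupTypes": [],
         "onPremisesSyncEnabled": True},
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "All Company",
         "mailEnabled": True, "securityEnabled": False, "groupTypes": ["Unified"],
         "onPremisesSyncEnabled": None},
        {"id": "44444444-4444-4444-4444-444444444444", "displayName": "announcements",
         "mailEnabled": True, "securityEnabled": False, "groupTypes": [],
         "onPremisesSyncEnabled": True},
    ]
}

# Group names the Jenkins role mapping expects (taken from the report above).
EXPECTED_JENKINS_GROUPS = {"GR_DEVOPS", "GR_JENKINS", "GR_TECH"}


def classify_group(group):
    """Map the flag combinations Microsoft documents for the group resource
    to a group kind: Unified => Microsoft 365; security+mail => mail-enabled
    security; security only => security; mail only => distribution."""
    unified = "Unified" in (group.get("groupTypes") or [])
    mail = bool(group.get("mailEnabled"))
    sec = bool(group.get("securityEnabled"))
    if unified:
        return "microsoft365"
    if sec and mail:
        return "mail-enabled-security"
    if sec:
        return "security"
    if mail:
        return "distribution"
    return "unknown"


def check_membership(graph_response, expected):
    """Diff the groups Graph reports against the expected names and attach each
    group's kind and sync origin so a missing name can be traced to a group type,
    a sync gap, or a permission problem."""
    by_name = {g["displayName"]: g for g in graph_response.get("value", [])}
    found = set(by_name) & set(expected)
    details = {
        name: {
            "id": g["id"],
            "kind": classify_group(g),
            "synced_from_on_prem": bool(g.get("onPremisesSyncEnabled")),
        }
        for name, g in by_name.items()
    }
    return {"found": found, "missing": set(expected) - found, "details": details}


def fetch_transitive_groups(access_token, user):
    """Live variant: pull the user's transitive groups from Graph, following
    @odata.nextLink pages. 'user' is an object ID or UPN. The token needs
    GroupMember.Read.All or Directory.Read.All; without it Graph answers 403."""
    url = (f"{GRAPH}/users/{urllib.parse.quote(user)}/transitiveMemberOf/microsoft.graph.group"
           "?$select=id,displayName,mailEnabled,securityEnabled,groupTypes,onPremisesSyncEnabled")
    value = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        value.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return {"value": value}


if __name__ == "__main__":
    result = check_membership(SAMPLE_GRAPH_RESPONSE, EXPECTED_JENKINS_GROUPS)
    for name in sorted(result["found"]):
        print(f"found   {name:12s} {result['details'][name]}")
    for name in sorted(result["missing"]):
        print(f"MISSING {name}")
```

On the constructed sample, GR_DEVOPS and GR_JENKINS are found (one plain security group, one mail-enabled security group, both synced from on-premises AD) and GR_TECH is reported missing; for a real user, replace the sample with the output of `fetch_transitive_groups` and compare the result with the groups shown on that user's People page.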

It seems they are security groups, synced from our local AD. I updated to the latest version of the plugin as suggested in the other ticket, but it didn't seem to solve the issue. I also tried to remove the user from the People view to see if it refreshed the correct groups at the next login, but it didn't seem to work.

DW-gabriele avatar Jul 06 '21 10:07 DW-gabriele

Ok, after further investigation it seems that the issue is only related to the AAD global administrators. Could it actually be an issue with the rights of the service account, or maybe the plugin excludes them for some reason?

DW-gabriele avatar Jul 07 '21 08:07 DW-gabriele

The plugin doesn't exclude them, and it shouldn't be an issue. It works with my global admin account just fine.

timja avatar Jul 07 '21 09:07 timja