oauthenticator

[AzureAD] app roles for something similar to admin_groups and allowed_groups

Open weisdd opened this issue 2 years ago • 4 comments

Proposed change

Currently, AzureAD has a very basic implementation, which doesn't allow working with users based on their group membership for admin access or for prohibiting them from entering JupyterHub.

IMO, app roles would be the simplest implementation. They can be added to a group (a user must be a direct member of the group), so we would see those roles in an ID token and can later decide whether a user can be considered an admin or prohibited from entering JupyterHub at all. We could see something similar (only for role mapping) in Grafana's AzureAD integration.

Alternative options

Based on what I learned about AzureAD in a couple of days (hadn't really worked with it before), linking anything to groups will require us to give additional privileges to an app and to send subsequent requests to another endpoint, which seems to be too complex.

Who would use this feature?

Anyone who relies on Azure AD.

(Optional): Suggest a solution

I'll open a PR with a draft implementation.

weisdd Jul 15 '21 18:07
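The role check the proposal above describes, as an added example that is not part of the original issue or of oauthenticator's code: it reads the `roles` claim from ID-token claims that are assumed to be already signature-validated, and denies by default. The function names, the role values and the use of `name` as the username claim are assumptions.

```python
"""Added example: map Azure AD app roles to JupyterHub access decisions."""


def _roles_from_claims(claims):
    """Return the token's app roles as a set; a missing or malformed claim yields no roles."""
    raw = claims.get("roles")
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        return set()
    return {r for r in raw if isinstance(r, str) and r}


def authorize_from_roles(claims, admin_roles, allowed_roles, username_claim="name"):
    """Decide access from already validated ID-token claims.

    Returns None to deny login, else {"name": ..., "admin": bool}.
    Deny by default: a user holding none of the configured roles is refused.
    """
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username:
        return None
    roles = _roles_from_claims(claims)
    is_admin = bool(roles & set(admin_roles))
    if not is_admin and not (roles & set(allowed_roles)):
        return None
    return {"name": username, "admin": is_admin}


# Constructed sample claims (not real tokens); the role values are hypothetical.
ADMIN_ROLES = {"JupyterHub.Admin"}
ALLOWED_ROLES = {"JupyterHub.User"}
SAMPLE_CLAIMS = [
    {"name": "alice", "roles": ["JupyterHub.Admin"]},
    {"name": "bob", "roles": ["JupyterHub.User", "Other.Role"]},
    {"name": "carol", "roles": ["Other.Role"]},
    {"name": "dave"},  # user with no app role assigned
]

if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(c["name"], "->", authorize_from_roles(c, ADMIN_ROLES, ALLOWED_ROLES))
```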

Any updates on this? I'd really like to be able to use this feature.

Bfoster-melrok Aug 18 '21 18:08

@Bfoster-melrok PR still stays without any comments from JupyterHub maintainers, so no further progress.

weisdd Aug 18 '21 20:08

Hi from 2022 :) Any plans to implement the requested feature?

malaman Aug 02 '22 06:08

Hi from 2023 :)

I would also like to know if there are any plans to implement this, or if there is a workaround to get the same functionality?

christian-sapconet Sep 07 '23 09:09