
Improve documentation around how to set up Azure AD application

Open peat-psuwit opened this issue 2 years ago • 7 comments

In README.md, it mentions the need to create an Azure AD application, and links to Azure's documentation for application registration in general. However,

  • It doesn't mention that "Allow public client flows" has to be enabled [1].
  • It doesn't mention that a consent has to be given to the application, either tenant-wide, or from user itself.
    • For tenant-wide admin consent, see [2].
    • For per-user consent, well... let's say that aad-auth isn't really designed to be used this way. However, if one isn't a tenant's administrator (as I'm not) and wants to try this out, I can report that following this tutorial [3] (intended for a completely different purpose) does grant the necessary consent.
      • Off topic, but it would be nice if GDM could have the browser shown for the interactive authorization flow.
  • The linked document [4] mentions "assign(ing) a role to the application". However, since we're essentially a client-facing application, it's not required. This makes debugging more confusing.

The first 2 points are partially addressed as an error message improvement in #193, but it would be nice if Ubuntu documented how to configure the Azure AD application correctly in the first place (either here or in documentation somewhere).

[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris
[2] https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal
[3] https://s4erka.wordpress.com/2021/03/26/azure-ad-application-to-test-oauth2-0/
[4] https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

peat-psuwit avatar Apr 22 '23 18:04 peat-psuwit

SSO flow during login is a must-have feature! This way the aad-auth will become an actual ZERO TRUST module. However, I doubt it'll happen as it requires GDM rewrite.

bash-bandicoot avatar Apr 23 '23 11:04 bash-bandicoot

I wasn't able to get this working until I tried the suggestion from @peat-psuwit

Some better documentation about the Azure AD application setup would be appreciated.

jamesps-ebi avatar Apr 24 '23 08:04 jamesps-ebi

Thanks for reporting this issue with the documentation. I'm adding it to our backlog.

jibel avatar Apr 25 '23 08:04 jibel

I found this third-party blog to be very helpful for setting up Azure AD and Ubuntu 23.04:

  • https://blog.nevinpjohn.in/posts/AAD-auth-Ubuntu-Desktop-23.04/

vstokesjr avatar May 09 '23 17:05 vstokesjr

What API Permissions should be granted to the AD Application so the login works?

turowicz avatar Jun 20 '23 08:06 turowicz

What API Permissions should be granted to the AD Application so the login works?

I struggled with this as well and got my answer from

2.) Also, you need to add delegated API permission 'User.Read' for MS Graph and grant admin consent.

https://github.com/ubuntu/aad-auth/issues/195#issuecomment-1520825120

Sirawudh avatar Sep 07 '23 03:09 Sirawudh
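An added check, not code from the aad-auth project or from any commenter, that reads an exported app-registration manifest together with its oauth2PermissionGrant records and reports which of the three settings raised in the opening post and in the comment above (public client flows, delegated User.Read on Microsoft Graph, admin or user consent) are missing. The manifest field names and the Graph / User.Read GUIDs are taken from Microsoft's public documentation and are assumptions, not values from this issue; the sample manifests are constructed.

```python
import json

# Well-known identifiers (assumed from public Microsoft documentation, not from this issue):
# Microsoft Graph's application id and the id of its delegated 'User.Read' permission.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"


def check_app_registration(manifest: dict, grants: list) -> list:
    """Return human-readable findings; an empty list means the registration
    has the three settings this issue says aad-auth needs."""
    findings = []
    # 1. The portal's "Allow public client flows" toggle is isFallbackPublicClient in the manifest.
    if manifest.get("isFallbackPublicClient") is not True:
        findings.append("public client flows not enabled (isFallbackPublicClient != true)")
    # 2. Delegated (type "Scope") User.Read on Microsoft Graph must be requested.
    has_user_read = any(
        res.get("resourceAppId") == GRAPH_APP_ID
        and any(a.get("id") == USER_READ_SCOPE_ID and a.get("type") == "Scope"
                for a in res.get("resourceAccess", []))
        for res in manifest.get("requiredResourceAccess", [])
    )
    if not has_user_read:
        findings.append("delegated User.Read for Microsoft Graph not requested")
    # 3. Consent must exist: tenant-wide ("AllPrincipals") or for a single user ("Principal").
    #    oauth2PermissionGrant.scope is a space-separated list of scope names.
    consented = any(
        g.get("consentType") in ("AllPrincipals", "Principal")
        and "User.Read" in g.get("scope", "").split()
        for g in grants
    )
    if not consented:
        findings.append("no oauth2PermissionGrant covering User.Read (admin or user consent missing)")
    return findings


# Constructed sample: a registration left at the portal defaults (exported manifest JSON).
DEFAULT_MANIFEST = json.loads(
    '{"displayName": "aad-auth-demo", "isFallbackPublicClient": false, "requiredResourceAccess": []}'
)
# Constructed sample: the same app after the fixes described in this issue.
FIXED_MANIFEST = {
    "displayName": "aad-auth-demo",
    "isFallbackPublicClient": True,
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
                                "resourceAccess": [{"id": USER_READ_SCOPE_ID, "type": "Scope"}]}],
}
FIXED_GRANTS = [{"consentType": "AllPrincipals", "scope": "User.Read"}]

if __name__ == "__main__":
    for name, m, g in (("default", DEFAULT_MANIFEST, []), ("fixed", FIXED_MANIFEST, FIXED_GRANTS)):
        print(name, check_app_registration(m, g) or ["ok"])
```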

Having issues even though everything is configured correctly: https://github.com/ubuntu/aad-auth/issues/420

turowicz avatar Dec 20 '23 10:12 turowicz