Hello guys,
We tried to use SSO with AzureAD and Grafana in our own environment.
The connection between AzureAD and SSO works so far. All the users can log in with their credentials. Perfect so far.
Now I want to use one group in AzureAD as admin and another group as editor.
I read this documentation: https://grafana.com/docs/grafana/latest/auth/azuread/#create-the-azure-ad-application
Especially the part about the manifest: I added this to my app in AzureAD and added an id generated with uuidgen on my Mac.
And here I have my issues now.
After I added everything and assigned one group to Grafana Admin and another group to Grafana Editor, it didn't work: everyone who logs in is still Editor (we set Editor as the default role).
Here is my setting for role_attribute_path, from this page:
role_attribute_path : contains(groups[*], 'Admin') && 'Admin' || contains(groups[*], 'Editor') && 'Editor' || 'Viewer'
I also tried this, because appRoles is the array:
role_attribute_path : contains(appRoles[*], 'Admin') && 'Admin' || contains(appRoles[*], 'Editor') && 'Editor' || 'Viewer'
But this was not working either.
Afterwards I tried removing everyone from the Users & groups section, but everyone who has a company email address can still log in, which makes no sense to me.
I also deleted the appRoles section from my manifest in AzureAD, but still the same issue. Without delegating who is allowed to use Grafana SSO, everyone with an email address in my domain has access.
Has anyone had the same problems? Or ideas on how to solve this?
Maybe just the role_attribute thing could help resolve everything.
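Added example, written by the editor of this page and not part of the original post or of Grafana's or Microsoft's code: a small diagnostic script for the setup described above. It checks an appRoles block in the shape the Grafana Azure AD docs describe (unique GUID ids, values Admin/Editor/Viewer, allowedMemberTypes including "User", isEnabled true), decodes a constructed id_token to show that Azure AD delivers app roles in the `roles` claim (not in `groups`, and `appRoles` is a manifest property, not a token claim), reports which claims a posted role_attribute_path expression refers to that are absent from the token, and maps the `roles` claim to a Grafana role with Admin > Editor > Viewer precedence. The sample manifest entries, the token, and the precedence rule are assumptions made for the example; the Viewer entry deliberately keeps the docs placeholder id so the check has something to report.

```python
"""Diagnostics for an Azure AD app-role -> Grafana role setup (added example).

All data below is constructed for the example; nothing is fetched from Azure AD.
"""
import base64
import json
import re
import uuid

# Grafana org roles in precedence order, highest privilege first (assumption).
GRAFANA_ROLES = ("Admin", "Editor", "Viewer")

# Constructed appRoles array in the shape of an Azure AD app manifest.
# Ids are placeholder GUIDs; the Viewer entry keeps the docs placeholder on purpose.
SAMPLE_APP_ROLES = [
    {"allowedMemberTypes": ["User"], "description": "Grafana admin users",
     "displayName": "Grafana Admin", "id": "a1b2c3d4-0000-4000-8000-000000000001",
     "isEnabled": True, "value": "Admin"},
    {"allowedMemberTypes": ["User"], "description": "Grafana editor users",
     "displayName": "Grafana Editor", "id": "a1b2c3d4-0000-4000-8000-000000000002",
     "isEnabled": True, "value": "Editor"},
    {"allowedMemberTypes": ["User"], "description": "Grafana viewer users",
     "displayName": "Grafana Viewer", "id": "SOME_UNIQUE_GUID",
     "isEnabled": True, "value": "Viewer"},
]

# The two expressions from the post, kept verbatim for the claim check.
POSTED_EXPRESSION_GROUPS = (
    "contains(groups[*], 'Admin') && 'Admin' || contains(groups[*], 'Editor') && 'Editor' || 'Viewer'"
)
POSTED_EXPRESSION_APPROLES = (
    "contains(appRoles[*], 'Admin') && 'Admin' || contains(appRoles[*], 'Editor') && 'Editor' || 'Viewer'"
)


def check_app_roles(app_roles):
    """Return a list of problems found in an appRoles array; an empty list means OK."""
    problems = []
    seen_ids = set()
    for role in app_roles:
        name = role.get("value", "<no value>")
        role_id = role.get("id")
        try:
            uuid.UUID(str(role_id))
        except ValueError:
            problems.append(f"{name}: id {role_id!r} is not a GUID (docs placeholder left in?)")
        if role_id in seen_ids:
            problems.append(f"{name}: duplicate id {role_id!r}")
        seen_ids.add(role_id)
        if name not in GRAFANA_ROLES:
            problems.append(f"{name}: value is not a Grafana org role")
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"{name}: allowedMemberTypes must include 'User' to assign users/groups")
        if not role.get("isEnabled", False):
            problems.append(f"{name}: role is disabled")
    return problems


def _b64url(obj):
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned id_token: app roles arrive in the "roles" claim.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "00000000-0000-0000-0000-000000000000",
             "iss": "https://login.microsoftonline.com/tenant-id/v2.0",
             "preferred_username": "alice@example.com",
             "roles": ["Editor", "Admin"]}),
    "signature-omitted-constructed-sample",
])


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT WITHOUT verifying the signature (diagnostic only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Simplified check: which claims does an expression of the form contains(<claim>[*], ...) read?
_CLAIM_REF = re.compile(r"contains\(\s*(\w+)\s*\[\*\]")


def missing_claims(role_attribute_path, claims):
    """Claims referenced by the expression that the token does not carry."""
    referenced = sorted(set(_CLAIM_REF.findall(role_attribute_path)))
    return [c for c in referenced if c not in claims]


def grafana_role_from_claims(claims, default_role="Viewer"):
    """Map the token's roles claim to one Grafana role; highest privilege wins (assumption)."""
    roles = claims.get("roles") or []
    for candidate in GRAFANA_ROLES:
        if candidate in roles:
            return candidate
    return default_role


if __name__ == "__main__":
    for problem in check_app_roles(SAMPLE_APP_ROLES):
        print("manifest:", problem)
    claims = decode_jwt_payload(SAMPLE_ID_TOKEN)
    print("claims present:", sorted(claims))
    for expr in (POSTED_EXPRESSION_GROUPS, POSTED_EXPRESSION_APPROLES):
        print("expression reads missing claims:", missing_claims(expr, claims))
    print("mapped Grafana role:", grafana_role_from_claims(claims, default_role="Editor"))
```

The decode step deliberately skips signature verification, so use it only to inspect a token you captured yourself while debugging, never as an authorization step. Note that the script says nothing about who may sign in at all: whether every account in the tenant can authenticate to the app is governed by the enterprise application's user-assignment setting in Azure AD, which is independent of the appRoles block and of role_attribute_path.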