-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AZURE_AD_ALLOWED_PRINCIPALS #192
base: main
Are you sure you want to change the base?
Conversation
@microsoft-github-policy-service agree |
59f78fc
to
e3515ed
Compare
New environment variable AZURE_AD_ALLOWED_PRINCIPALS is a comma separated list of Object IDs for Azure AD user/group principals that are allowed to log in to the app. If the list is empty, all authenticated users are allowed to log in. This feature utilizes the Microsoft Graph API endpoint /me/getMemberObjects.
81424e0
to
e7e0726
Compare
This looks nice but one note may need to be added for the scope, User.Read requires having admin consent granted first. |
Hi @lyajedi, thanks for the comment, In my org, I belong to more than 200 groups, so my ID token cannot include a list of object ids in the groups claim. Instead, it has only a reference to an Azure AD Graph endpoint (graph.windows.net) as described in this document. My understanding is that there is no other way than using MS Graph call to correctly handle all the possible situations. |
I also have more than 200 groups, and grant admin consent requires approval, so I have 3 alternative solutions for this case:
For an AAD app, if admin consent is granted, can just enable I eventually added the access control with approach 2), as I don't want to spend time on going through the procedure and getting the approval for admin consent (may take weeks), I just changed your code under try-catch part like below isAllowed = false
decodedToken = jwt.decode(tokens.id_token);
isAllowed = azureAdAllowedPrincipals.some(group => decodedToken.groups.includes(group)); |
I had never realized the actual use case of group filters (your 2nd solution) before. It serves as an excellent workaround for the limitation of a maximum of 200 entries in a group claim. I agree that my code should reference the content of ID tokens exclusively, rather than going through the trouble of calling the MS Graph API. Other solutions do not support nested members in the group assigned to apps, so they were not considered as options from the beginning. |
Hi guys, |
@checkso Yes, it will work for groups or organizations with a small number of users. However, as I mentioned earlier, it may not be sufficient for large enterprises with complex, multi-level group hierarchies, as it does not support the inclusion of nested group members within an assigned group. |
@yaegashi yes you are right, might not work for large enterprises. |
I mentioned |
This pull request adds support for AZURE_AD_ALLOWED_PRINCIPALS, which allows specifying a comma-separated list of Object IDs for Entra ID (Azure AD) user/group principals that are allowed to log in to the app. If the list is empty, all authenticated users are allowed to log in.
This feature utilizes the Microsoft Graph API endpoint /me/getMemberObjects, enabling support for transitive group members. It is highly beneficial as it allows managing access for individuals within a multi-nested organizational group hierarchy, which is commonly found in large enterprise tenants.