I was able to get mine to “work” part of the way by using the below:
Ran sensuctl auth list:

    type: OIDC
    api_version: authentication/v2
    metadata:
      created_by: admin
      labels:
        sensu.io/managed_by: sensuctl
      name: AzureAD
    spec:
      additional_scopes:
      - email
      - upn
      - groups
      - username
      client_id: REDACTED       # this is the app ID for Azure
      client_secret: REDACTED   # secret used
      groups_claim: groups
      groups_prefix: 'oidc:'
      redirect_uri: https://YOUR_URL_HERE/api/enterprise/authentication/v2/oidc/callback   # your URL, with https at the front
      server: https://sts.windows.net/TENANTID/   # the slash at the end is important, make sure you put https at the front
      username_claim: upn
      username_prefix: 'oidc:'
I then configured in my Azure AD the token claims of upn/groups/email to be passed through, and I am able to log in successfully. I have two problems that I have not been able to solve yet, though.
First problem is that even when I add oidc:GUID_OF_MY_GROUP I can’t get role bindings to apply. You can’t just map a user with oidc:UserPrincipalName since special characters are not allowed in a username. I can actually see the GUID is passed: when I look at the user I see oidc:[“GUID_HERE”,“ANOTHER_GUID_HERE”]. Passing the groups claim as a role and setting group_claim to target roles, it still fails with the group_claim not being passed through.
Second problem is that even though I have granted permission for the app to view account information, I am still prompted every time I log in to authorise the app to view basic user profile information, even though I have admin consented in Azure AD.
Hopefully that is of some help although I am not 100% sure if I have even configured it correctly but it seems to be similar to what I have done previously from other configurations.
I had to remove some prefixes at the start since the new-user limit on posting URL links stopped me - apologies!
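Added example (not from the post or from Sensu): a small offline check that decodes the payload of an ID token and applies the username/groups prefixes from the spec above, so you can see exactly which subject names a RoleBinding or ClusterRoleBinding would have to match. The token, claims and GUIDs are constructed; the mapping assumes Sensu prepends username_prefix to the username claim and groups_prefix to each entry of the groups claim.

```python
import base64
import json

# Constructed sample ID-token payload, not a real Azure AD token.
# Claims mirror the ones passed through in the post: upn, email, groups.
SAMPLE_PAYLOAD = {
    "iss": "https://sts.windows.net/TENANTID/",
    "upn": "alice@example.com",
    "email": "alice@example.com",
    "groups": ["11111111-2222-3333-4444-555555555555",
               "66666666-7777-8888-9999-000000000000"],
}

# Settings copied from the OIDC auth provider spec in the post
USERNAME_CLAIM = "upn"
USERNAME_PREFIX = "oidc:"
GROUPS_CLAIM = "groups"
GROUPS_PREFIX = "oidc:"


def b64url_encode(obj):
    """base64url-encode a dict as compact JSON, no padding (JWT style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_segment(segment):
    """Decode one base64url JWT segment (header or payload) to a dict.
    No signature check: this is only for inspecting claims locally."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def sensu_subjects(payload):
    """Apply the prefixes the way the spec above configures them and
    return (user subject, [group subjects]) for use in bindings."""
    username = USERNAME_PREFIX + payload[USERNAME_CLAIM]
    groups = payload.get(GROUPS_CLAIM, [])
    if isinstance(groups, str):  # a single group may arrive as a string
        groups = [groups]
    return username, [GROUPS_PREFIX + g for g in groups]


def subjects_from_token(token):
    """token is header.payload.signature; only the payload is read."""
    return sensu_subjects(decode_jwt_segment(token.split(".")[1]))


# Constructed unsigned token so the check runs offline
SAMPLE_TOKEN = ".".join([b64url_encode({"alg": "none"}), b64url_encode(SAMPLE_PAYLOAD), ""])

if __name__ == "__main__":
    print(subjects_from_token(SAMPLE_TOKEN))
```

Paste the payload segment of a real ID token in place of SAMPLE_TOKEN to see the subject names that the groups_claim actually yields; a group is only usable in a binding under the name printed here.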