Sure. In AzureAD it is set up as an App Registration. The redirect URL is: https://your_domain_name_here/api/enterprise/authentication/v2/oidc/callback
I then use the following token configuration:
The API permissions are set to pass email/openid/profile and User.Read as Graph API permissions (I tried playing around with them to no avail).
I can then log in, and I am prompted to consent every time for some reason, but then I get that I don't have the right permissions inside Sensu to see anything. The configuration does seem to work properly, as I see my Azure AD group GUID showing up in the profile section in Sensu when my user is logged in.
My environment is just a single standalone server since this is for my home lab environment.
I don't link my on-premise AD with my cloud instance, but one thing I thought of doing was passing the sAMAccountName as a claim and trying to use that as a login ID, and providing permissions based on the username rather than the AD groups that I pass from AzureAD. Mapping is all done via GUIDs at the moment, since Sensu won't allow an @ sign in the username. I use Puppet for my configuration and I have the following as role bindings (I tried the below with and without the group_prefix setting configured):
sensu::resources::role_bindings:
  role_binding_administrators:
    ensure: present
    role_ref:
      type: Role
      name: role_administrators
    subjects:
      - type: Group
        name: oidc:608d8XXXXXXXXXXXXXX3d322
      - type: Group
        name: 608d8XXXXXXXXXXXXXX3d322
Hope that is helpful (I had more pictures but I am limited by how many I can upload since I am a new poster!)
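The mapping the post is wrestling with (ID-token group claim → Sensu subject name → role binding match) can be reasoned about offline. The following is an added example, not code from the poster or from the Sensu project: it models Sensu's documented behaviour of joining a configured `groups_prefix`/`username_prefix` to the claim value with a colon, then checks the resulting identity against a role binding shaped like the one above. The token claims, the GUID and the `OidcProvider` dataclass are constructed for the example.

```python
from dataclasses import dataclass

# Constructed placeholder standing in for an Azure AD group object id (not a real GUID).
GROUP_GUID = "608d8-placeholder-guid-3d322"

# Constructed ID-token claims, roughly what Azure AD emits when the
# "groups" optional claim is enabled. All values are made up.
ID_TOKEN_CLAIMS = {
    "sub": "placeholder-subject-id",
    "email": "homelab.user@example.com",
    "groups": [GROUP_GUID],
}


@dataclass
class OidcProvider:
    """Hypothetical model of the relevant Sensu OIDC auth-provider spec fields."""
    groups_claim: str = "groups"
    username_claim: str = "sub"
    groups_prefix: str = ""
    username_prefix: str = ""


def _prefixed(prefix: str, value: str) -> str:
    # Sensu joins a non-empty prefix and the claim value with a colon;
    # an empty prefix leaves the value untouched.
    return f"{prefix}:{value}" if prefix else value


def sensu_identity(claims: dict, provider: OidcProvider) -> dict:
    """Return the username and group names Sensu would derive from the claims."""
    user = _prefixed(provider.username_prefix, claims[provider.username_claim])
    groups = [_prefixed(provider.groups_prefix, g)
              for g in claims.get(provider.groups_claim, [])]
    return {"user": user, "groups": groups}


# Same shape as the Puppet role binding in the post: one subject with the
# "oidc:" prefix, one without, so exactly one of them can ever match.
ROLE_BINDING = {
    "role_ref": {"type": "Role", "name": "role_administrators"},
    "subjects": [
        {"type": "Group", "name": f"oidc:{GROUP_GUID}"},
        {"type": "Group", "name": GROUP_GUID},
    ],
}


def matching_subjects(binding: dict, identity: dict) -> list:
    """Return the binding subjects that match the derived identity."""
    matched = []
    for subject in binding["subjects"]:
        if subject["type"] == "Group" and subject["name"] in identity["groups"]:
            matched.append(subject)
        elif subject["type"] == "User" and subject["name"] == identity["user"]:
            matched.append(subject)
    return matched


def binding_scope(binding: dict) -> str:
    # A binding to a Role only grants access inside the binding's namespace;
    # a ClusterRole binding grants cluster-wide access.
    return "cluster" if binding["role_ref"]["type"] == "ClusterRole" else "namespace"


if __name__ == "__main__":
    for prefix in ("", "oidc"):
        identity = sensu_identity(ID_TOKEN_CLAIMS, OidcProvider(groups_prefix=prefix))
        hits = [s["name"] for s in matching_subjects(ROLE_BINDING, identity)]
        print(f"groups_prefix={prefix!r}: groups={identity['groups']} matched={hits}")
    print("binding scope:", binding_scope(ROLE_BINDING))
```

Running it shows that whichever `groups_prefix` value is configured, one of the two subjects matches, so a subject-name mismatch alone would not explain "no permissions". The `binding_scope` check is the other thing worth confirming against the real cluster: a `Role`/`RoleBinding` pair is namespace-scoped, so resources in other namespaces (and anything that needs cluster-level rights) stay invisible unless a `ClusterRole` is bound.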