I was able to get mine to “work” part of the way by using the below:
Ran `sensuctl auth list` (secrets and URLs redacted):

```yaml
type: OIDC
api_version: authentication/v2
metadata:
  created_by: admin
  labels:
    sensu.io/managed_by: sensuctl
  name: AzureAD
spec:
  additional_scopes:
  - email
  - upn
  - groups
  - username
  client_id: **REDACTED**      # this is the app ID for Azure
  client_secret: **REDACTED**  # secret used
  groups_claim: groups
  groups_prefix: 'oidc:'
  redirect_uri: https://**YOUR_URL_HERE**/api/enterprise/authentication/v2/oidc/callback
  server: https://sts.windows.net/**TENANTID**/   # the slash at the end is important; make sure you put https at the front
  username_claim: upn
  username_prefix: 'oidc:'
```
I then configured in my Azure AD the ID token claims of upn/groups/email to be passed through, and I am able to log in successfully. I have two problems that I have not been able to solve yet though.

First problem is that even when I add oidc:GUID_OF_MY_GROUP I can't get role bindings to apply. You can't just map a user with oidc:UserPrincipalName since special characters are not allowed in a username. I can actually see the GUID is passed: when I look at the user I see oidc:["GUID_HERE","ANOTHER_GUID_HERE"]. Passing the groups claim as a role and setting group_claim to target roles, it still fails with the group_claim not being passed through.

Second problem is that even though I have granted permission for the app to view account information, I am still prompted every time I log in to authorise the app to view basic user profile information, even though I have admin consented in Azure AD.

Hopefully that is of some help, although I am not 100% sure if I have even configured it correctly, but it seems to be similar to what I have done previously with other configurations.

I had to remove some prefixes at the start because the new-user limit on posting URL links stopped me - apologies!
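As an added example (not from the post above and not Sensu's or Microsoft's own code), here is a small Python script for checking what Azure AD actually put in the ID token and which subject names Sensu RBAC would have to match once the provider config's `username_claim`/`groups_claim` and the `oidc:` prefixes are applied. The token, GUIDs and UPNs are constructed for the example, and the script deliberately does not verify the signature: it is for inspecting claims locally, not for authenticating anything. It also flags Azure AD's groups-overage form, where the token carries `_claim_names`/`_claim_sources` instead of a `groups` claim, which is one known reason a groups claim does not reach the relying party. The `cluster_role_binding` helper emits the core/v2 ClusterRoleBinding shape that sensuctl uses, with Group subjects named by the prefixed group values.

```python
import base64
import json

# Mirror the provider config from the post (assumed values, same names as the config).
USERNAME_CLAIM = "upn"
GROUPS_CLAIM = "groups"
USERNAME_PREFIX = "oidc:"
GROUPS_PREFIX = "oidc:"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Only for looking at which claims the IdP put in the token; Sensu itself
    validates the token against the tenant's signing keys, this script does not.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def sensu_subjects(claims: dict) -> dict:
    """Apply the provider's claim names and prefixes to a decoded payload.

    Returns the prefixed user subject, the prefixed group subjects, and whether
    the token is in Azure AD's groups-overage form (no "groups" claim; instead
    "_claim_names"/"_claim_sources" point at Graph), in which case no group
    subjects can be derived from the token alone.
    """
    user = claims.get(USERNAME_CLAIM)
    if not user:
        raise ValueError(f"token carries no {USERNAME_CLAIM!r} claim")
    overage = GROUPS_CLAIM in claims.get("_claim_names", {})
    groups = claims.get(GROUPS_CLAIM, [])
    if isinstance(groups, str):  # defensive: treat a scalar as a one-item list
        groups = [groups]
    return {
        "user": USERNAME_PREFIX + user,
        "groups": [GROUPS_PREFIX + g for g in groups],
        "groups_overage": overage,
    }


def cluster_role_binding(name: str, role: str, group_subjects: list) -> dict:
    """Sensu ClusterRoleBinding (core/v2) binding a ClusterRole to Group subjects."""
    return {
        "type": "ClusterRoleBinding",
        "api_version": "core/v2",
        "metadata": {"name": name},
        "spec": {
            "role_ref": {"type": "ClusterRole", "name": role},
            "subjects": [{"type": "Group", "name": g} for g in group_subjects],
        },
    }


# Constructed sample: an unsigned (alg "none") ID token with made-up tenant/group GUIDs.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "upn": "alice@example.com",
    "email": "alice@example.com",
    "groups": [
        "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    ],
}
SAMPLE_TOKEN = (
    _b64url_encode({"alg": "none", "typ": "JWT"}) + "." + _b64url_encode(SAMPLE_CLAIMS) + "."
)

# Constructed sample of the overage form: "groups" is absent and Graph must be queried instead.
OVERAGE_CLAIMS = {
    "upn": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {
            "endpoint": "https://graph.windows.net/11111111-1111-1111-1111-111111111111/"
                        "users/22222222-2222-2222-2222-222222222222/getMemberObjects"
        }
    },
}

if __name__ == "__main__":
    subjects = sensu_subjects(decode_payload(SAMPLE_TOKEN))
    print(json.dumps(subjects, indent=2))
    print(json.dumps(cluster_role_binding("azure-admins", "cluster-admin", subjects["groups"]), indent=2))
    print(json.dumps(sensu_subjects(OVERAGE_CLAIMS), indent=2))
```

Paste a real ID token (for example, one captured from the browser during the Sensu login redirect) into `decode_payload` to see whether `groups` is present and what each value looks like; the Group subject name in the role binding has to be the prefixed value exactly as it appears there.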