This repository has been archived by the owner on May 2, 2024. It is now read-only.

group membership management #236

Open
idaaas22 opened this issue May 26, 2023 · 11 comments
Labels
enhancement New feature or request

Comments

@idaaas22

With this new feature, I can log in on a workstation with my O365 account; the user account is created automatically, but there is no group membership management.
Ideally, aad-auth should request group membership from Azure AD, and in the /etc/aad.conf file we should manage the group mapping.
Ex: if my user is a member of the "ubuntu_root" group in Azure AD, an automatic process should add the user to the sudo group on all Ubuntu workstations when the user opens a session.
The process should refresh all group memberships (add and remove) at each logon.
Group management (creating and removing groups) should be handled by another process.
Regards

@denisonbarbosa denisonbarbosa added enhancement New feature or request jira Sync to jira labels May 29, 2023
@denisonbarbosa
Member

Hey, @idaaas22. This is not on our roadmap yet, but I'll mark it as an enhancement suggestion, since it is indeed a nice functionality to add. Thanks for the feedback!

@jibel jibel removed the jira Sync to jira label May 31, 2023
@ryanhulet

This makes aad-auth essentially unusable. I need to be able to assign groups on dynamic user creation or else users have no permissions. It is unreasonable to manually add users to groups after they are created from AAD

@dmulder

dmulder commented Sep 6, 2023

aad-auth should request group memberships using the graph url /me/memberOf. You just have to authenticate the user with the GroupMember.Read.All scope.

@nopa6 nopa6 mentioned this issue Sep 12, 2023
@ruben-herold

To keep it easy in the first instance, why can we not configure aad-auth this way:

[domain.com]
tenant_id = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
app_id = bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
offline_credentials_expiration = 30
homedir = /home/%u
shell = /bin/bash
default_groups = users,sudo, ...

So that new users will be added automatically to these groups?
This should be simple to realize and could be a massive improvement for most users.

Long term it would be better to be able to map them via AAD and so on...
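
Combining dmulder's /me/memberOf suggestion with the default_groups idea above, here is an added example (not aad-auth code) of the per-logon reconciliation the thread asks for; the [group_mapping] section, the function names and the sample config and Graph response are all assumptions constructed for this example.

```python
"""Plan local group changes at logon from a proposed aad.conf mapping and the
Graph /me/memberOf response, as discussed in this thread."""
import configparser
import json

# Constructed aad.conf sample. The [group_mapping] section is hypothetical:
# it maps an Entra ID group display name to a local Linux group.
SAMPLE_CONF = """[domain.com]
tenant_id = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
homedir = /home/%u
default_groups = users
[group_mapping]
ubuntu_root = sudo
ubuntu_docker = docker
"""
# Constructed, trimmed sample of a GET /me/memberOf response body.
SAMPLE_MEMBER_OF = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "ubuntu_root"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "finance"},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Administrator"},
]})

def load_conf(conf_text, domain):
    """Return (default_groups, mapping) parsed from the config text."""
    # interpolation=None keeps '%u' in homedir from being treated as a
    # substitution; optionxform=str keeps Entra group names case-sensitive.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(conf_text)
    raw = cfg.get(domain, "default_groups", fallback="")
    defaults = {g.strip() for g in raw.split(",") if g.strip()}
    mapping = dict(cfg["group_mapping"]) if cfg.has_section("group_mapping") else {}
    return defaults, mapping

def entra_groups(member_of_json):
    """Group display names only; directory roles and other object types are ignored."""
    objs = json.loads(member_of_json).get("value", [])
    return {o["displayName"] for o in objs if o.get("@odata.type") == "#microsoft.graph.group"}

def plan_logon(conf_text, domain, member_of_json, current_groups):
    """Return (to_add, to_remove) so membership is refreshed on every logon.
    Only groups this tool manages (defaults plus mapping targets) are ever
    removed, so a group an admin granted locally by hand is left alone."""
    defaults, mapping = load_conf(conf_text, domain)
    desired = defaults | {mapping[g] for g in entra_groups(member_of_json) if g in mapping}
    managed = defaults | set(mapping.values())
    current = set(current_groups)
    return sorted(desired - current), sorted((current & managed) - desired)
```

An unmapped Entra group such as "finance" grants nothing locally, and a removal only ever touches groups that the mapping or default_groups put the user into.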

@michael-staffa

Bumping this as well. Authentication with AAD without authorization seems a bit pointless.

@hcuk94

hcuk94 commented Feb 23, 2024

Bumping this also - being able to use AAD groups (directly or indirectly) for the likes of sudoers feels important for this to be able to seriously replace an LDAP config.

@bjoernwuest

I want to add a bump as well. For a small number of users, it may be ok to set up groups (e.g. also via a cron job querying Entra ID using an admin account), but it would be really nice if groups were read during login and you could configure a mapping table to Linux roles.
I am just not sure if new roles shall be created or not.

@dmulder

dmulder commented Apr 18, 2024

The device needs to be enrolled in order to support reading group memberships.

@ryanhulet

@dmulder even with devices enrolled I am seeing no membership attributes

@dmulder

dmulder commented Apr 18, 2024

@dmulder even with devices enrolled I am seeing no membership attributes

aad-auth doesn't provide device enrollment. I was saying this isn't possible without significant changes to aad-auth.

@dmulder

dmulder commented Apr 18, 2024

Take a look at #467. I've emailed the Ubuntu devs about collaboration on improving aad-auth, but they stopped responding months ago. The Samba and SSSD teams are working on the same functionality as aad-auth, but doing it the right way. When the recordings land for SambaXP 2024, check out Alexander Bokovoy's talk 'POSIX identities out of OAuth2 identity providers: how to redesign SSSD and Samba?' and my talk 'Bridging Worlds: Linux and Azure AD'. Or just try out Himmelblau now, which is the staging ground for the Samba/Winbind work.


9 participants