Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 5. Authentication with Microsoft Azure

To authenticate users with Microsoft Azure:

  1. Enable authentication with Microsoft Azure.
  2. Provision users from Microsoft Azure to the software catalog.

5.1. Enabling authentication with Microsoft Azure
Copiar enlace

Red Hat Developer Hub includes a Microsoft Azure authentication provider that can authenticate users by using OAuth.

Prerequisites

  1. You have the permission to register an application in Microsoft Azure.

Procedure

  1. To allow Developer Hub to authenticate with Microsoft Azure, create an OAuth application in Microsoft Azure.

    1. In the Azure portal go to App registrations, create a New registration with the configuration:

      Name
      The application name in Azure, such as <My Developer Hub>.

    2. On the Home > App registrations > <My Developer Hub> > Manage > Authentication page, Add a platform, with the following configuration:

      Redirect URI
      Enter the backend authentication URI set in Developer Hub: https://<my_developer_hub_url>/api/auth/microsoft/handler/frame
      Front-channel logout URL
      Leave blank.
      Implicit grant and hybrid flows
      Leave all checkboxes cleared.

    3. On the Home > App registrations > <My Developer Hub> > Manage > API permissions page, Add a Permission, then add the following Delegated permission for the Microsoft Graph API:

      • email
      • offline_access
      • openid
      • profile
      • User.Read
      • Optional custom scopes for the Microsoft Graph API that you define both in this section and in the app-config.yaml Developer Hub configuration file.

Your company might require you to grant admin consent for these permissions. Even if your company does not require admin consent, you might do so as it means users do not need to individually consent the first time they access backstage. To grant administrator consent, a directory administrator must go to the admin consent page and click Grant admin consent for COMPANY NAME.

  1. On the Home > App registrations > <My Developer Hub> > Manage > Certificates & Secrets page, in the Client secrets tab, create a New client secret.

  2. Save for the next step:

    • Directory (tenant) ID
    • Application (client) ID

    • Application (client) secret

      1. To add your Microsoft Azure credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets:

        AUTH_AZURE_TENANT_ID
        Enter your saved Directory (tenant) ID.
        AUTH_AZURE_CLIENT_ID
        Enter your saved Application (client) ID.
        AUTH_AZURE_CLIENT_SECRET
        Enter your saved Application (client) secret.

      2. Set up the Microsoft Azure authentication provider in your app-config.yaml file:

        app-config.yaml file fragment

        auth:
  environment: production
        1 
        
  providers:
    microsoft:
      production:
        clientId: ${AUTH_AZURE_CLIENT_ID}
        2 
        
        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
        tenantId: ${AUTH_AZURE_TENANT_ID}
signInPage: microsoft
        3
        Copy to Clipboard Toggle word wrap

        1
        Mark the environment as production and disable the Guest login option in the Developer Hub login page.
        2
        Apply the Microsoft Azure credentials configured in your Developer Hub secrets.
        3
        Set the Microsoft Azure provider as your Developer Hub sign-in provider.

        1. Optional: Consider adding following optional fields:

          domainHint

          Optional for single-tenant applications. You can reduce login friction for users with accounts in multiple tenants by automatically filtering out accounts from other tenants. If you want to use this parameter for a single-tenant application, uncomment and enter the tenant ID. If your application registration is multi-tenant, leave this parameter blank. For more information, see Home Realm Discovery.

          app-config.yaml file fragment with optional domainHint field

          auth:
  environment: production
  providers:
    microsoft:
      production:
        domainHint: ${AUTH_AZURE_TENANT_ID}
          Copy to Clipboard Toggle word wrap

          additionalScopes

          Optional for additional scopes. To add scopes for the application registration, uncomment and enter the list of scopes that you want to add. The default and mandatory value lists: 'openid', 'offline_access', 'profile', 'email', 'User.Read'.

          app-config.yaml file fragment with optional additionalScopes field

          auth:
  environment: production
  providers:
    microsoft:
      production:
        additionalScopes:
           - Mail.Send
          Copy to Clipboard Toggle word wrap

          sessionDuration

          Lifespan of the user session. Enter a duration in ms library format (such as '24h', '2 days'), ISO duration, or "human duration" as used in code.

          app-config-rhdh.yaml fragment with optional sessionDuration field

          auth:
  providers:
    microsoft:
      production:
        sessionDuration: { hours: 24 }
          Copy to Clipboard Toggle word wrap

          signIn
          resolvers
          After successful authentication, the user signing in must be resolved to an existing user in the Developer Hub catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: emailLocalPartMatchingUserEntityName.

          The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.

          Warning

          In production mode, only configure one resolver to ensure users are securely matched.

          resolver

          Enter the sign-in resolver name. Available resolvers:

          • userIdMatchingUserEntityAnnotation
          • emailLocalPartMatchingUserEntityName
          • emailMatchingUserEntityProfileEmail
          dangerouslyAllowSignInWithoutUserInCatalog: true

          Configure the sign-in resolver to bypass the user provisioning requirement in the Developer Hub software catalog.

          Warning

          Use dangerouslyAllowSignInWithoutUserInCatalog to explore Developer Hub features, but do not use it in production.

          app-config-rhdh.yaml fragment with optional field to allow signing in users absent from the software catalog

          auth:
  environment: production
  providers:
    microsoft:
      production:
        clientId: ${AUTH_AZURE_CLIENT_ID}
        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
        tenantId: ${AUTH_AZURE_TENANT_ID}
        signIn:
          resolvers:
            - resolver: usernameMatchingUserEntityName
              dangerouslyAllowSignInWithoutUserInCatalog: true
signInPage: microsoft
          Copy to Clipboard Toggle word wrap

        Note

        This step is optional for environments with outgoing access restrictions, such as firewall rules. If your environment has such restrictions, ensure that your RHDH backend can access the following hosts:

        • login.microsoftonline.com: For obtaining and exchanging authorization codes and access tokens.
        • graph.microsoft.com: For retrieving user profile information (as referenced in the source code). If this host is unreachable, you might see an Authentication failed, failed to fetch user profile error when attempting to log in.

        = Provisioning users from Microsoft Azure to the software catalog

        To authenticate users with Microsoft Azure, after Enabling authentication with Microsoft Azure, provision users from Microsoft Azure to the Developer Hub software catalog.

        Prerequisites

        Procedure

        • To enable Microsoft Azure member discovery, edit your custom Developer Hub ConfigMap, such as app-config-rhdh, and add following lines to the app-config.yaml content: 
catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        target: https://graph.microsoft.com/v1.0
        tenantId: ${AUTH_AZURE_TENANT_ID}
        clientId: ${AUTH_AZURE_CLIENT_ID}
        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
Copy to Clipboard Toggle word wrap
target: https://graph.microsoft.com/v1.0
Defines the MSGraph API endpoint the provider is connecting to. You might change this parameter to use a different version, such as the beta endpoint.
tenandId, clientId and clientSecret
Use the Developer Hub application information you created in Microsoft Azure and configured in OpenShift as secrets.

Optional: Consider adding the following optional microsoftGraphOrg.providerId fields:

authority: https://login.microsoftonline.com

Defines the authority used. Change the value to use a different authority, such as Azure US government. Default value: https://login.microsoftonline.com.

app-config.yaml fragment with optional queryMode field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        authority: https://login.microsoftonline.com/
Copy to Clipboard Toggle word wrap

queryMode: basic | advanced

By default, the Microsoft Graph API only provides the basic feature set for querying. Certain features require advanced querying capabilities. See Microsoft Azure Advanced queries.

app-config.yaml fragment with optional queryMode field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        queryMode: advanced
Copy to Clipboard Toggle word wrap

user.expand

To include the expanded resource or collection referenced by a single relationship (navigation property) in your results. Only one relationship can be expanded in a single request. See Microsoft Graph query expand parameter. This parameter can be combined with ???TITLE??? or ???TITLE???.

app-config.yaml fragment with optional user.expand field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          expand: manager
Copy to Clipboard Toggle word wrap

user.filter

To filter users. See Microsoft Graph API and Microsoft Graph API query filter parameters syntax. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.

app-config.yaml fragment with optional user.filter field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          filter: accountEnabled eq true and userType eq 'member'
Copy to Clipboard Toggle word wrap

user.loadPhotos: true | false

Load photos by default. Set to false to not load user photos.

app-config.yaml fragment with optional user.loadPhotos field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          loadPhotos: true
Copy to Clipboard Toggle word wrap

user.select

Define the Microsoft Graph resource types to retrieve.

app-config.yaml fragment with optional user.select field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          select: ['id', 'displayName', 'description']
Copy to Clipboard Toggle word wrap

userGroupMember.filter

To use group membership to get users. To filter groups and fetch their members. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.

app-config.yaml fragment with optional userGroupMember.filter field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        userGroupMember:
          filter: "displayName eq 'Backstage Users'"
Copy to Clipboard Toggle word wrap

userGroupMember.search

To use group membership to get users. To search for groups and fetch their members. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.

app-config.yaml fragment with optional userGroupMember.search field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        userGroupMember:
          search: '"description:One" AND ("displayName:Video" OR "displayName:Drive")'
Copy to Clipboard Toggle word wrap

group.expand

Optional parameter to include the expanded resource or collection referenced by a single relationship (navigation property) in your results. Only one relationship can be expanded in a single request. See https://docs.microsoft.com/en-us/graph/query-parameters#expand-parameter This parameter can be combined with ???TITLE??? instead of ???TITLE???.

app-config.yaml fragment with optional group.expand field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          expand: member
Copy to Clipboard Toggle word wrap

group.filter

To filter groups. See Microsoft Graph API query group syntax.

app-config.yaml fragment with optional group.filter field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          filter: securityEnabled eq false and mailEnabled eq true and groupTypes/any(c:c+eq+'Unified')
Copy to Clipboard Toggle word wrap

group.search

To search for groups. See Microsoft Graph API query search parameter.

app-config.yaml fragment with optional group.search field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          search: '"description:One" AND ("displayName:Video" OR "displayName:Drive")'
Copy to Clipboard Toggle word wrap

group.select

To define the Microsoft Graph resource types to retrieve.

app-config.yaml fragment with optional group.select field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          select: ['id', 'displayName', 'description']
Copy to Clipboard Toggle word wrap

schedule.frequency

To specify custom schedule frequency. Supports cron, ISO duration, and "human duration" as used in code.

app-config.yaml fragment with optional schedule.frequency field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        schedule:
          frequency: { hours: 1 }
Copy to Clipboard Toggle word wrap

schedule.timeout

To specify custom timeout. Supports ISO duration and "human duration" as used in code.

app-config.yaml fragment with optional schedule.timeout field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        schedule:
          timeout: { minutes: 50 }
Copy to Clipboard Toggle word wrap

schedule.initialDelay

To specify custom initial delay. Supports ISO duration and "human duration" as used in code.

app-config.yaml fragment with optional schedule.initialDelay field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        schedule:
          initialDelay: { seconds: 15}
Copy to Clipboard Toggle word wrap

Verification

  1. Check the console logs to verify that the synchronization is completed.

    Successful synchronization example:

    backend:start: {"class":"MicrosoftGraphOrgEntityProvider$1","level":"info","message":"Read 1 msgraph users and 1 msgraph groups in 2.2 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"MicrosoftGraphOrgEntityProvider:default:refresh","taskInstanceId":"88a67ce1-c466-41a4-9760-825e16b946be","timestamp":"2024-06-26 12:23:42"}
backend:start: {"class":"MicrosoftGraphOrgEntityProvider$1","level":"info","message":"Committed 1 msgraph users and 1 msgraph groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"MicrosoftGraphOrgEntityProvider:default:refresh","taskInstanceId":"88a67ce1-c466-41a4-9760-825e16b946be","timestamp":"2024-06-26 12:23:42"}
    Copy to Clipboard Toggle word wrap

  2. Log in with a Microsoft Azure account.
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat