Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 4. Authentication with Microsoft Azure

To authenticate users with Microsoft Azure:

  1. Enable authentication with Microsoft Azure.
  2. Provision users from Microsoft Azure to the software catalog.

4.1. Enabling authentication with Microsoft Azure
링크 복사

Red Hat Developer Hub includes a Microsoft Azure authentication provider that can authenticate users by using OAuth.

Prerequisites

  1. You have the permission to register an application in Microsoft Azure.

Procedure

  1. To allow Developer Hub to authenticate with Microsoft Azure, create an OAuth application in Microsoft Azure.

    1. In the Azure portal go to App registrations, create a New registration with the configuration:

      Name
      The application name in Azure, such as <My Developer Hub>.

    2. On the Home > App registrations > <My Developer Hub> > Manage > Authentication page, Add a platform, with the following configuration:

      Redirect URI
      Enter the backend authentication URI set in Developer Hub: https://<my_developer_hub_url>/api/auth/microsoft/handler/frame
      Front-channel logout URL
      Leave blank.
      Implicit grant and hybrid flows
      Leave all checkboxes cleared.

    3. On the Home > App registrations > <My Developer Hub> > Manage > API permissions page, Add a Permission, then add the following Delegated permission for the Microsoft Graph API:

      • email
      • offline_access
      • openid
      • profile
      • User.Read.All
      • GroupMember.Read.All
      • Optional custom scopes for the Microsoft Graph API that you define both in this section and in the app-config.yaml Developer Hub configuration file.

Your company might require you to grant admin consent for these permissions. Even if your company does not require admin consent, you might do so as it means users do not need to individually consent the first time they access backstage. To grant administrator consent, a directory administrator must go to the admin consent page and click Grant admin consent for COMPANY NAME.

  1. On the Home > App registrations > <My Developer Hub> > Manage > Certificates & Secrets page, in the Client secrets tab, create a New client secret.

  2. Save for the next step:

    • Directory (tenant) ID
    • Application (client) ID

    • Application (client) secret

      1. To add your Microsoft Azure credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets:

        AUTH_AZURE_TENANT_ID
        Enter your saved Directory (tenant) ID.
        AUTH_AZURE_CLIENT_ID
        Enter your saved Application (client) ID.
        AUTH_AZURE_CLIENT_SECRET
        Enter your saved Application (client) secret.

      2. Set up the Microsoft Azure authentication provider in your app-config.yaml file:

        app-config.yaml file fragment

        auth:
  environment: production
        1 
        
  providers:
    microsoft:
      production:
        clientId: ${AUTH_AZURE_CLIENT_ID}
        2 
        
        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
        tenantId: ${AUTH_AZURE_TENANT_ID}
signInPage: microsoft
        3
        Copy to Clipboard Toggle word wrap

        1
        Mark the environment as production and disable the Guest login option in the Developer Hub login page.
        2
        Apply the Microsoft Azure credentials configured in your Developer Hub secrets.
        3
        Set the Microsoft Azure provider as your Developer Hub sign-in provider.

  3. Optional: Consider adding following optional fields:

    domainHint

    Optional for single-tenant applications. You can reduce login friction for users with accounts in multiple tenants by automatically filtering out accounts from other tenants. If you want to use this parameter for a single-tenant application, uncomment and enter the tenant ID. If your application registration is multi-tenant, leave this parameter blank. For more information, see Home Realm Discovery.

    app-config.yaml file fragment with optional domainHint field

    auth:
  environment: production
  providers:
    microsoft:
      production:
        domainHint: ${AUTH_AZURE_TENANT_ID}
    Copy to Clipboard Toggle word wrap

    additionalScopes

    Optional for additional scopes. To add scopes for the application registration, uncomment and enter the list of scopes that you want to add. The default and mandatory value lists: 'openid', 'offline_access', 'profile', 'email', 'User.Read'.

    app-config.yaml file fragment with optional additionalScopes field

    auth:
  environment: production
  providers:
    microsoft:
      production:
        additionalScopes:
           - Mail.Send
    Copy to Clipboard Toggle word wrap

    sessionDuration

    Lifespan of the user session. Enter a duration in ms library format (such as '24h', '2 days'), ISO duration, or "human duration" as used in code.

    app-config-rhdh.yaml fragment with optional sessionDuration field

    auth:
  providers:
    microsoft:
      production:
        sessionDuration: { hours: 24 }
    Copy to Clipboard Toggle word wrap

    signIn
    resolvers
    After successful authentication, the user signing in must be resolved to an existing user in the Developer Hub catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: emailLocalPartMatchingUserEntityName.

    The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.

    Warning

    In production mode, only configure one resolver to ensure users are securely matched.

    resolver

    Enter the sign-in resolver name. Available resolvers:

    • userIdMatchingUserEntityAnnotation
    • emailLocalPartMatchingUserEntityName
    • emailMatchingUserEntityProfileEmail
    dangerouslyAllowSignInWithoutUserInCatalog: true

    Configure the sign-in resolver to bypass the user provisioning requirement in the Developer Hub software catalog.

    Warning

    Use dangerouslyAllowSignInWithoutUserInCatalog to explore Developer Hub features, but do not use it in production.

    app-config-rhdh.yaml fragment with optional field to allow signing in users absent from the software catalog

    auth:
  environment: production
  providers:
    microsoft:
      production:
        clientId: ${AUTH_AZURE_CLIENT_ID}
        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
        tenantId: ${AUTH_AZURE_TENANT_ID}
        signIn:
          resolvers:
            - resolver: usernameMatchingUserEntityName
              dangerouslyAllowSignInWithoutUserInCatalog: true
signInPage: microsoft
    Copy to Clipboard Toggle word wrap

Note

This step is optional for environments with outgoing access restrictions, such as firewall rules. If your environment has such restrictions, ensure that your RHDH backend can access the following hosts:

  • login.microsoftonline.com: For obtaining and exchanging authorization codes and access tokens.
  • graph.microsoft.com: For retrieving user profile information (as referenced in the source code). If this host is unreachable, you might see an Authentication failed, failed to fetch user profile error when attempting to log in.

4.2. Provisioning users from Microsoft Azure to the software catalog
링크 복사

To authenticate users with Microsoft Azure, after Enabling authentication with Microsoft Azure, provision users from Microsoft Azure to the Developer Hub software catalog.

Prerequisites

Procedure

  1. Enable the backstage-plugin-catalog-backend-module-msgraph-dynamic plugin.

    dynamic-plugins.yaml file fragment

    plugins:
  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-msgraph-dynamic'
    disabled: false
    Copy to Clipboard Toggle word wrap

  2. To enable Microsoft Azure member discovery, edit app-config.yaml, your custom Developer Hub configuration file::

    app-config.yaml fragment with mandatory microsoftGraphOrg fields

    catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        target: https://graph.microsoft.com/v1.0
        tenantId: ${AUTH_AZURE_TENANT_ID}
        clientId: ${AUTH_AZURE_CLIENT_ID}
        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
        schedule:
          frequency: { hours: 1 }
          timeout: { minutes: 50 }
          initialDelay: { minutes: 50 }
    Copy to Clipboard Toggle word wrap

    target: https://graph.microsoft.com/v1.0
    Defines the MSGraph API endpoint the provider is connecting to. You might change this parameter to use a different version, such as the beta endpoint.
    tenandId, clientId and clientSecret
    Use the Developer Hub application information you created in Microsoft Azure and configured in OpenShift as secrets.
    schedule
    frequency
    Enter the schedule frequency as cron, ISO duration, or human duration as used in code.
    timeout
    Enter the schedule timeout as ISO duration or human duration as used in code.
    initialDelay

    Enter the schedule initial delay as ISO duration or human duration as used in code.

    Tip

    In a large organization, this plugin can take a long time. Therefore, avoid setting a low frequency or timeout when importing a large number of users and groups for the first time.

Optional: Consider adding the following optional microsoftGraphOrg.providerId fields:

authority: https://login.microsoftonline.com

Defines the authority used. Change the value to use a different authority, such as Azure US government. Default value: https://login.microsoftonline.com.

app-config.yaml fragment with optional queryMode field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        authority: https://login.microsoftonline.com/
Copy to Clipboard Toggle word wrap

queryMode: basic | advanced

By default, the Microsoft Graph API only provides the basic feature set for querying. Certain features require advanced querying capabilities. See Microsoft Azure Advanced queries.

app-config.yaml fragment with optional queryMode field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        queryMode: advanced
Copy to Clipboard Toggle word wrap

user.expand

To include the expanded resource or collection referenced by a single relationship (navigation property) in your results. Only one relationship can be expanded in a single request. See Microsoft Graph query expand parameter. This parameter can be combined with ] or xref:userFilter[.

app-config.yaml fragment with optional user.expand field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          expand: manager
Copy to Clipboard Toggle word wrap

user.filter

To filter users. See Microsoft Graph API and Microsoft Graph API query filter parameters syntax. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.

app-config.yaml fragment with optional user.filter field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          filter: accountEnabled eq true and userType eq 'member'
Copy to Clipboard Toggle word wrap

user.loadPhotos: true | false

Load photos by default. Set to false to not load user photos.

app-config.yaml fragment with optional user.loadPhotos field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          loadPhotos: true
Copy to Clipboard Toggle word wrap

user.select

Define the Microsoft Graph resource types to retrieve.

app-config.yaml fragment with optional user.select field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        user:
          select: ['id', 'displayName', 'description']
Copy to Clipboard Toggle word wrap

userGroupMember.filter

To use group membership to get users. To filter groups and fetch their members. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.

app-config.yaml fragment with optional userGroupMember.filter field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        userGroupMember:
          filter: "displayName eq 'Backstage Users'"
Copy to Clipboard Toggle word wrap

userGroupMember.search

To use group membership to get users. To search for groups and fetch their members. This parameter and ???TITLE??? are mutually exclusive, only one can be specified.

app-config.yaml fragment with optional userGroupMember.search field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        userGroupMember:
          search: '"description:One" AND ("displayName:Video" OR "displayName:Drive")'
Copy to Clipboard Toggle word wrap

group.expand

Optional parameter to include the expanded resource or collection referenced by a single relationship (navigation property) in your results. Only one relationship can be expanded in a single request. See https://docs.microsoft.com/en-us/graph/query-parameters#expand-parameter This parameter can be combined with ] instead of xref:userFilter[.

app-config.yaml fragment with optional group.expand field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          expand: member
Copy to Clipboard Toggle word wrap

group.filter

To filter groups. See Microsoft Graph API query group syntax.

app-config.yaml fragment with optional group.filter field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          filter: securityEnabled eq false and mailEnabled eq true and groupTypes/any(c:c+eq+'Unified')
Copy to Clipboard Toggle word wrap

group.search

To search for groups. See Microsoft Graph API query search parameter.

app-config.yaml fragment with optional group.search field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          search: '"description:One" AND ("displayName:Video" OR "displayName:Drive")'
Copy to Clipboard Toggle word wrap

group.select

To define the Microsoft Graph resource types to retrieve.

app-config.yaml fragment with optional group.select field

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        group:
          select: ['id', 'displayName', 'description']
Copy to Clipboard Toggle word wrap

Verification

  1. Check the console logs to verify that the synchronization is completed.

    Successful synchronization example:

    backend:start: {"class":"MicrosoftGraphOrgEntityProvider$1","level":"info","message":"Read 1 msgraph users and 1 msgraph groups in 2.2 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"MicrosoftGraphOrgEntityProvider:default:refresh","taskInstanceId":"88a67ce1-c466-41a4-9760-825e16b946be","timestamp":"2024-06-26 12:23:42"}
backend:start: {"class":"MicrosoftGraphOrgEntityProvider$1","level":"info","message":"Committed 1 msgraph users and 1 msgraph groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"MicrosoftGraphOrgEntityProvider:default:refresh","taskInstanceId":"88a67ce1-c466-41a4-9760-825e16b946be","timestamp":"2024-06-26 12:23:42"}
    Copy to Clipboard Toggle word wrap

  2. Log in with a Microsoft Azure account.
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2026 Red Hat맨 위로 이동