docs: Update Azure AD to Entra ID #16869

Merged
merged 2 commits into from
Jan 17, 2024
51 changes: 27 additions & 24 deletions docs/operator-manual/user-management/microsoft.md
@@ -1,13 +1,16 @@
# Microsoft

* [Azure AD SAML Enterprise App Auth using Dex](#azure-ad-saml-enterprise-app-auth-using-dex)
* [Azure AD App Registration Auth using OIDC](#azure-ad-app-registration-auth-using-oidc)
* [Azure AD App Registration Auth using Dex](#azure-ad-app-registration-auth-using-dex)
!!! note ""
Entra ID was formerly known as Azure AD.

## Azure AD SAML Enterprise App Auth using Dex
### Configure a new Azure AD Enterprise App
* [Entra ID SAML Enterprise App Auth using Dex](#entra-id-saml-enterprise-app-auth-using-dex)
* [Entra ID App Registration Auth using OIDC](#entra-id-app-registration-auth-using-oidc)
* [Entra ID App Registration Auth using Dex](#entra-id-app-registration-auth-using-dex)

1. From the `Azure Active Directory` > `Enterprise applications` menu, choose `+ New application`
## Entra ID SAML Enterprise App Auth using Dex
### Configure a new Entra ID Enterprise App

1. From the `Microsoft Entra ID` > `Enterprise applications` menu, choose `+ New application`
2. Select `Non-gallery application`
3. Enter a `Name` for the application (e.g. `Argo CD`), then choose `Add`
4. Once the application is created, open it from the `Enterprise applications` menu.
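Review bot: the `!!! note ""` admonition introduced at the top of this hunk only renders as a note box if its body line (`Entra ID was formerly known as Azure AD.`) is indented by four spaces beneath the marker; the rendered diff does not preserve leading whitespace, so please confirm the indentation in the raw file, otherwise MkDocs will emit an empty note followed by a stray paragraph. The anchor fragments in the rewritten bullet list (`#entra-id-saml-enterprise-app-auth-using-dex` and the two others) do match the renamed headings, so the in-page links stay valid.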
Expand All @@ -31,9 +34,9 @@
- *Keep a copy of the encoded output to be used in the next section.*
9. From the `Single sign-on` menu, copy the `Login URL` parameter, to be used in the next section.

### Configure Argo to use the new Azure AD Enterprise App
### Configure Argo to use the new Entra ID Enterprise App

1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Azure AD App:
1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Entra ID App:

data:
url: https://my-argo-cd-url
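Review bot: the renamed step 1 line is still missing a preposition: `replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Entra ID App` should read `... and `my-login-url` with your values from the Entra ID App`. Since the line is being rewritten for the rename anyway, fix the grammar in the same change rather than leaving it for a follow-up.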
Expand All @@ -56,7 +59,7 @@
groupsAttr: Group

2. Edit `argocd-rbac-cm` to configure permissions, similar to example below.
- Use Azure AD `Group IDs` for assigning roles.
- Use Entra ID `Group IDs` for assigning roles.
- See [RBAC Configurations](../rbac.md) for more detailed scenarios.

# example policy
Expand All @@ -70,11 +73,11 @@
p, role:org-admin, repositories, delete, *, allow
g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)

## Azure AD App Registration Auth using OIDC
### Configure a new Azure AD App registration
#### Add a new Azure AD App registration
## Entra ID App Registration Auth using OIDC
### Configure a new Entra ID App registration
#### Add a new Entra ID App registration

1. From the `Azure Active Directory` > `App registrations` menu, choose `+ New registration`
1. From the `Microsoft Entra ID` > `App registrations` menu, choose `+ New registration`
2. Enter a `Name` for the application (e.g. `Argo CD`).
3. Specify who can use the application (e.g. `Accounts in this organizational directory only`).
4. Enter Redirect URI (optional) as follows (replacing `my-argo-cd-url` with your Argo URL), then choose `Add`.
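Review bot: the unchanged context line `g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)` still calls it an `azure group` directly above the three headings this hunk renames to `Entra ID`; update the trailing comment to `# (Entra ID group assigned to role)` so the example policy uses the same terminology as the surrounding text.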
Expand All @@ -92,29 +95,29 @@
- **Redirect URI:** `http://localhost:8085/auth/callback`
![Azure App registration's Authentication](../../assets/azure-app-registration-authentication.png "Azure App registration's Authentication")

#### Add credentials a new Azure AD App registration
#### Add credentials a new Entra ID App registration

1. From the `Certificates & secrets` menu, choose `+ New client secret`
2. Enter a `Name` for the secret (e.g. `ArgoCD-SSO`).
- Make sure to copy and save generated value. This is a value for the `client_secret`.
![Azure App registration's Secret](../../assets/azure-app-registration-secret.png "Azure App registration's Secret")

#### Setup permissions for Azure AD Application
#### Setup permissions for Entra ID Application

1. From the `API permissions` menu, choose `+ Add a permission`
2. Find `User.Read` permission (under `Microsoft Graph`) and grant it to the created application:
![Azure AD API permissions](../../assets/azure-api-permissions.png "Azure AD API permissions")
![Entra ID API permissions](../../assets/azure-api-permissions.png "Entra ID API permissions")
3. From the `Token Configuration` menu, choose `+ Add groups claim`
![Azure AD token configuration](../../assets/azure-token-configuration.png "Azure AD token configuration")
![Entra ID token configuration](../../assets/azure-token-configuration.png "Entra ID token configuration")

### Associate an Azure AD group to your Azure AD App registration
### Associate an Entra ID group to your Entra ID App registration

1. From the `Azure Active Directory` > `Enterprise applications` menu, search the App that you created (e.g. `Argo CD`).
- An Enterprise application with the same name of the Azure AD App registration is created when you add a new Azure AD App registration.
1. From the `Microsoft Entra ID` > `Enterprise applications` menu, search the App that you created (e.g. `Argo CD`).
- An Enterprise application with the same name of the Entra ID App registration is created when you add a new Entra ID App registration.
2. From the `Users and groups` menu of the app, add any users or groups requiring access to the service.
![Azure Enterprise SAML Users](../../assets/azure-enterprise-users.png "Azure Enterprise SAML Users")

### Configure Argo to use the new Azure AD App registration
### Configure Argo to use the new Entra ID App registration

1. Edit `argocd-cm` and configure the `data.oidc.config` and `data.url` section:
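Review bot: two of the renamed headings carry pre-existing wording problems that should be fixed while they are being touched: `#### Add credentials a new Entra ID App registration` is missing `to` (`#### Add credentials to a new Entra ID App registration`), and `#### Setup permissions for Entra ID Application` uses the noun `Setup` where the imperative `Set up` is meant. If the second one is changed, the later step that refers to it by name (`Setup permissions for Entra ID Application` in the log-in walkthrough) must be updated to match, or the cross-reference breaks. Separately, the image alt text and title strings in this hunk are updated inconsistently: `Azure AD API permissions` and `Azure AD token configuration` become `Entra ID ...`, while `Azure App registration's Authentication`, `Azure App registration's Secret` and `Azure Enterprise SAML Users` on the unchanged lines keep the old wording; pick one convention for all of them (leaving the `azure-*.png` asset filenames alone is fine).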

Expand Down Expand Up @@ -173,7 +176,7 @@

Refer to [operator-manual/argocd-rbac-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml) for all of the available variables.

## Azure AD App Registration Auth using Dex
## Entra ID App Registration Auth using Dex

Configure a new AD App Registration, as above.
Then, add the `dex.config` to `argocd-cm`:
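Review bot: the context line `Configure a new AD App Registration, as above.` still uses the old `AD` name immediately under the heading this hunk renames to `## Entra ID App Registration Auth using Dex`; change it to `Configure a new Entra ID App Registration, as above.` so the section it points back to (`### Configure a new Entra ID App registration`) is named consistently.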
Expand All @@ -200,9 +203,9 @@ data:

1. Open a new browser tab and enter your ArgoCD URI: https://`<my-argo-cd-url>`
![Azure SSO Web Log In](../../assets/azure-sso-web-log-in-via-azure.png "Azure SSO Web Log In")
3. Click `LOGIN VIA AZURE` button to log in with your Azure Active Directory account. You’ll see the ArgoCD applications screen.
3. Click `LOGIN VIA AZURE` button to log in with your Microsoft Entra ID account. You’ll see the ArgoCD applications screen.
![Azure SSO Web Application](../../assets/azure-sso-web-application.png "Azure SSO Web Application")
4. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the `Setup permissions for Azure AD Application` step.
4. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the `Setup permissions for Entra ID Application` step.
![Azure SSO Web User Info](../../assets/azure-sso-web-user-info.png "Azure SSO Web User Info")

### Log in to ArgoCD using CLI
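Review bot: the numbered list in this hunk jumps from `1. Open a new browser tab ...` straight to `3. Click `LOGIN VIA AZURE` button ...`; Markdown will renumber it sequentially on render, but check whether a step 2 was lost or the numbers simply need correcting. Leaving the `LOGIN VIA AZURE` button label unchanged is correct, since it is the literal UI text Argo CD shows, and the renamed reference `Setup permissions for Entra ID Application` matches the heading text as it appears in this PR.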