Azure AD User not taking admin role #499

Closed
agrondemiraj opened this issue Oct 22, 2023 · 3 comments
agrondemiraj commented Oct 22, 2023

Jenkins and plugins versions report

Environment
I have a scenario that I need to configure Azure AD to manage the Jenkins users. I have installed Azure AD Plugin version 412.vdf45b_6a_b_da_81 from https://plugins.jenkins.io/azure-ad/

After configuration, I am able to correctly fetch the users, however when I am applying admin role to specific users, the users are not seeing Manage Jenkins or any Folder/View/Job which exists already in Jenkins.

Seems like the users are not being provided with Admin Role even though I am assigning the same.

What Operating System are you using (both controller, and any agents involved in the problem)?

RHEL 8.8 Single Jenkins Installation

Reproduction steps

  1. Install Azure AD
  2. Get details for the Jenkins App from Azure
  3. Open Jenkins --> Manage Jenkins --> Security
  4. Change Security Realm to Azure Active Directory and configure as per the details from Step 2 and Verify Configuration
  5. Change Authorization to Role-Based Strategy and Save
  6. From Manage Jenkins Page go to Manage and Assign Roles
  7. Add a Role named "authenticated" and give Overall Read Access (otherwise I was getting the user does not have overall Read Permission). Confusing that even admin user needed this!
  8. Then go to Assign Roles and on Global roles add a user from the AD and tick the Admin Role and Save.
  9. Try to login to Jenkins with this user from step 8.

Expected Results

User from AD with Admin Assigned Role to have Admin Role.

Actual Results

User with Admin Role in Global Roles not having Admin Privilege.

Anything else?

No response

Member

timja commented Oct 22, 2023

Looks solved from my reading of the jenkinsci/jenkins gitter channel, the remaining part appears to be a duplicate of #441.

Reply here if that's not the case and I'll re-open

timja closed this as not planned Oct 22, 2023
@agrondemiraj
Author

> Looks solved from my reading of the jenkinsci/jenkins gitter channel, the remaining part appears to be a duplicate of #441.
>
> Reply here if that's not the case and I'll re-open

I actually wasn't aware that it is expecting objectId instead of e-mail address, so you can say from gitter channel I managed to add a user but this is definitely not the proper way.

I agree that #441 treats the same issue as here, but I have shared more details if needed from the developers.

We need to be able to add users using userPrincipalName

Member

timja commented Oct 23, 2023

> I actually wasn't aware that it is expecting objectId instead of e-mail address, so you can say from gitter channel I managed to add a user but this is definitely not the proper way.

Why? UPN is not a stable identifier, see https://learn.microsoft.com/en-us/answers/questions/30564/upn-not-a-durable-identifier-for-the-user-and-shou

> I agree that #441 treats the same issue as here, but I have shared more details if needed from the developers.
>
> We need to be able to add users using userPrincipalName

You can if you use the AzureAD Matrix strategy:

image

image
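The objectId versus UPN point discussed in this thread, as an added example that is not code from the plugin or from either participant: a small audit that flags role entries keyed on a name instead of an objectId and shows which account each entry resolves to today. The function name `audit_assignments`, the `DirUser` type and all sample users and IDs are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Azure AD objectIds are GUIDs; anything else in a role entry is a name.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

@dataclass(frozen=True)
class DirUser:
    object_id: str  # stays with the account for its lifetime
    upn: str        # can be renamed, then issued again to a different account

def audit_assignments(assignments, directory):
    """Return (role, sid, status, resolved_object_id) for each role entry.

    assignments: (role, sid) pairs as typed into the role assignment screen
    directory:   current snapshot of directory users (constructed here)
    """
    by_id = {u.object_id.lower(): u for u in directory}
    by_upn = {u.upn.lower(): u for u in directory}
    findings = []
    for role, sid in assignments:
        key = sid.lower()
        if GUID.match(key):
            user = by_id.get(key)
            status = "ok" if user else "orphaned-object-id"
        else:
            user = by_upn.get(key)
            # Resolves to whoever holds the name today, not who it was granted to.
            status = "upn-not-durable" if user else "unresolved"
        findings.append((role, sid, status, user.object_id if user else None))
    return findings

# Constructed sample data: the original admin was renamed and the old UPN
# was later issued to a new account with a different objectId.
ORIGINAL_ADMIN = "11111111-1111-4111-8111-111111111111"
NEW_ACCOUNT = "22222222-2222-4222-8222-222222222222"
DIRECTORY_NOW = [
    DirUser(ORIGINAL_ADMIN, "a.smith@example.com"),
    DirUser(NEW_ACCOUNT, "alice@example.com"),
]
ASSIGNMENTS = [
    ("admin", "alice@example.com"),   # entered by UPN
    ("admin", ORIGINAL_ADMIN),        # entered by objectId
    ("admin", "33333333-3333-4333-8333-333333333333"),  # deleted account
]

if __name__ == "__main__":
    for finding in audit_assignments(ASSIGNMENTS, DIRECTORY_NOW):
        print(finding)
```

In the sample, the entry typed as a UPN now resolves to the new account's objectId, while the entry typed as an objectId still points at the account it was granted to.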
