Azure AD API Removal
This document (000020682) is provided subject to the disclaimer at the end of this document.
Situation
Summary of Changes
Microsoft is ending support for the existing Azure AD Graph API before 2023. Accordingly, Rancher has updated its Azure AD auth provider to use the new Microsoft Graph API to access users and groups in Azure Active Directory.
Details of Old vs New
Old
- ADAL is the authentication library we use to get access tokens to the deprecated Azure AD Graph API.
New
- MSAL is the new authentication library we will instead use to get access tokens to the new Microsoft Graph API.
Actions Required of Users
- New users of v2.6.x and v2.7.x will use the new Microsoft Graph API when they register Rancher with Azure AD. There will be no need for a transition.
- Existing users who have Azure AD as the auth provider will see an informational notification/banner urging them to upgrade Rancher's auth provider before the end of 2022. Beforehand, their app in Azure will need the necessary permissions for Rancher to work with users and groups in AD. To upgrade, the UI provides a button that instructs the backend to use the new authentication/authorization flow, without requiring Rancher admins to reconfigure the existing auth provider.
- AD admins must add the necessary Microsoft Graph permissions to their apps:
  - In 2.6.x, Rancher needs User.Read.All and Group.Read.All; both must be Application (not Delegated) permissions.
  - In 2.7.x, Rancher needs permissions that allow the following actions:
    - Get a user.
    - List all users.
    - List groups of which a given user is a member.
    - Get a group.
    - List all groups.
    Here are a few examples of permission combinations that satisfy Rancher's needs:
    1. Directory.Read.All
    2. User.Read.All and GroupMember.Read.All
    3. User.Read.All and Group.Read.All
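A pre-upgrade check an admin could run against the permissions granted to the app registration, added here as an example (not Rancher's own code): it reports which of the five 2.7.x actions no Application permission covers, and ignores Delegated grants. The action-to-permission mapping is an assumption reconstructed from the combinations listed above and should be verified against the Microsoft Graph permission reference.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is one Microsoft Graph permission granted to the Rancher app registration;
// Type is "Application" or "Delegated", as shown in the Azure portal.
type Permission struct{ Name, Type string }

// actionCoverage maps each 2.7.x provider action to the Application permissions that
// cover it. The mapping is an assumption reconstructed from the combinations the article
// lists (Directory.Read.All alone; User.Read.All plus GroupMember.Read.All or Group.Read.All).
var actionCoverage = map[string][]string{
	"get user":           {"User.Read.All", "Directory.Read.All"},
	"list users":         {"User.Read.All", "Directory.Read.All"},
	"list user's groups": {"GroupMember.Read.All", "Group.Read.All", "Directory.Read.All"},
	"get group":          {"GroupMember.Read.All", "Group.Read.All", "Directory.Read.All"},
	"list groups":        {"GroupMember.Read.All", "Group.Read.All", "Directory.Read.All"},
}

// MissingActions returns, sorted, the actions no granted Application permission covers.
// Delegated grants are ignored: Rancher calls Graph as the app's service principal.
func MissingActions(granted []Permission) []string {
	appPerms := map[string]bool{}
	for _, p := range granted {
		if p.Type == "Application" {
			appPerms[p.Name] = true
		}
	}
	var missing []string
	for action, covering := range actionCoverage {
		covered := false
		for _, name := range covering {
			covered = covered || appPerms[name]
		}
		if !covered {
			missing = append(missing, action)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample: Group.Read.All was granted as Delegated, which does not count.
	granted := []Permission{{"User.Read.All", "Application"}, {"Group.Read.All", "Delegated"}}
	fmt.Println("missing before upgrade:", MissingActions(granted))
}
```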
Support Considerations or Gotchas
When you choose to upgrade the existing Azure AD auth provider configuration in Rancher, keep in mind that all users' access tokens to the deprecated Azure AD Graph API will be deleted: Rancher will no longer communicate with that API, so it no longer needs them.
Instead, Rancher will store in a secret only one access token to the new Microsoft Graph API, that of the service principal associated with the App registration in Azure AD. This token is refreshed once an hour (not in the background, but when its use triggers a refresh).
Additional migration instructions can be found at these links:
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.