docs: Update Azure AD to Entra ID (argoproj#16869)
* Update Azure AD to Entra ID

https://learn.microsoft.com/en-us/entra/fundamentals/new-name

Signed-off-by: Ryan Flynn <[email protected]>

* Add formerly known as azuread

Signed-off-by: Ryan Flynn <[email protected]>

---------

Signed-off-by: Ryan Flynn <[email protected]>
ryanpflynn authored and clement-heetch committed Feb 12, 2024
1 parent f79a86b commit c248a38
Showing 1 changed file with 27 additions and 24 deletions.
51 changes: 27 additions & 24 deletions docs/operator-manual/user-management/microsoft.md
@@ -1,13 +1,16 @@
# Microsoft

* [Azure AD SAML Enterprise App Auth using Dex](#azure-ad-saml-enterprise-app-auth-using-dex)
* [Azure AD App Registration Auth using OIDC](#azure-ad-app-registration-auth-using-oidc)
* [Azure AD App Registration Auth using Dex](#azure-ad-app-registration-auth-using-dex)
!!! note ""
Entra ID was formerly known as Azure AD.

## Azure AD SAML Enterprise App Auth using Dex
### Configure a new Azure AD Enterprise App
* [Entra ID SAML Enterprise App Auth using Dex](#entra-id-saml-enterprise-app-auth-using-dex)
* [Entra ID App Registration Auth using OIDC](#entra-id-app-registration-auth-using-oidc)
* [Entra ID App Registration Auth using Dex](#entra-id-app-registration-auth-using-dex)

1. From the `Azure Active Directory` > `Enterprise applications` menu, choose `+ New application`
## Entra ID SAML Enterprise App Auth using Dex
### Configure a new Entra ID Enterprise App

1. From the `Microsoft Entra ID` > `Enterprise applications` menu, choose `+ New application`
2. Select `Non-gallery application`
3. Enter a `Name` for the application (e.g. `Argo CD`), then choose `Add`
4. Once the application is created, open it from the `Enterprise applications` menu.
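
Review bot: the heading rename to `## Entra ID SAML Enterprise App Auth using Dex` changes the generated anchor from `#azure-ad-saml-enterprise-app-auth-using-dex` to `#entra-id-saml-enterprise-app-auth-using-dex`, and only the table of contents in this file is updated to match. Any other page that links to the old `#azure-ad-...` anchors will silently land at the top of the page, so please search the docs tree for `#azure-ad-` before merging and update those links in the same commit.
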
Expand All @@ -31,9 +34,9 @@
- *Keep a copy of the encoded output to be used in the next section.*
9. From the `Single sign-on` menu, copy the `Login URL` parameter, to be used in the next section.

### Configure Argo to use the new Azure AD Enterprise App
### Configure Argo to use the new Entra ID Enterprise App

1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Azure AD App:
1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Entra ID App:

data:
url: https://my-argo-cd-url
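
Review bot: the reworded step 1 under "Configure Argo to use the new Entra ID Enterprise App" keeps a missing word from the old text: "replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values" has no "with". Since the line is being touched anyway, suggest "replacing the `caData`, `my-argo-cd-url` and `my-login-url` with your values from the Entra ID App".
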
Expand All @@ -56,7 +59,7 @@
groupsAttr: Group

2. Edit `argocd-rbac-cm` to configure permissions, similar to example below.
- Use Azure AD `Group IDs` for assigning roles.
- Use Entra ID `Group IDs` for assigning roles.
- See [RBAC Configurations](../rbac.md) for more detailed scenarios.

# example policy
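
Review bot: in the `argocd-rbac-cm` step, "Use Entra ID `Group IDs` for assigning roles" uses a different name for the value than the web login verification step later in this file, which calls it the group's Object ID. The example `g,` line maps a GUID to a role, so naming the field consistently here (for example "Use Entra ID group `Object IDs`") would make it clearer which identifier belongs in the policy.
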
Expand All @@ -70,11 +73,11 @@
p, role:org-admin, repositories, delete, *, allow
g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)

## Azure AD App Registration Auth using OIDC
### Configure a new Azure AD App registration
#### Add a new Azure AD App registration
## Entra ID App Registration Auth using OIDC
### Configure a new Entra ID App registration
#### Add a new Entra ID App registration

1. From the `Azure Active Directory` > `App registrations` menu, choose `+ New registration`
1. From the `Microsoft Entra ID` > `App registrations` menu, choose `+ New registration`
2. Enter a `Name` for the application (e.g. `Argo CD`).
3. Specify who can use the application (e.g. `Accounts in this organizational directory only`).
4. Enter Redirect URI (optional) as follows (replacing `my-argo-cd-url` with your Argo URL), then choose `Add`.
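
Review bot: the unchanged policy line `g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)` just above the renamed headings still says "azure group" in its comment, while the surrounding instructions now say Entra ID. Suggest updating the comment to "(Entra ID group assigned to role)" in this commit so the example matches the text that introduces it.
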
Expand All @@ -92,29 +95,29 @@
- **Redirect URI:** `http://localhost:8085/auth/callback`
![Azure App registration's Authentication](../../assets/azure-app-registration-authentication.png "Azure App registration's Authentication")

#### Add credentials a new Azure AD App registration
#### Add credentials a new Entra ID App registration

1. From the `Certificates & secrets` menu, choose `+ New client secret`
2. Enter a `Name` for the secret (e.g. `ArgoCD-SSO`).
- Make sure to copy and save generated value. This is a value for the `client_secret`.
![Azure App registration's Secret](../../assets/azure-app-registration-secret.png "Azure App registration's Secret")

#### Setup permissions for Azure AD Application
#### Setup permissions for Entra ID Application

1. From the `API permissions` menu, choose `+ Add a permission`
2. Find `User.Read` permission (under `Microsoft Graph`) and grant it to the created application:
![Azure AD API permissions](../../assets/azure-api-permissions.png "Azure AD API permissions")
![Entra ID API permissions](../../assets/azure-api-permissions.png "Entra ID API permissions")
3. From the `Token Configuration` menu, choose `+ Add groups claim`
![Azure AD token configuration](../../assets/azure-token-configuration.png "Azure AD token configuration")
![Entra ID token configuration](../../assets/azure-token-configuration.png "Entra ID token configuration")

### Associate an Azure AD group to your Azure AD App registration
### Associate an Entra ID group to your Entra ID App registration

1. From the `Azure Active Directory` > `Enterprise applications` menu, search the App that you created (e.g. `Argo CD`).
- An Enterprise application with the same name of the Azure AD App registration is created when you add a new Azure AD App registration.
1. From the `Microsoft Entra ID` > `Enterprise applications` menu, search the App that you created (e.g. `Argo CD`).
- An Enterprise application with the same name of the Entra ID App registration is created when you add a new Entra ID App registration.
2. From the `Users and groups` menu of the app, add any users or groups requiring access to the service.
![Azure Enterprise SAML Users](../../assets/azure-enterprise-users.png "Azure Enterprise SAML Users")

### Configure Argo to use the new Azure AD App registration
### Configure Argo to use the new Entra ID App registration

1. Edit `argocd-cm` and configure the `data.oidc.config` and `data.url` section:
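
Review bot: the new heading `#### Add credentials a new Entra ID App registration` carries over a missing preposition from the old one and should read "Add credentials to a new Entra ID App registration"; likewise `#### Setup permissions for Entra ID Application` would be better as "Set up permissions ...". If the second heading is changed, the reference to the `Setup permissions for Entra ID Application` step in the web login section has to change with it. The image alt texts in this hunk are also only partly renamed ("Azure App registration's Secret", "Azure Enterprise SAML Users" stay, the two API and token ones change), so either rename all of them or leave all of them.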

Expand Down Expand Up @@ -173,7 +176,7 @@

Refer to [operator-manual/argocd-rbac-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml) for all of the available variables.

## Azure AD App Registration Auth using Dex
## Entra ID App Registration Auth using Dex

Configure a new AD App Registration, as above.
Then, add the `dex.config` to `argocd-cm`:
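
Review bot: the context line directly under the renamed `## Entra ID App Registration Auth using Dex` heading still reads "Configure a new AD App Registration, as above." and was missed by the rename. Suggest "Configure a new Entra ID App registration, as above." so the section does not mix the old and new product names.
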
Expand All @@ -200,9 +203,9 @@ data:
1. Open a new browser tab and enter your ArgoCD URI: https://`<my-argo-cd-url>`
![Azure SSO Web Log In](../../assets/azure-sso-web-log-in-via-azure.png "Azure SSO Web Log In")
3. Click `LOGIN VIA AZURE` button to log in with your Azure Active Directory account. You’ll see the ArgoCD applications screen.
3. Click `LOGIN VIA AZURE` button to log in with your Microsoft Entra ID account. You’ll see the ArgoCD applications screen.
![Azure SSO Web Application](../../assets/azure-sso-web-application.png "Azure SSO Web Application")
4. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the `Setup permissions for Azure AD Application` step.
4. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the `Setup permissions for Entra ID Application` step.
![Azure SSO Web User Info](../../assets/azure-sso-web-user-info.png "Azure SSO Web User Info")

### Log in to ArgoCD using CLI
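
Review bot: in the web login steps the numbering visible here goes from `1. Open a new browser tab ...` straight to `3. Click LOGIN VIA AZURE ...`, so the changed lines 3 and 4 are numbered as if a step 2 existed between them. Since both lines are being edited, renumber them to 2 and 3. The button label `LOGIN VIA AZURE` is correctly left alone only as long as the connector name in the config shown elsewhere in this file stays "Azure"; worth a quick check that the text and the config still agree.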