Azure AD OIDC group rights

Product: PowerShell Universal
Version: 3.2.5

Just configured my PSU instance to use OIDC against Azure AD. By default anyone from my tenant is allowed to access my PSU site, but is there a way to limit that based on AAD groups?

Assuming you are going to use groups for role assignments, you need to go and edit the Roles under the Security menu; it's in the doc here: PowerShell Universal - Ironman Software

Created a new role where I added this to the role.ps1:
New-PSURole -Name Administrator -ClaimType 'groups' -ClaimValue <azure group object id>

When pressing save my role.ps1 clears itself and my "New-PSURole" string is removed

If you are just looking to restrict access and don’t use claims within your app, you can just switch your enterprise app to “require user assignment” and assign your group to the app. Then AAD will enforce this.
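For reference, a fuller roles script for the group-claim approach discussed in this thread. This is an added example, not code from the thread or from Ironman Software's own documentation; the group object IDs are placeholders and the role names are assumptions. It also shows the policy-scriptblock form of New-PSURole, which lets one role match more than one group.

```powershell
# roles.ps1 (added example) - map Azure AD group object IDs to PSU roles.
# Azure AD only emits the 'groups' claim if the app registration's token
# configuration includes group claims; without it every role below fails closed
# and no tenant user is granted a role, which is the safe default.

# Placeholder object IDs - replace with the real group IDs from the Azure portal.
$AdminGroupId    = '00000000-0000-0000-0000-000000000001'
$OperatorGroupId = '00000000-0000-0000-0000-000000000002'
$ReaderGroupId   = '00000000-0000-0000-0000-000000000003'
$BreakGlassId    = '00000000-0000-0000-0000-000000000004'

# Simple claim match: one role, one group.
New-PSURole -Name 'Operator' -Description 'Can run scripts' `
    -ClaimType 'groups' -ClaimValue $OperatorGroupId

New-PSURole -Name 'Reader' -Description 'Read-only access' `
    -ClaimType 'groups' -ClaimValue $ReaderGroupId

# Policy form: Administrator is granted if the token carries either the
# normal admin group or the break-glass group. $User is the ClaimsPrincipal
# PSU passes to the policy; HasClaim returns $false when the claim is absent.
New-PSURole -Name 'Administrator' -Description 'Full access' -Policy {
    param($User)
    $User.HasClaim('groups', $AdminGroupId) -or
    $User.HasClaim('groups', $BreakGlassId)
}
```

Users whose token carries none of the listed group IDs get no role, so they are denied even though they can authenticate against the tenant. If the script is saved and then appears empty on reload, check the PSU log for a parse error in the script before assuming the role was accepted.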
