I’ve been setting up OIDC with our Azure environment following the steps found here. Further research made me come across the next steps, how to assign a role to a user, for example this way, but I also found references to being able to access either $User or $UserInfo in roles.ps1.
However, up till now I have been unable to actually base any role on a group membership in AAD. It’s as if the process is failing somewhere, gives up and tells the user that access is not authorized. Anyone got any idea what I might be missing?
Did you set up the Azure Enterprise app to allow only assigned users/groups (“Assignment required?” under Properties on the app)? If yes, did you add the relevant groups to the app?
Are you actually including the user’s group memberships as part of the claim that AAD sends to PSU? Within the App Registration you have to go into the Token Configuration and add the groups claims. That way the actual user’s groups get included in the SAML claim so you can then base role memberships off the user’s group(s).
Yes, it was part of the documentation. In the Token Configuration I have set the groups claims, and under manifest I set the groupMembershipClaims to all.
If you’re still facing this issue, I would dump the $User variable to a JSON file on the PSU server and inspect it to validate what Azure is sending (or what PSU is seeing from Azure). Then work from there.
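Putting the two suggestions together, here is an added example of a roles.ps1 (my own illustration, not code from the thread or from the PowerShell Universal project) that dumps the claims $User carries to a JSON file and then grants a role only when the Azure AD group object id appears in a groups claim. The group id, the dump path and the claim type names are assumptions: AAD emits `groups` in the ID token, and `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` in SAML assertions, so both are checked.

```powershell
# roles.ps1 (added example, not from the original thread)
# $User is the ClaimsPrincipal PSU builds from the token Azure AD returned.

New-PSURole -Name 'Administrator' -Description 'Members of the AAD admins group' -Policy {
    param($User)

    # Assumption: placeholder AAD group object id; replace with the real one.
    $adminGroupId = '00000000-0000-0000-0000-000000000000'

    # Assumption: a path the PSU service account can write to.
    $claimDump = 'C:\ProgramData\UniversalAutomation\last-user-claims.json'

    # Diagnostic step from the thread: record every claim type/value PSU saw
    # for this sign-in, so you can compare it with the Token Configuration.
    # Remove once the mapping works; the dump contains personal data.
    try {
        $User.Claims |
            Select-Object Type, Value |
            ConvertTo-Json |
            Set-Content -Path $claimDump -Encoding UTF8
    }
    catch {
        # A dump failure must not turn into a silent "not authorized".
        Write-Warning "Could not write claim dump: $($_.Exception.Message)"
    }

    # Assumption: the group claim may arrive under the short JWT type or the
    # long SAML-style URI depending on how the token is mapped.
    $groupClaimTypes = @(
        'groups',
        'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
    )

    foreach ($type in $groupClaimTypes) {
        # ClaimsPrincipal.HasClaim(type, value) matches exact type and value.
        if ($User.HasClaim($type, $adminGroupId)) {
            return $true
        }
    }

    return $false
}
```

If the dump shows no groups claim at all but does contain `_claim_names` and `_claim_sources`, the user is over Azure AD's group-claim limit and the token carries an overage reference instead of the group list; in that case the policy above cannot see the group and you need to narrow the emitted groups (for example to groups assigned to the application) in the Token Configuration.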