Important: This plug-in is maintained by the Jenkins community and won’t be supported by Microsoft as of February 29, 2024.
A Jenkins Plugin that supports authentication & authorization via Microsoft Entra ID (previously known as Azure Active Directory).
1. Open Microsoft Entra ID, click App registrations
2. Click New registration
3. Add a new Reply URL `https://{your_jenkins_host}/securityRealm/finishLogin`. Make sure "Jenkins URL" (Manage Jenkins => Configure System) is set to the same value as `https://{your_jenkins_host}`.
4. Click Certificates & secrets, under Client secrets click New client secret to generate a new key, copy the value; it will be used as Client Secret in Jenkins.
5. Click Authentication, under 'Implicit grant and hybrid flows', enable ID tokens.
6. (optional) To enable Microsoft Entra ID group support: click Manifest and modify the `"groupMembershipClaims": null` value to `"groupMembershipClaims": "SecurityGroup"`, then 'Save' it.
In order for Jenkins to be able to look up data from Microsoft Entra ID it needs some Graph API permissions.
This is used for:
- Autocompleting users and groups on the 'Security' page
- Jenkins looking up the user, e.g. when you use the Rest API
- Group display name support (rather than just object ID)
Note: You can skip this part and just use the claims returned when authenticating.
1. Click API permissions
2. Add a permission
3. Microsoft Graph
4. Application permissions
5. Add 'User.Read.All', 'Group.Read.All' and 'People.Read.All'
6. Click Grant admin consent. If you are not an admin in your tenant, please contact an admin to grant the permissions.
1. Click Manage Jenkins in the left menu, then click Security
2. Check Azure Active Directory and fill in the credentials.
3. Click Verify Application to make sure your input is valid.
4. Save the configuration (logged-in users will have permission to do anything).
5. Log in with Microsoft Entra ID
6. Return to 'Security' to configure authorization

Note: if you haven't set up Graph API permissions, Verify Application will fail; skip that step.
Jenkins will match permissions based on the Object ID of a user or group.
This plugin extends the traditional Matrix Authorization Strategy with the ability to search for users / groups by display name when configuring the authorization rules.
To use this feature:
- Click Azure Active Directory Matrix-based security
- Search for user in 'Azure User/group to add' and click Add
- Select the permission(s) in the table
- Click 'Apply'
You can still use other authorization strategies such as:

The following can normally be used:
- Object ID of user or group
- Display name of group (Only if Graph API permissions granted)
- `preferred_username` claim, which is normally the 'User principal name', but not always.
- User principal name (Rest API authentication only)
The plugin has full support for use in Configuration as Code and Job DSL.
For an example combining the two, see the configuration-as-code.yml test resource.
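As an added example (not the plugin's own test resource), the fragment below wires the security realm and the Azure AD matrix strategy through Configuration as Code, with principals matched by Entra object ID as described above. The attribute names (`azure`, `clientId`, `clientSecret`, `tenant`, `cacheDuration`, `azureAdMatrix`, `entries`) are assumed from the plugin's data-bound constructor and the matrix-auth entry format; check them against the configuration-as-code.yml test resource for your plugin version. The object IDs are placeholders, and the `${...}` references use JCasC's secret-source substitution so the client secret is read from the environment rather than stored in the YAML.

```yaml
jenkins:
  securityRealm:
    azure:
      # Values from the app registration in the Azure portal (attribute names assumed).
      clientId: "${AZURE_CLIENT_ID}"
      # Resolved by JCasC from the environment at load time, so the secret
      # never sits in the YAML file or in source control.
      clientSecret: "${AZURE_CLIENT_SECRET}"
      tenant: "${AZURE_TENANT_ID}"
      # Cache for Graph lookups (assumed to be in seconds); 0 disables caching.
      cacheDuration: 3600
  authorizationStrategy:
    azureAdMatrix:
      # Principals are matched by Entra object ID; the IDs below are placeholders.
      entries:
        - group:
            name: "00000000-0000-0000-0000-000000000001"   # placeholder: Jenkins admins security group
            permissions:
              - "Overall/Administer"
        - group:
            name: "authenticated"   # every signed-in Entra user
            permissions:
              - "Overall/Read"
              - "Job/Read"
        - user:
            name: "00000000-0000-0000-0000-000000000002"   # placeholder: one user's object ID
            permissions:
              - "Job/Build"
```

Granting `Overall/Administer` to a security group rather than to individual users keeps the matrix stable as people join and leave; remember that group object IDs only resolve to memberships when the `groupMembershipClaims` manifest change or the Graph permissions from the earlier steps are in place.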
A: You can disable the security from the config file (see https://www.jenkins.io/doc/book/security/access-control/disable/)
Q: Why am I getting an error "insufficient privileges to complete the operation" even after having granted the permission?
A: It can take a long time for the privileges to take effect, which could be 10-20 minutes. Just wait for a while and try again.