Important: This plug-in is maintained by the Jenkins community and won’t be supported by Microsoft as of February 29, 2024.
A Jenkins Plugin that supports authentication & authorization via Microsoft Entra ID (previously known as Azure Active Directory).
-
Open
Microsoft Entra ID
, clickApp registrations
-
Click
New registration
-
Add a new Reply URL
https://{your_jenkins_host}/securityRealm/finishLogin
. Make sure "Jenkins URL" (Manage Jenkins => Configure System) is set to the same value ashttps://{your_jenkins_host}
. -
Click
Certificates & secrets
-
To use a client secret: Under Client secrets, click
New client secret
to generate a new key. Copy thevalue
, it will be used asClient Secret
in Jenkins. -
To use a certificate: Under Certificates, click
Upload certificate
to upload your certificate. This certificate will be used for client certificate authentication in Jenkins. You will need to use the corresponding private key associated with this certificate in PEM format.
-
-
Click
Authentication
, under 'Implicit grant and hybrid flows', enableID tokens
. -
(optional) To enable Microsoft Entra ID group support: Click
Manifest
and modify the"groupMembershipClaims": null
value to"groupMembershipClaims": "SecurityGroup"
, then 'Save' it.
In order for Jenkins to be able to lookup data from Microsoft Entra ID it needs some Graph API permissions.
This is used for:
- Autocompleting users and groups on the 'Security' page
- Jenkins looking up the user, e.g. when you use the Rest API
- Group display name support (rather than just object ID)
Note: You can skip this part and just use the claims returned when authenticating.
-
Click
API permissions
-
Add a permission
-
Microsoft Graph
-
Application permissions
-
Add 'User.Read.All', 'Group.Read.All' and 'People.Read.All'
-
Click
Grant admin consent
. If you are not an admin in your tenant, please contact an admin to grant the permissions.
Click Manage Jenkins
in the left menu, then click Security
-
Check
Azure Active Directory
and fill in the credential. -
Click
Verify Application
to make sure your input is valid. -
Save the configuration, (logged-in users will have permission to do anything)
-
Log in with Microsoft Entra ID
-
Return to 'Security' to configure authorization
Note: if you haven't setup Graph API permissions, verify application will fail, skip over this step
Jenkins will match permissions based on the Object ID of a user or group.
This plugin extends the traditional Matrix Authorization Strategy with the ability to search by users / groups by display name when configuring the authorization rules.
To use this feature:
- Click
Azure Active Directory Matrix-based security
- Search for user in 'Azure User/group to add' and click Add
- Select the permission(s) in the table
- Click 'Apply'
You can still use other authorization strategies such as:
The following can normally be used:
- Object ID of user or group
- Display name of group (Only if Graph API permissions granted)
preferred_username
claim which is normally the 'User principal name', but not always.- User principal name (Rest API authentication only)
The plugin has full support for use in Configuration as Code and Job DSL.
For an example combining the two, see the configuration-as-code.yml test resource.
A: You can disable the security from the config file (see https://www.jenkins.io/doc/book/security/access-control/disable/)
Q: Why am I getting an error "insufficient privileges to complete the operation" even after having granted the permission?
A: It can take a long time for the privileges to take effect, which could be 10-20 minutes. Just wait for a while and try again.