|
| 1 | +[[ms-graph-authz]] |
| 2 | +=== Microsoft Graph Authz |
| 3 | + |
| 4 | +The Microsoft Graph Authz plugin uses https://learn.microsoft.com/en-us/graph/api/user-list-memberof[Microsoft Graph] to look up group membership information from Microsoft Entra ID. |
| 5 | + |
| 6 | +This is primarily intended to work around the Microsoft Entra ID maximum group size limit (see https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages[Group overages]). |
| 7 | + |
| 8 | +[discrete] |
| 9 | +[id="microsoft-graph-authz-install"] |
| 10 | +==== Installation |
| 11 | + |
| 12 | +ifeval::["{release-state}"=="unreleased"] |
| 13 | + |
| 14 | +WARNING: Version {version} of the Elastic Stack has not yet been released. |
| 15 | + |
| 16 | +endif::[] |
| 17 | + |
| 18 | +If you're using a self-managed Elasticsearch cluster, then this plugin can be installed using the plugin manager: |
| 19 | + |
| 20 | +["source","sh",subs="attributes,callouts"] |
| 21 | +---------------------------------------------------------------- |
| 22 | +sudo bin/elasticsearch-plugin install microsoft-graph-authz |
| 23 | +---------------------------------------------------------------- |
| 24 | + |
| 25 | +The plugin must be installed on every node in the cluster, and each node must |
| 26 | +be restarted after installation. |
| 27 | + |
| 28 | +You can download this plugin for <<plugin-management-custom-url,offline |
| 29 | +install>> from {plugin_url}/microsoft-graph-authz/microsoft-graph-authz-{version}.zip. To verify |
| 30 | +the `.zip` file, use the |
| 31 | +{plugin_url}/microsoft-graph-authz/microsoft-graph-authz-{version}.zip.sha512[SHA hash] or |
| 32 | +{plugin_url}/microsoft-graph-authz/microsoft-graph-authz-{version}.zip.asc[ASC key]. |
| 33 | + |
| 34 | +For all other deployment types, refer to <<plugin-management,plugin management>>. |
| 35 | + |
| 36 | +[discrete] |
| 37 | +[id="microsoft-graph-authz-remove"] |
| 38 | +==== Removal |
| 39 | + |
| 40 | +The plugin can be removed with the following command: |
| 41 | + |
| 42 | +["source","sh",subs="attributes,callouts"] |
| 43 | +---------------------------------------------------------------- |
| 44 | +sudo bin/elasticsearch-plugin remove {plugin_name} |
| 45 | +---------------------------------------------------------------- |
| 46 | + |
| 47 | +The node must be stopped before removing the plugin. |
| 48 | + |
| 49 | +[discrete] |
| 50 | +==== Configuration |
| 51 | +To learn how to configure the Microsoft Graph Authz plugin, refer to <<configure-elasticsearch,configuration properties>>. |
| 52 | + |
| 53 | +[[configure-azure]] |
| 54 | +==== Configure Azure |
| 55 | + |
| 56 | +To make API calls to Microsoft Graph, Elasticsearch requires Azure credentials with the correct permissions. |
| 57 | + |
| 58 | +[discrete] |
| 59 | +==== Create a custom Azure application |
| 60 | + |
| 61 | +. Log in to the https://portal.azure.com[Azure portal] and go to Microsoft Entra ID. |
| 62 | +. To register a new application, click *Enterprise applications* > *New application*. |
| 63 | +. Click *Create your own application*, provide a name, and select the *Integrate any other application you don’t find in the gallery* option. |
| 64 | + |
| 65 | +image::images/01-create-enterprise-application.png["create your own application" page] |
| 66 | + |
| 67 | +[discrete] |
| 68 | +==== Configure the custom Application |
| 69 | + |
| 70 | +. In the https://portal.azure.com[Azure portal], go to Microsoft Entra ID. |
| 71 | +. Under *App registrations*, select the *All applications* tab, and then find the application created in the previous section. |
| 72 | ++ |
| 73 | +image::images/02-find-app-registration.png[find your app registration] |
| 74 | +. Take note of the *Application (client) ID* and *Tenant ID* shown here. |
| 75 | +These will be needed to configure Elasticsearch later. |
| 76 | ++ |
| 77 | +image::images/03-get-application-id.png[get your application ID] |
| 78 | +. Under *Manage* > *Certificates & secrets* |
| 79 | +- Create a new client secret. |
| 80 | +- Take note of your new client secret's *Value*. |
| 81 | +This is needed later, and is only displayed once. |
| 82 | ++ |
| 83 | +image::images/04-create-client-secret.png[get your client secret] |
| 84 | +. Under *Manage* > *API permissions*, do the following: |
| 85 | +.. Go to *Add a permission*. |
| 86 | +.. Choose *Microsoft Graph*. |
| 87 | +.. Choose *Application permissions*. |
| 88 | +.. Select `Directory.ReadWrite.All`, `Group.ReadWrite.All`, `User.Read.All`. |
| 89 | ++ |
| 90 | +NOTE: An Azure Admin must approve these permissions before the credentials can be used. |
| 91 | ++ |
| 92 | +image::images/05-configure-api-permissions.png[configure api permissions] |
| 93 | + |
| 94 | +[[configure-elasticsearch]] |
| 95 | +==== Configuration properties |
| 96 | + |
| 97 | +After the plugin is installed, the following configuration settings are available: |
| 98 | + |
| 99 | +xpack.security.authc.realms.microsoft_graph.*.order:: |
| 100 | +The priority of the realm within the realm chain. |
| 101 | +Realms with a lower order are consulted first. |
| 102 | +The value must be unique for each realm. |
| 103 | +This setting is required. |
| 104 | + |
| 105 | +xpack.security.authc.realms.microsoft_graph.*.tenant_id:: |
| 106 | +Your Microsoft Entra ID https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant[Tenant ID]. |
| 107 | +This setting is required. |
| 108 | + |
| 109 | +xpack.security.authc.realms.microsoft_graph.*.client_id:: |
| 110 | +The Application ID of the Enterprise Application you registered in the previous section. |
| 111 | +This setting is required. |
| 112 | + |
| 113 | +xpack.security.authc.realms.microsoft_graph.*.client_secret:: |
| 114 | +The client secret value for the Application you registered in the previous section. |
| 115 | +This is a sensitive setting, and must be configured in the Elasticsearch keystore. |
| 116 | +This setting is required. |
| 117 | + |
| 118 | +xpack.security.authc.realms.microsoft_graph.*.access_token_host:: |
| 119 | +A Microsoft login URL. |
| 120 | +Defaults to `https://login.microsoftonline.com`. |
| 121 | + |
| 122 | +xpack.security.authc.realms.microsoft_graph.*.graph_host:: |
| 123 | +The Microsoft Graph base address. |
| 124 | +Defaults to `https://graph.microsoft.com/v1.0`. |
| 125 | + |
| 126 | +xpack.security.authc.realms.microsoft_graph.*.http_request_timeout:: |
| 127 | +The timeout for individual Graph HTTP requests. |
| 128 | +Defaults to `10s`. |
| 129 | + |
| 130 | +xpack.security.authc.realms.microsoft_graph.*.execution_timeout:: |
| 131 | +The overall timeout for authorization requests to this plugin. |
| 132 | +Defaults to `30s`. |
| 133 | + |
| 134 | +Create a Microsoft Graph realm, following the above settings, then configure an existing realm to delegate to it using `authorization_realms`. |
| 135 | + |
| 136 | +For example, the following configuration authenticates via Microsoft Entra with SAML, and uses the Microsoft Graph plugin to look up group membership: |
| 137 | + |
| 138 | +[source,yaml] |
| 139 | +---- |
| 140 | +xpack.security.authc.realms.saml.kibana-realm: |
| 141 | + order: 2 |
| 142 | + attributes.principal: nameid |
| 143 | + attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" |
| 144 | + idp.metadata.path: "https://login.microsoftonline.com/<Tenant ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<Application_ID>" |
| 145 | + idp.entity_id: "https://sts.windows.net/<Tenant_ID>/" |
| 146 | + sp.entity_id: "<Kibana_Endpoint_URL>" |
| 147 | + sp.acs: "<Kibana_Endpoint_URL>/api/security/saml/callback" |
| 148 | + sp.logout: "<Kibana_Endpoint_URL>/logout" |
| 149 | + authorization_realms: microsoft_graph1 |
| 150 | +
|
| 151 | +xpack.security.authc.realms.microsoft_graph.microsoft_graph1: |
| 152 | + order: 3 |
| 153 | + tenant_id: "<Tenant_ID>" |
| 154 | + client_id: "<Graph_Application_ID>" |
| 155 | +---- |
0 commit comments