add documentation for MS Graph plugin #130703
Pinging @elastic/es-docs (Team:Docs)
Pinging @elastic/es-security (Team:Security)
shainaraskas
left a comment
a few suggestions
| This plugin can be installed using the plugin manager: | ||
|
|
||
| ```sh | ||
| sudo bin/elasticsearch-plugin install microsoft-graph-authz | ||
| ``` |
does this plugin work for all deployment types, or just self-managed vanilla elasticsearch?
I've been testing with Elastic Cloud, but it should work with any other deployment type
in ecloud, I assume you can't install this way (with a sudo command).
consider linking to https://www.elastic.co/docs/reference/elasticsearch/plugins/plugin-management which explains how to install plugins in all environments.
you could say something like this near the end of the section
If you're using a [self-managed Elasticsearch cluster](docs-content:///deploy-manage/deploy/self-managed.md), then this plugin can be installed using the plugin manager:
<code>
For all other deployment types, refer to [](../plugin-management.md).
| :alt: get your application ID | ||
| ::: | ||
| 4) Under Manage > Certificates & secrets | ||
| - Create a new client secret |
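Review bot: Step 4 stops at "Create a new client secret" and never says what to do with the value. Azure shows a client secret's value only when it is created, so the step should tell the reader to copy it at that point and say where it is configured in Elasticsearch, stating whether it belongs in the keystore as a secure setting rather than in plain text. A sentence on the secret's expiry would also help operators plan rotation.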
| - Create a new client secret | |
| - Create a new client secret. |
| 5) Under Manage > API permissions | ||
| - Go to “Add a permission” | ||
| - Choose “Microsoft Graph” | ||
| - Choose “Application permissions” | ||
| - Select “Directory.ReadWrite.All, Group.ReadWrite.All, User.Read.All” | ||
| - Note that an Azure Admin will need to approve these permissions before the credentials can be used | ||
| :::{image} ./images/ms-graph-authz/05-configure-api-permissions.png | ||
| :alt: configure api permissions | ||
| ::: |
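Review bot: Step 5 asks for `Directory.ReadWrite.All` and `Group.ReadWrite.All`, which are write-level application permissions, for a plugin this PR describes as being used "to look up group membership". If read access is enough for that lookup, document read-only permissions instead (for example `Directory.Read.All` and `Group.Read.All`, assuming the plugin works with them). If write access really is required, add a sentence explaining why, since the Azure admin who has to approve the consent will need that justification.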
ordered procedures of more than two items need a numbered list
| 5) Under Manage > API permissions | |
| - Go to “Add a permission” | |
| - Choose “Microsoft Graph” | |
| - Choose “Application permissions” | |
| - Select “Directory.ReadWrite.All, Group.ReadWrite.All, User.Read.All” | |
| - Note that an Azure Admin will need to approve these permissions before the credentials can be used | |
| :::{image} ./images/ms-graph-authz/05-configure-api-permissions.png | |
| :alt: configure api permissions | |
| ::: | |
| 5) Under **Manage** > **API permissions**, do the following: | |
| 1. Go to **Add a permission**. | |
| 2. Choose **Microsoft Graph**. | |
| 3. Choose **Application permissions**. | |
| 4. Select the following permissions: `Directory.ReadWrite.All`, `Group.ReadWrite.All`, and `User.Read.All`. | |
| Note that an Azure Admin will need to approve these permissions before the credentials can be used | |
| :::{image} ./images/ms-graph-authz/05-configure-api-permissions.png | |
| :alt: configure API permissions | |
| ::: |
|
|
||
| Create a Microsoft Graph realm, following the above settings, then configure an existing realm to delegate to it using `authorization_realms`. | ||
|
|
||
| For example, to authenticate via Microsoft Entra with SAML and use the Microsoft Graph plugin to look up group membership: |
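Review bot: The sentence "configure an existing realm to delegate to it using `authorization_realms`" does not say what delegation changes for role assignment. When a realm delegates authorization, the user's roles come from the authorization realm's lookup and the authenticating realm's own role mapping is not applied, so, unless the text after the example already covers it, add a line saying that role mappings must be written against the groups the Microsoft Graph realm returns and that the username produced by the SAML realm must be one the Graph lookup can resolve.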
| For example, to authenticate via Microsoft Entra with SAML and use the Microsoft Graph plugin to look up group membership: | |
| For example, the following configuration authenticates using Microsoft Entra with SAML, and uses the Microsoft Graph plugin to look up group membership: |
shainaraskas
left a comment
Provided some small additional pieces of feedback.
The only things I'd consider to be blocking are:
- explaining how to set up the graph plugin on other deployment types because they won't accept a `sudo` command anywhere
- linking down to the config topics from the parent authz topic :)
approving to unblock but suggest taking a look at these items if you can.
Also wonder if these settings will get added to the core elasticsearch reference or just here.
| stack: ga 9.1 | ||
| --- | ||
|
|
||
| # Authentication Plugins [authentication] |
| # Authentication Plugins [authentication] | |
| # Authentication plugins [authentication] |
| stack: ga 9.1 | ||
| --- | ||
|
|
||
| # Microsoft Graph Authz [ms-graph-authz] |
would be good if this page would call down to the two child pages, e.g. in a new Configuration H2 on this page, just saying "To learn how to configure the Microsoft Graph Authz plugin, refer to ."
or something similar.
otherwise, it's unclear that there are configs needed unless you're looking at the sidebar.
| To make API calls to Microsoft Graph, Elasticsearch requires Azure credentials | ||
| with the correct permissions. | ||
|
|
||
| ## Create a custom Azure Application |
| ## Create a custom Azure Application | |
| ## Create a custom Azure application |
| 4. Select `Directory.ReadWrite.All`, `Group.ReadWrite.All`, `User.Read.All`. | ||
|
|
||
| Note that an Azure Admin will need to approve these permissions before the | ||
| credentials can be used |
| credentials can be used | |
| credentials can be used. | |
| ::: | |
| 3. Choose **Application permissions**. | ||
| 4. Select `Directory.ReadWrite.All`, `Group.ReadWrite.All`, `User.Read.All`. | ||
|
|
||
| Note that an Azure Admin will need to approve these permissions before the |
| Note that an Azure Admin will need to approve these permissions before the | |
| :::{note} | |
| An Azure Admin must approve these permissions before the |
|
|
||
| # Configuration properties [configuration-properties] | ||
|
|
||
| After the plugin is installed, the following configuration settings are |
consider flipping this page around. explain how to configure, and then create an ## Available settings section with the full setting reference.
Pinging @elastic/core-docs (Team:Docs)
Add documentation for the plugin introduced in #128396
This will need a manual backport to 8.19