elastic · elasticsearchmachine · Jul 7, 2025 · Jul 7, 2025
@@ -204,6 +204,17 @@ steps:
           image: family/elasticsearch-ubuntu-2404
           machineType: n2-standard-8
           buildDirectory: /dev/shm/bk
+      - label: third-party / ms-graph
+        command: |
+          .ci/scripts/run-gradle.sh msGraphThirdPartyTest
+        env:
+          USE_3RD_PARTY_MS_GRAPH_CREDENTIALS: "true"
+        timeout_in_minutes: 30
+        agents:
+          provider: gcp
+          image: family/elasticsearch-ubuntu-2404
+          machineType: n2-standard-8
+          buildDirectory: /dev/shm/bk
   - group: lucene-compat
     steps:
       - label: "{{matrix.LUCENE_VERSION}} / lucene-compat"

@@ -623,6 +623,17 @@ steps:
           image: family/elasticsearch-ubuntu-2404
           machineType: n2-standard-8
           buildDirectory: /dev/shm/bk
+      - label: third-party / ms-graph
+        command: |
+          .ci/scripts/run-gradle.sh msGraphThirdPartyTest
+        env:
+          USE_3RD_PARTY_MS_GRAPH_CREDENTIALS: "true"
+        timeout_in_minutes: 30
+        agents:
+          provider: gcp
+          image: family/elasticsearch-ubuntu-2404
+          machineType: n2-standard-8
+          buildDirectory: /dev/shm/bk
   - group: lucene-compat
     steps:
       - label: "{{matrix.LUCENE_VERSION}} / lucene-compat"

@@ -48,6 +48,23 @@ if [[ "${USE_3RD_PARTY_GCS_CREDENTIALS:-}" == "true" ]]; then
   .buildkite/scripts/third-party-test-credentials.gcs.sh "$google_storage_service_account"
 fi
 
+if [[ "${USE_3RD_PARTY_MS_GRAPH_CREDENTIALS:-}" == "true" ]]; then
+  json=$(vault read -format=json secret/ci/elastic-elasticsearch/ms_graph_thirdparty_test_creds)
 
+  MS_GRAPH_TENANT_ID=$(echo "$json" | jq -r .data.tenant_id)
+  export ms_graph_tenant_id="$MS_GRAPH_TENANT_ID"
+
+  MS_GRAPH_CLIENT_ID=$(echo "$json" | jq -r .data.client_id)
+  export ms_graph_client_id="$MS_GRAPH_CLIENT_ID"
+
+  MS_GRAPH_CLIENT_SECRET=$(echo "$json" | jq -r .data.client_secret)
+  export ms_graph_client_secret="$MS_GRAPH_CLIENT_SECRET"
+
+  MS_GRAPH_USERNAME=$(echo "$json" | jq -r .data.username)
+  export ms_graph_username="$MS_GRAPH_USERNAME"
+
+  MS_GRAPH_GROUP_ID=$(echo "$json" | jq -r .data.group_id)
+  export ms_graph_group_id="$MS_GRAPH_GROUP_ID"
+fi
 
 unset json
diff --git a/x-pack/plugin/security/qa/microsoft-graph-authz-tests/build.gradle b/x-pack/plugin/security/qa/microsoft-graph-authz-tests/build.gradle
@@ -8,7 +8,34 @@ dependencies {
   clusterModules project(":modules:analysis-common")
 }
 
+boolean useFixture = false
+String msGraphTenantId = System.getenv("ms_graph_tenant_id")
+String msGraphClientId = System.getenv("ms_graph_client_id")
+String msGraphClientSecret = System.getenv("ms_graph_client_secret")
+String msGraphUsername = System.getenv("ms_graph_username")
+String msGraphGroupId = System.getenv("ms_graph_group_id")
+
+if (!msGraphTenantId || !msGraphClientId || !msGraphClientSecret || !msGraphUsername || !msGraphGroupId) {
+  msGraphTenantId = "tenant-id"
+  msGraphClientId = "client_id"
+  msGraphClientSecret = "client_secret"
+  msGraphUsername = "Thor"
+  msGraphGroupId = "test_group"
+  useFixture = true
+}
+
 tasks.named("javaRestTest").configure {
+  systemProperty "test.ms_graph.fixture", useFixture
+  systemProperty "test.ms_graph.tenant_id", msGraphTenantId
+  systemProperty "test.ms_graph.client_id", msGraphClientId
+  systemProperty "test.ms_graph.client_secret", msGraphClientSecret
+  systemProperty "test.ms_graph.username", msGraphUsername
+  systemProperty "test.ms_graph.group_id", msGraphGroupId
+
   // disable tests in FIPS mode as we need to use a custom truststore containing the certs used in MicrosoftGraphHttpFixture
   buildParams.withFipsEnabledOnly(it)
 }
+
+tasks.register("msGraphThirdPartyTest") {
+  dependsOn "javaRestTest"
+}
diff --git a/...st/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java b/...st/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java
@@ -17,6 +17,7 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.core.Booleans;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.test.TestTrustStore;
 import org.elasticsearch.test.XContentTestUtils;
@@ -51,11 +52,12 @@
 
 public class MicrosoftGraphAuthzPluginIT extends ESRestTestCase {
 
-    private static final String TENANT_ID = "tenant-id";
-    private static final String CLIENT_ID = "client_id";
-    private static final String CLIENT_SECRET = "client_secret";
-    private static final String USERNAME = "Thor";
-    private static final String EXPECTED_GROUP = "test_group";
+    private static final String TENANT_ID = System.getProperty("test.ms_graph.tenant_id");
+    private static final String CLIENT_ID = System.getProperty("test.ms_graph.client_id");
+    private static final String CLIENT_SECRET = System.getProperty("test.ms_graph.client_secret");
+    private static final String USERNAME = System.getProperty("test.ms_graph.username");
+    private static final String EXPECTED_GROUP = System.getProperty("test.ms_graph.group_id");
+    private static final Boolean USE_FIXTURE = Booleans.parseBoolean(System.getProperty("test.ms_graph.fixture"));
 
     private static final List<MicrosoftGraphHttpFixture.TestUser> TEST_USERS = List.of(
         new MicrosoftGraphHttpFixture.TestUser(
@@ -90,12 +92,14 @@ public class MicrosoftGraphAuthzPluginIT extends ESRestTestCase {
     );
 
     @ClassRule
-    public static TestRule ruleChain = RuleChain.outerRule(graphFixture).around(trustStore).around(cluster);
+    public static TestRule ruleChain = USE_FIXTURE
+        ? RuleChain.outerRule(graphFixture).around(trustStore).around(cluster)
+        : RuleChain.outerRule(cluster);
 
     private static final String IDP_ENTITY_ID = "http://idp.example.org/";
 
     private static ElasticsearchCluster initTestCluster() {
-        return ElasticsearchCluster.local()
+        final var clusterBuilder = ElasticsearchCluster.local()
             .module("analysis-common")
             .setting("xpack.security.enabled", "true")
             .setting("xpack.license.self_generated.type", "trial")
@@ -118,15 +122,22 @@ private static ElasticsearchCluster initTestCluster() {
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.client_id", CLIENT_ID)
             .keystore("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.client_secret", CLIENT_SECRET)
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.tenant_id", TENANT_ID)
-            .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.graph_host", () -> graphFixture.getBaseUrl() + "/v1.0")
-            .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.access_token_host", graphFixture::getBaseUrl)
             .setting("logger.org.elasticsearch.xpack.security.authz.microsoft", "TRACE")
             .setting("logger.com.microsoft", "TRACE")
-            .setting("logger.com.azure", "TRACE")
-            .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString())
-            .systemProperty("javax.net.ssl.trustStoreType", "jks")
-            .systemProperty("tests.azure.credentials.disable_instance_discovery", "true")
-            .build();
+            .setting("logger.com.azure", "TRACE");
+
+        if (USE_FIXTURE) {
+            clusterBuilder.setting(
+                "xpack.security.authc.realms.microsoft_graph.microsoft_graph1.graph_host",
+                () -> graphFixture.getBaseUrl() + "/v1.0"
+            )
+                .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.access_token_host", graphFixture::getBaseUrl)
+                .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString())
+                .systemProperty("javax.net.ssl.trustStoreType", "jks")
+                .systemProperty("tests.azure.credentials.disable_instance_discovery", "true");
+        }
+
+        return clusterBuilder.build();
     }
 
     private static String getIDPMetadata() {
@@ -210,6 +221,7 @@ public void testAuthenticationSuccessful() throws Exception {
     }
 
     public void testConcurrentAuthentication() throws Exception {
+        assumeTrue("This needs the test server as the real account only has one user configured", USE_FIXTURE);
         final var concurrentLogins = 3;
 
         final var resultsListener = new PlainActionFuture<Collection<Map<String, Object>>>();