Microsoft Azure Entra-ID / OpenID Connect sync groups

Jul 11, 2025
Hey,

I am successfully using the OpenID Connect Server to authenticate with my PVE Cluster.

The configuration I currently have:

[attached screenshot: Bildschirmfoto 2025-08-20 um 09.26.33.png]

That works like a charm, and I am able to use SSO to sign in.

But:

It does not sync any groups, so if somebody logs in for the first time, they have no permissions and have to be added to a group manually.
Instead, I would prefer to have the groups/roles from Azure auto-created in Proxmox on login.

My assumption is that either the Groups Claim is wrong, or I need some more scopes defined in Azure.

Does anyone have the group sync working with Entra ID and can tell me what scopes I need to assign in Azure and what "Groups Claim" value I have to define?

I already checked those pages, but without success:
- https://bugzilla.proxmox.com/show_bug.cgi?id=4411
- https://forum.proxmox.com/threads/openid-connect-default-group.103394/#post-445387
- https://pve.proxmox.com/pve-docs/chapter-pveum.html#pveum_openid
 
Did anyone figure this out? I am trying to work out the exact same thing as well. I don't want to have to manually go and assign users to specific groups once they have been added. The documentation says it should happen automatically, but I can't figure out what I need to put into groups-claim or how that should be configured on the app registration side in Entra ID.
 
I figured this out. So under App registrations, go to Token configuration and add a claim. Add a groups claim and check security. Hit save.

On the Proxmox side, under Datacenter > Permissions > Realms:
Groups Claim: blank by default; enter "groups". This will allow Proxmox to read groups from your Azure tenant.

I wanted "IT Staff" in our case to have admin access to Proxmox. So under Datacenter > Permissions > Groups

I added a group for IT Staff and then gave it permissions (PVEAdmin in this case). Now, in my case, because there is a space between IT and Staff (IT Staff) and not something like "IT-Staff", Proxmox barked at it. However, there is a workaround. You can use the group ID in Azure as the group name in Proxmox and it will read it successfully and grant access to users that are in my "IT Staff" group. Now here is the kicker: the group ID needs the name of your realm attached. So in my case it looked like the following string (sanitized for obvious reasons): aaaa1111-1aa1-2222-3a33-aaaaaa111111-ABC-Azure
So in this case "aaaa1111-1aa1-2222-3a33-aaaaaa111111" is the group ID (I only had to do this because the group name I am referencing has a space; otherwise use your group name), and then add what I named my realm in Proxmox. I named my realm "ABC-Azure". Once I did this, the group mapping worked. I am still fine-tuning a few things, such as launching from the My Apps portal, but I think this may give others a good start.

You can have Proxmox read all the groups associated with Azure by ticking the Autocreate groups box on your realm.
 
I'm attempting to set this up now...

A restriction to be aware of on the MS side, related to groups:

https://learn.microsoft.com/en-us/s...velop/configure-tokens-group-claims-app-roles

"When the user is a member of too many groups, there are no groups in the token."

It is a little more work, but according to the document:

Under 'App registration -> Manage -> Token configuration -> Add optional claim', you should select 'Groups assigned to the application (recommended for large enterprise companies to avoid exceeding the limit on the number of groups a token can emit)'.

Then under 'Enterprise Application -> Manage -> Users and groups -> Add user/group', assign the groups to the app, with your users assigned to those groups.

You can also restrict access to the Proxmox interface by setting 'Enterprise Application -> Manage -> Properties -> Assignment required?' to 'Yes'. A user who is not part of one of the groups assigned to the Enterprise Application can't log in (instead of being logged in with no permissions in the UI).

For groups, it seems that by default the groups are sent using the UUID, meaning in Proxmox the groups will be <UUID-REALM>. You can change this on the MS side by doing the following:

Under 'App registration -> Manage -> Manifest', you can modify the idToken as follows to show group names instead of UUIDs:

Code:
"optionalClaims": {
    "idToken": [
        {
            "additionalProperties": [
                "cloud_displayname"
            ],
            "essential": false,
            "name": "groups",
            "source": null
        }
    ],
    // ... other claims
}

I've done this; the group is now auto-created as <ENTRAIDGROUPNAME-REALM>.

NOTE: I have not tested using a group name with a space!!!
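To check in advance what the two posts above describe, here is an added example (not from this thread, Proxmox or Microsoft): it decodes a constructed Entra ID token payload (no signature verification; inspection only) and predicts which groups the realm would map or autocreate as '<claim value>-<realm>', flagging names Proxmox would reject (such as "IT Staff") and the overage case where the groups claim is missing altogether. The group-ID character set and the realm name "ABC-Azure" are assumptions taken from the thread's observations, not from the PVE source.

```python
import base64
import json
import re

# Assumed Proxmox group-ID character set (letters, digits, '.', '-', '_'), inferred
# from the thread's report that "IT Staff" was rejected; not copied from PVE source.
PVE_GROUP_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    """Payload claims of an ID token WITHOUT signature verification (inspection only;
    Proxmox verifies the signature itself during the OIDC login)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))

def pve_group_mapping(claims: dict, realm: str, groups_claim: str = "groups") -> dict:
    """Predict the Proxmox group names ('<claim value>-<realm>') a token would yield.
    Values with characters outside PVE_GROUP_RE cannot become Proxmox groups."""
    values = claims.get(groups_claim)
    if not values:
        # Entra omits the claim when the user is in too many groups (the overage
        # case quoted above), so the login carries no group information at all.
        return {"groups_present": False, "mapped": [], "rejected": []}
    mapped, rejected = [], []
    for value in values:
        name = f"{value}-{realm}"
        (mapped if PVE_GROUP_RE.match(name) else rejected).append(name)
    return {"groups_present": True, "mapped": mapped, "rejected": rejected}

def constructed_id_token(claims: dict) -> str:
    """Unsigned, constructed token for this example (not a real Entra-issued token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])

# Constructed claims: one group object ID (Entra's default) plus two display names,
# as emitted after the cloud_displayname manifest change described above.
SAMPLE_CLAIMS = {
    "groups": ["aaaa1111-1aa1-2222-3a33-aaaaaa111111", "IT Staff", "IT-Staff"],
}
REALM = "ABC-Azure"  # realm name used in the thread

def demo() -> dict:
    return pve_group_mapping(id_token_claims(constructed_id_token(SAMPLE_CLAIMS)), REALM)
```

Running demo() shows the object-ID group and "IT-Staff" mapping cleanly while "IT Staff" lands in the rejected list, which is the case the workaround above addresses.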
 
Have you got the My Apps portal working? I am attempting to get that working. The SSO works perfectly if I manually type in the IP address and log in, but when I click the app under myapps.microsoft.com, I get "the app failed to launch".