SUSE Support

Here When You Need Us

Azure AD API Removal

This document (000020682) is provided subject to the disclaimer at the end of this document.

Situation

Summary of Changes

Microsoft is ending support of the existing AzureAD Graph API before 2023. Accordingly, Rancher has updated our AzureAD auth provider to use the new Microsoft Graph API to access users and groups in Active Directory.

 

Details of Old vs New

Old

  • ADAL is the authentication library we use to get access tokens to the deprecated Azure AD Graph API.

New

  • MSAL is the new authentication library we will instead use to get access tokens to the new Microsoft Graph API.

 

Actions Required of Users

  • New users of v2.6.x and v2.7.x will use the new Microsoft Graph API when they register Rancher with Azure AD. There will be no need for a transition.
  • Existing users who have Azure AD as the auth provider will see an informational notification/banner that will urge them to upgrade Rancher's auth provider before the end of 2022. Beforehand, their app in Azure will need to have the necessary permissions for Rancher to be able to work with Users and Groups in AD. To upgrade, the UI will have a button to instruct the backend to use the new authentication/authorization flow without requiring Rancher admins to reconfigure the existing auth provider.
  • AD admins must add the necessary Microsoft Graph permissions to their apps:
    • In 2.6.X, Rancher needs User.Read.All and Group.Read.All - both must be Application (not Delegated) permissions.
    • In 2.7.X, Rancher needs permissions that allow the following actions:
      • Get a user.
      • List all users.
      • List groups of which a given user is a member.
      • Get a group.
      • List all groups.
      Here are a few examples of permission combinations that satisfy Rancher's needs:
      1. Directory.Read.All
      2. User.Read.All and GroupMember.Read.All
      3. User.Read.All and Group.Read.All

 

Support Considerations or Gotchas

When you choose to upgrade the existing Azure AD auth provider configuration in Rancher, please keep in mind that all users' access tokens to the deprecated Azure AD Graph API will be deleted, since Rancher won't need them anymore because it won't be communicating with it.

Instead, Rancher will store in a secret only one access token to the new Microsoft Graph API - that of the service principal associated with the App registration in Azure AD. This token is refreshed once an hour (not in the background, but when its use triggers a refresh).

Additional migration instructions can be found at these links:

For Rancher 2.6.x

For Rancher 2.7.x

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020682
  • Creation Date: 29-Jun-2022
  • Modified Date:27-Nov-2023
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.