Important: This plug-in is maintained by the Jenkins community and won’t be supported by Microsoft as of February 29, 2024.
A Jenkins Plugin that supports authentication & authorization via Microsoft Entra ID (previously known as Azure Active Directory).
1. Open Microsoft Entra ID, then click App registrations.
2. Click New registration.
3. Add a new Reply URL `https://{your_jenkins_host}/securityRealm/finishLogin`. Make sure "Jenkins URL" (Manage Jenkins => Configure System) is set to the same value as `https://{your_jenkins_host}`.
4. Click Certificates & secrets.
   - To use a client secret: under Client secrets, click New client secret to generate a new key. Copy the value; it will be used as Client Secret in Jenkins.
   - To use a certificate: under Certificates, click Upload certificate to upload your certificate. This certificate will be used for client certificate authentication in Jenkins. You will need the private key corresponding to this certificate, in PEM format.
5. Click Authentication and, under 'Implicit grant and hybrid flows', enable ID tokens.
6. (optional) To enable Microsoft Entra ID group support: click Manifest and change the `"groupMembershipClaims": null` value to `"groupMembershipClaims": "SecurityGroup"`, then 'Save' it.
In order for Jenkins to be able to look up data from Microsoft Entra ID, it needs some Graph API permissions.
This is used for:
Note: You can skip this part and just use the claims returned when authenticating.
1. Click API permissions.
2. Click Add a permission.
3. Select Microsoft Graph.
4. Select Application permissions.
5. Add 'User.Read.All', 'Group.Read.All' and 'People.Read.All'.
6. Click Grant admin consent. If you are not an admin in your tenant, please contact an admin to grant the permissions.
1. Click Manage Jenkins in the left menu, then click Security.
2. Check Azure Active Directory and fill in the credential.
3. Click Verify Application to make sure your input is valid.
4. Save the configuration (at this point, logged-in users will have permission to do anything).
5. Log in with Microsoft Entra ID.
6. Return to 'Security' to configure authorization.
Note: if you haven't set up Graph API permissions, Verify Application will fail; skip over that step.
Jenkins will match permissions based on the Object ID of a user or group.
This plugin extends the traditional Matrix Authorization Strategy with the ability to search for users / groups by display name when configuring the authorization rules.
To use this feature, choose 'Azure Active Directory Matrix-based security' as the authorization strategy.
You can still use other authorization strategies such as:
The following can normally be used: the `preferred_username` claim, which is normally the 'User principal name', but not always.

The plugin has full support for use in Configuration as Code and Job DSL.
For an example combining the two, see the configuration-as-code.yml test resource.
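As an added illustration, not taken from the plugin's README or its test resource, here is a Configuration as Code fragment of the kind the section above describes: the security realm wired to the Entra ID app registration, and the matrix strategy granting permissions by Object ID. The key names (`azure`, `clientId`, `clientSecret`, `tenant`, `cacheDuration`, `fromRequest`, `azureAdMatrix`, `permissions`) and the placeholder values are assumptions; check them against the `configuration-as-code.yml` test resource before use.

```yaml
# Added example (assumed key names; verify against the plugin's
# configuration-as-code.yml test resource).
jenkins:
  securityRealm:
    azure:
      # Application (client) ID and Directory (tenant) ID of the
      # app registration created in the steps above.
      clientId: "${AZURE_CLIENT_ID}"
      tenant: "${AZURE_TENANT_ID}"
      # Read the client secret from the environment so it is never
      # committed alongside this file.
      clientSecret: "${AZURE_CLIENT_SECRET}"
      # How long (seconds) to cache Graph API lookups; assumed key.
      cacheDuration: 3600
      # Derive the redirect URL from the incoming request; assumed key.
      # Must still agree with the Reply URL registered in Entra ID.
      fromRequest: true
  authorizationStrategy:
    azureAdMatrix:
      permissions:
        # Permissions are matched on Object IDs, not display names.
        # Placeholder IDs below; replace with values from your tenant.
        - "GROUP:Overall/Administer:00000000-0000-0000-0000-000000000001"
        - "GROUP:Overall/Read:00000000-0000-0000-0000-000000000002"
        - "USER:Overall/Read:00000000-0000-0000-0000-000000000003"
```

Granting Overall/Administer to a group Object ID rather than an individual keeps admin access tied to Entra ID group membership, which the `"groupMembershipClaims": "SecurityGroup"` manifest setting above makes available at login.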
A: You can disable the security from the config file (see https://www.jenkins.io/doc/book/security/access-control/disable/)
A: It can take a long time for the privileges to take effect, which could be 10-20 minutes. Just wait for a while and try again.