Feature: Allow login only for specific Entra group

[valluwtf]

Is there an existing request for this feature?

• I have searched the existing issues and found none that matched mine

Describe the feature

It would be great if one could allow multiple users to authenticate on multiple servers with different access rights through group membership, but all in one Entra ID Application by adding the users to groups in Entra which authd then allows.

Describe the ideal solution

I edit the broker config file with allowed groups on each host

allowed_group: <HOSTNAME1>

and on login, authd validates with the token if the user is part of that group and then allows or declines login.

Alternatives and current workarounds

Currently I would say the only workaround for granting dedicated access is to have a single Entra Application for each host, which would work but is not really ideal if you have more than a handful of hosts....

System information and logs

Environment

• broker version: please run snap info authd-msentraid
• authd version: please run /usr/libexec/authd version
• gnome shell version: please run apt policy gnome-shell
• Distribution: (NAME in /etc/os-release)
• Distribution version: (VERSION_ID on /etc/os-release):

Log files

Please redact/remove sensitive information:

Authd entries:

journalctl -u authd.service

MS Entra ID broker entries:

journalctl -u snap.authd-msentraid.authd-msentraid.service

Application settings

Please redact/remove sensitive information:

Broker configuration:

cat /var/snap/authd-msentraid/current/broker.conf

Broker authd configuration:

cat /etc/authd/brokers.d/msentraid.conf

Relevant information

No response

Double check your logs

• I have redacted any sensitive information from the logs

[valluwtf]

Well.. I just added AllowGroups setting in sshd.config and that fixes this easily so this feature is not really necessary for us anymore since we only use ssh login.