How to Setup Azure AD SAML SSO in Morpheus to use Azure Group Lookups

When a user in Azure AD is a member of more than 150 groups, Azure does not include the group claims in the SAML response (a group overage claim is sent instead), so Morpheus has to query Microsoft Graph to obtain the user's group memberships. If you have users who belong to more than 150 groups, populate the Azure Group Lookups section so that those users can use the Azure AD SAML SSO integration; otherwise no groups will be obtained for them and the proper role mappings cannot be applied.

Follow the steps below to set up Azure Group Lookups.

  1. Navigate to Microsoft Entra ID / Azure AD.

  2. Select App registrations.

  3. Select New registration.

  4. Specify any app name and click Register.

  5. Click on Overview and make note of the App ID (shown as Application (client) ID) and the Tenant ID (shown as Directory (tenant) ID).

  6. Click on Certificates & secrets and create a new client secret.

  7. Specify the description and expiration and make note of the secret value. The value is shown only once, and Group Lookups stop working once the secret expires, so record the expiry date and rotate the secret before then.

  8. Click on API permissions and remove all existing permissions for the Graph API (the delegated User.Read permission added by default is not needed for app-only lookups).

  9. Add a permission and select Microsoft Graph.

  10. Select Application permissions.

  11. Select the ‘User.Read.All’ permission and click Add permissions.

  12. Click on Grant admin consent for… (Application permissions are inactive until an administrator consents.)

  13. In the Morpheus application, edit the Azure AD SAML SSO identity source settings and fill in the Group Lookups section with the Tenant ID, App ID, and App Secret from steps 5 through 7.
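Before entering the values into Morpheus it is worth confirming that the registration works the way Morpheus will use it: acquire an app-only token with the client-credentials grant, check that the token actually carries the `User.Read.All` application role (which is what Grant admin consent produces; without it Graph answers 403), and page through a user's group memberships. The script below is an added example, not code from this page or from Morpheus. The tenant, App ID, secret and user values are placeholders, the Graph `memberOf` call is one way to read a user's groups (the page does not say which Graph query Morpheus issues), and the two sample response pages are constructed so that the paging logic runs offline; `--live` performs the real calls.

```python
"""Added check for an Azure AD "Group Lookups" app registration.

Without arguments it runs offline against constructed sample data; with --live it
performs the real token request and Graph call using the placeholder values below.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Placeholders (assumed values): replace with the Tenant ID, App ID and secret value noted above.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APP_ID = "11111111-1111-1111-1111-111111111111"
APP_SECRET = "replace-with-the-secret-value"
USER = "alice@example.com"        # a user with more than 150 groups is the interesting case

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "User.Read.All"   # the Application permission granted in the steps above


def token_request(tenant_id, app_id, app_secret):
    """Build the client-credentials request: (url, form-encoded body) for an app-only Graph token."""
    form = {
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
        # .default asks for every Application permission the administrator consented to
        "scope": "https://graph.microsoft.com/.default",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def app_roles(access_token):
    """Return the set of application roles carried in the token payload.

    An empty set means admin consent was not granted (step 12) and Graph will answer 403.
    The signature is deliberately not checked: this is the token we just received."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def user_groups(get_json, user):
    """Collect {group id: displayName} for the user's direct memberships.

    Graph pages memberOf (100 objects per page by default), so a user with more than
    150 groups always spans several pages; stop only when there is no @odata.nextLink.
    Non-group objects (directory roles, administrative units) are skipped.
    get_json(url) -> dict is injected so the paging logic can run offline."""
    url = f"{GRAPH}/users/{urllib.parse.quote(user)}/memberOf?$select=id,displayName"
    groups = {}
    while url:
        page = get_json(url)
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.group":
                groups[obj["id"]] = obj.get("displayName")
        url = page.get("@odata.nextLink")
    return groups


def http_json(url, data=None, headers=None):
    """Minimal JSON-over-HTTPS helper on the standard library (no third-party dependency)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


# Constructed sample pages: one object of each type, split across two pages as Graph does.
FIRST_PAGE_URL = f"{GRAPH}/users/{urllib.parse.quote(USER)}/memberOf?$select=id,displayName"
SAMPLE_PAGES = {
    FIRST_PAGE_URL: {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-1", "displayName": "Morpheus-Admins"},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1", "displayName": "Global Reader"},
        ],
        "@odata.nextLink": f"{GRAPH}/next-page",
    },
    f"{GRAPH}/next-page": {
        "value": [{"@odata.type": "#microsoft.graph.group", "id": "g-2", "displayName": "Morpheus-Users"}],
    },
}


def run_live():
    """Acquire a real token, verify the granted role, and list the user's groups."""
    url, body = token_request(TENANT_ID, APP_ID, APP_SECRET)
    token = http_json(url, data=body)["access_token"]
    roles = app_roles(token)
    if REQUIRED_ROLE not in roles:
        sys.exit(f"token has roles {sorted(roles)}; grant admin consent for {REQUIRED_ROLE}")
    groups = user_groups(lambda u: http_json(u, headers={"Authorization": f"Bearer {token}"}), USER)
    print(f"{USER}: {len(groups)} groups")


if __name__ == "__main__":
    if "--live" in sys.argv:
        run_live()
    else:
        # offline: {'g-1': 'Morpheus-Admins', 'g-2': 'Morpheus-Users'}
        print(user_groups(SAMPLE_PAGES.__getitem__, USER))
```

If the live run reports an empty role set, go back to step 12; if the token carries `User.Read.All` but Graph still returns 403 on the group query, compare the permission requirements of the Graph call you use against the Microsoft Graph permissions reference for that endpoint. Keep the secret out of the script in real use (read it from an environment variable or a vault) and delete the registration's secret if it is ever pasted anywhere it should not be.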
