Hi everyone, I'm trying to ingest azure org data for a specific group into my catalog. I haven't been able to successfully authenticate. Here is a snippet of my app-config.yaml. I'm using one of the built in resolvers and I'm getting the following error after signing in with the oauth flow Login failed; caused by Error: Failed to sign-in, unable to resolve user identity I've also enabled the app permissions GroupMember.Read.All & User.Read.All which have been granted admin consent. Anyone have any guidance on what I may be doing wrong? I've tested the graph queries in postman and everything seems to be correct.

//app-config.yaml
...

auth:
  environment: development
  providers:
    microsoft:
      development:
        clientId: REDACTED
        clientSecret: REDACTED
        tenantId: REDACTED
        domainHint: REDACTED
        # additionalScopes:
        #   - Mail.Send
        signIn:
          resolvers:
            # typically you would pick one of these
              - resolver: emailMatchingUserEntityProfileEmail
            # - resolver: emailLocalPartMatchingUserEntityName
            # - resolver: emailMatchingUserEntityAnnotation
    guest: {}

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        target: https://graph.microsoft.com/v1.0
        authority: https://login.microsoftonline.com
        tenantId: REDACTED
        clientId: REDACTED
        clientSecret: REDACTED
        queryMode: advanced # basic | advanced
        user:
          #expand: manager
          loadPhotos: false
          select: ['id', 'displayName', 'mail']
        # userGroupMember:
        group:
          filter: id eq '<group-id>'
        schedule: 
          frequency: PT1H
          timeout: PT3M

i;m getting same issue lol.

@plucky notch https://github.com/backstage/backstage/issues/24572 Found this issue helpful, but believe I'm still missing something.

do still get the same issue if the catalog piece is commented out like so:

catalog:

providers:

microsoftGraphOrg:

default:

clientId: REDACTED

clientSecret: REDACTED

tenantId: REDACTED

user:

filter: accountEnabled eq true and userType eq 'member'

group:

filter: >

displayName eq 'REDACTED'

schedule:

frequency: PT1H

timeout: PT50M

retry: PT5M

@plucky notch I was able to figure it out.

The following line was loading all users from my AAD tenant:

user:
  loadPhotos: false
  select: ['id', 'displayName', 'mail']
group:
  filter: id eq '<group-id>'

By replacing the user line with the userGroupMember I was able to load in only the handful of users in our AAD group.

userGroupMember:
  filter: id eq '<group-id>'
group:
  filter: id eq '<group-id>'

I see nice

Hi @subtle light, just wanted to follow up on this. We do have userGroupMember examples in the docs: https://backstage.io/docs/integrations/azure/org#users. Was that not helpful for you?

@nova valve I think the documentation here is good. I was having trouble with the auth and wasnt sure if users were being loaded in. I switched to guest auth and after confirming they were being ingested, the docs were helpful in filtering down to group members.

Thanks for the feedback!

I have sort of an extension of this question, and I can start a new thread if appropriate,
My question is related around using the plugin-catalog-backend-module-msgraph as a dynamic plugin within the red hat dev hub flavor of backstage. I have imported the plugin and have tested it successfully to import user and group objects.

But now I'd like to expand the import to include some additional logic and metadata, such as one would normally accomplish by building their own custom transformers in backstage.

I don't see a currently exposed way through the plug-in to inject a user or group transformer as a input Param, and I'm curious if the best way would be - to copy of the default transformer.ts file from the plugin, and then modify it with my updated transformer logic and then store the modified file as a configmap, mounting it to the container to overwrite the file included during container startup?

Is there any general guidance if this is the easiest solution or if there might be a better way to transform user and group data while importing from MSgraph / Azure? I prefer not to fork and deploy my own modified version of the plugin if possible just to allow my particular use case through the dynamic plugins infrastructure.

Thanks in advance!

Hi @pallid lake, sorry, I'm very confused, isn't that what this provides? https://backstage.io/docs/integrations/azure/org/#using-custom-transformers

Correct, after reading this document I think my solution of mounting a file to overwrite maybe my best bet.

Unlike a vanilla backstage installation, Red hat developer hub is designed to be completely extended through the use of dynamic plugins without modifying the upstream backstage source code.

Since the MS graph plug-in doesn't allow native configuration of transformers through the app-config dynamically, (or even let you point to a custom transformation file) - so I think overriding the file at startup might be the easiest way to extend the existing file through this infrastructure

Alright, I'd say then reaching out to Red Hat is probably going to be a better starting point for questions like this.

Understood, I was hoping someone here may have had some experience especially since the Red hat backed Janus plugins are soon being migrated into the community repository as well as the RFC proposed here for dynamic plugins
https://github.com/backstage/backstage/issues/18390

Unfortunately the Janus team only has a single slack channel, and red hat support has cost involvements. There's a lot more involvement and community support in this discord 🙂

I'll test when I can and report back if successful 👍