add documentation for MS Graph plugin #130703
Open
+188
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
richard-dennehy
added
>docs
|
🔍 Preview links for changed docs:
🔔 The preview site may take up to 3 minutes to finish building. These links will become live once it completes. |
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
8836670 to
e884907
Compare
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
e884907 to
1a01d28
Compare
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
88a84df to
81cf4ca
Compare
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
81cf4ca to
a8599c7
Compare
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
a8599c7 to
c26b3c1
Compare
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
c26b3c1 to
425099e
Compare
|
Pinging @elastic/es-docs (Team:Docs) |
|
Pinging @elastic/es-security (Team:Security) |
richard-dennehy
commented
Jul 8, 2025
|
|
||
| The plugin must be installed on every node in the cluster, and each node must be restarted after installation. | ||
|
|
||
| You can download this plugin for [offline install](/reference/elasticsearch-plugins/plugin-management-custom-url.md) from [https://artifacts.elastic.co/downloads/elasticsearch-plugins/microsoft-graph-authz/microsoft-graph-authz-{{version}}.zip](https://artifacts.elastic.co/downloads/elasticsearch-plugins/microsoft-graph-authz/microsoft-graph-authz-{{version}}.zip). To verify the `.zip` file, use the [SHA hash](https://artifacts.elastic.co/downloads/elasticsearch-plugins/microsoft-graph-authz/microsoft-graph-authz-{{version}}.zip.sha512) or [ASC key](https://artifacts.elastic.co/downloads/elasticsearch-plugins/microsoft-graph-authz/microsoft-graph-authz-{{version}}.zip.asc). |
There was a problem hiding this comment.
it's difficult for me to verify this link as I don't think we've published any artifacts yet 🤔
richard-dennehy
force-pushed
the
ms-graph-docs
branch
from
88b47fd to
243e5a1
Compare
shainaraskas
reviewed
Jul 8, 2025
| @@ -0,0 +1,13 @@ | |||
| --- | |||
| mapped_pages: | |||
| - https://www.elastic.co/guide/en/elasticsearch/plugins/current/authentication.html | |||
There was a problem hiding this comment.
if these plugins are only available as of 9.1, we should state that. this docs set is only applicable to a 9+ context which is why we wouldn't have 8.19 listed as well
Suggested change
| - https://www.elastic.co/guide/en/elasticsearch/plugins/current/authentication.html | |
| - https://www.elastic.co/guide/en/elasticsearch/plugins/current/authentication.html | |
| applies_to: | |
| stack: ga 9.1 |
| @@ -0,0 +1,35 @@ | |||
| --- | |||
| mapped_pages: | |||
| - https://www.elastic.co/guide/en/elasticsearch/plugins/current/ms-graph-authz.html | |||
There was a problem hiding this comment.
Suggested change
| - https://www.elastic.co/guide/en/elasticsearch/plugins/current/ms-graph-authz.html | |
| - https://www.elastic.co/guide/en/elasticsearch/plugins/current/ms-graph-authz.html | |
| applies_to: | |
| stack: ga 9.1 |
Comment on lines
+14
to
+18
| This plugin can be installed using the plugin manager: | ||
|
|
||
| ```sh | ||
| sudo bin/elasticsearch-plugin install microsoft-graph-authz | ||
| ``` |
There was a problem hiding this comment.
does this plugin work for all deployment types, or just self-managed vanilla elasticsearch?
There was a problem hiding this comment.
I've been testing with Elastic Cloud, but it should work with any other deployment type
|
|
||
| # Authentication Plugins [authentication] | ||
|
|
||
| Authentication plugins extend the functionality provided by the built-in [authentication realms](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/authentication-realms.md) |
There was a problem hiding this comment.
Suggested change
| Authentication plugins extend the functionality provided by the built-in [authentication realms](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/authentication-realms.md) | |
| Authentication plugins extend the functionality provided by the built-in [authentication realms](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/authentication-realms.md). |
|
|
||
| ## Create a custom Azure Application | ||
|
|
||
| 1) Log in to the [Azure portal](https://portal.azure.com) and go to Microsoft Entra ID |
There was a problem hiding this comment.
Suggested change
| 1) Log in to the [Azure portal](https://portal.azure.com) and go to Microsoft Entra ID | |
| 1) Log in to the [Azure portal](https://portal.azure.com) and go to Microsoft Entra ID. |
| ::: | ||
| 4) Under Manage > Certificates & secrets | ||
| - Create a new client secret | ||
| - Take note of the Value - this is needed later, and is only shown once |
There was a problem hiding this comment.
Suggested change
| - Take note of the Value - this is needed later, and is only shown once | |
| - Take note of you new client secret's **Value**. This is needed later, and is only displayed once. |
| :alt: get your application ID | ||
| ::: | ||
| 4) Under Manage > Certificates & secrets | ||
| - Create a new client secret |
There was a problem hiding this comment.
Suggested change
| - Create a new client secret | |
| - Create a new client secret. |
Comment on lines
39
to
47
| 5) Under Manage > API permissions | ||
| - Go to “Add a permission” | ||
| - Choose “Microsoft Graph” | ||
| - Choose “Application permissions” | ||
| - Select “Directory.ReadWrite.All, Group.ReadWrite.All, User.Read.All” | ||
| - Note that an Azure Admin will need to approve these permissions before the credentials can be used | ||
| :::{image} ./images/ms-graph-authz/05-configure-api-permissions.png | ||
| :alt: configure api permissions | ||
| ::: |
There was a problem hiding this comment.
ordered procedures of more than two items need a numbered list
Suggested change
| 5) Under Manage > API permissions | |
| - Go to “Add a permission” | |
| - Choose “Microsoft Graph” | |
| - Choose “Application permissions” | |
| - Select “Directory.ReadWrite.All, Group.ReadWrite.All, User.Read.All” | |
| - Note that an Azure Admin will need to approve these permissions before the credentials can be used | |
| :::{image} ./images/ms-graph-authz/05-configure-api-permissions.png | |
| :alt: configure api permissions | |
| ::: | |
| 5) Under **Manage** > **API permissions**, do the following: | |
| 1. Go to **Add a permission**. | |
| 2. Choose **Microsoft Graph**. | |
| 3. Choose **Application permissions**. | |
| 4. Select the following permissions: `Directory.ReadWrite.All`, `Group.ReadWrite.All`, and `User.Read.All`. | |
| Note that an Azure Admin will need to approve these permissions before the credentials can be used | |
| :::{image} ./images/ms-graph-authz/05-configure-api-permissions.png | |
| :alt: configure API permissions | |
| ::: |
|
|
||
| # Configuration properties [configuration-properties] | ||
|
|
||
| Once the plugin is installed, the following configuration settings are available: |
There was a problem hiding this comment.
Suggested change
| Once the plugin is installed, the following configuration settings are available: | |
| After the plugin is installed, the following configuration settings are available: |
|
|
||
| Create a Microsoft Graph realm, following the above settings, then configure an existing realm to delegate to it using `authorization_realms`. | ||
|
|
||
| For example, to authenticate via Microsoft Entra with SAML and use the Microsoft Graph plugin to look up group membership: |
There was a problem hiding this comment.
Suggested change
| For example, to authenticate via Microsoft Entra with SAML and use the Microsoft Graph plugin to look up group membership: | |
| For example, the following configuration authenticates using Microsoft Entra with SAML, and uses the Microsoft Graph plugin to look up group membership: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add documentation for the plugin introduced in #128396
This will need a manual backport to 8.19