Hi badalk,

1. The latest AD plugin should use the AD UPN for Jenkins user id. Make sure you upgrade the AD plugin and azure-commons plugin at the same time. But this version has some problems with Jenkins API now. You need to add a new role "username (UPN)" in the matrix to make it work around.
2. The group feature seems not work now. I will investigate it.

Hi jieshe, even with adding specific user and granting overall read permissions, when i keep the user id as Azure AD user id (i.e. email address) I am not able to invoke the API. It gives me 403 forbidden - Access Denied error indicating <user> is missing the Overall/Read permission.

Alternatively, When invoking the API with object id as the user id i get 500 Server error as indicated below

java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 193.17.108.1; SessionId: null; Not granted any authorities

Can you confirm it works for individual user at least? (not the group) and if I am missing anything? 

Note: I am using Azure Active Directory Matrix-based security

This was working with Object ID as the user ID before I upgraded Azure AD plug-in but as per your suggestion when I updated the plugin and restarted the jenkins service (and even the VM), its not working either ways

Interestingly, after further investigation the reason why it works is because anonymous user is granted an admin permission earlier. I realized this after removing Azure AD configuration from manage global security and re-configured everything from scratch. By default anonymous user is granted an admin permission, the moment I remove it, even of individual user the remote API call (despite of having overall read permissions), gives forbidden error. For sake of trying I turned on overall read permissions for Anonymous (not admin) and it started working again.. so granting permissions for individual users does not have any impact, you need to grant permissions to anonymous users to have overall read permissions. I think its a bug !!

Hi badalk,

Yes, there are some problems here. And I have created an issue on Github to entirely fix this. For now, there is a temporarily solution for you to work around here.

In the Azure Active Directory Matrix-based security section, you need to have two users in the matrix to make it work for accessing Jenkins API. The auto-completion will provide you a user name like 'username (object id)'. Besides this, you need to add a user name like 'username (user ID)' and give it the reading permission. By that, the API things should work.

Hi jieshe,

I am trying to access the Jenkins RESTApi from a command shell; and I adjusted the Jenkins Server to use Azure AD as the Security Realm.

But I can't start a build job on Jenkins Server by using a command shell command such as curl or Invoke-RestMethod on PoSh. Do you have a suggestion on this?

jieshe - thank you for posting the workaround using the two users in the matrix.  This allows Jenkins Job Builder to authenticate and create/update jenkins jobs with our jenkins master using the Azure AD plugin.

jieshe 

I am facing issue while accessing API. I have followed your comment on 'username (object id)' and 'username (user ID)'. But it didn't work for me.

Can you please give one example how to add these 2 user. I can understand, this one "username (object id)" is based on autocomplete but what about 'username (user ID)', what will be user ID here.

On which user, i should create API token

I am making GET API call to following URL on my server (Note i have jenkins prefix to access my jenkins instance)

https://<domainName>/<prefix-jenkins>/api/json

Now working !!

I am able to fix this by adding my email id as user and assigning view permission. In the API call, i am using my email ID as username and Token as Password