https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376718#M242989 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/107066">@sid_21m</a>&nbsp;<BR /><BR />Within NiFi, authentication and authorization are handled as separate processes.&nbsp; Upon successful authentication, NiFi has a user identity (In your case that user identity is your Azure AD username. That user identity is passed to the authorizer to make determination as to what NiFi authorization that user has been granted. At this point nothing more is known about the authenticated user other than the user identity.<BR /><BR />The Authorizer is configured in the <A href="https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup" target="_self">authorizers.xml</A> NiFi configuration file. In here you have multiple choices available to you, but none of them are capable of collecting App Roles from Azure.&nbsp; You can use the <A href="https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider" target="_self">ldap-user-group-provider</A> to collect ldap user to group associations from Azure AD.<BR /><BR /></P><P>If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "<SPAN><EM><STRONG><FONT color="#FF0000">Accept as Solution</FONT></STRONG></EM>" on one or more of them that helped.</SPAN></P><P><SPAN>Thank you,<BR />Matt</SPAN></P><P><BR /><BR /><BR /></P> Fri, 22 Sep 2023 14:33:59 GMT MattWho 2023-09-22T14:33:59Z https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376694#M242982 <P>Hi,</P><P>I am trying to implement OIDC authentication with Azure AD in NIFI, I am able to enable it and user is able to login but now I want to use App Roles created in Azure App Registration instead of AD groups, how can I do that.&nbsp;</P> Fri, 22 Sep 2023 06:04:33 GMT https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376694#M242982 sid_21m 2023-09-22T06:04:33Z https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376706#M242984 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/107066">@sid_21m</a>,&nbsp;Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35454">@MattWho</a>&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/103151">@cotopaul</a>&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80381">@SAMSAL</a>&nbsp; who may be able to assist you further.<BR /><BR />Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.</P> Fri, 22 Sep 2023 08:46:39 GMT https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376706#M242984 VidyaSargur 2023-09-22T08:46:39Z https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376718#M242989 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/107066">@sid_21m</a>&nbsp;<BR /><BR />Within NiFi, authentication and authorization are handled as separate processes.&nbsp; Upon successful authentication, NiFi has a user identity (In your case that user identity is your Azure AD username. That user identity is passed to the authorizer to make determination as to what NiFi authorization that user has been granted. At this point nothing more is known about the authenticated user other than the user identity.<BR /><BR />The Authorizer is configured in the <A href="https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup" target="_self">authorizers.xml</A> NiFi configuration file. In here you have multiple choices available to you, but none of them are capable of collecting App Roles from Azure.&nbsp; You can use the <A href="https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider" target="_self">ldap-user-group-provider</A> to collect ldap user to group associations from Azure AD.<BR /><BR /></P><P>If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "<SPAN><EM><STRONG><FONT color="#FF0000">Accept as Solution</FONT></STRONG></EM>" on one or more of them that helped.</SPAN></P><P><SPAN>Thank you,<BR />Matt</SPAN></P><P><BR /><BR /><BR /></P> Fri, 22 Sep 2023 14:33:59 GMT https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376718#M242989 MattWho 2023-09-22T14:33:59Z https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376838#M243029 <P>Thanks&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35454">@MattWho</a>&nbsp; for clarifying this, so to use OIDC and fetch the groups I need to give User.Read.All and Group.Read.All permission, I think there should be a way to use App roles if I don't want to give these permissions. Anyways I will try to use AD groups in place of App Roles.</P><P>Thanks for your response.</P> Tue, 26 Sep 2023 11:09:02 GMT https://community.cloudera.com/t5/Support-Questions/OIDC-App-Role-Configuration-in-NIFI/m-p/376838#M243029 sid_21m 2023-09-26T11:09:02Z