From 08348c617f0dbd0255055a83a78c866ef95b9b0c Mon Sep 17 00:00:00 2001 From: Arthur Date: Thu, 17 Aug 2023 09:12:21 -0700 Subject: [PATCH] 11508 review changes - flexible config params
---
 .../authentication/microsoft-azure-ad.md | 24 ++++++++++++++++--- netbox/netbox/authentication.py | 19 ++++++++------- 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/docs/administration/authentication/microsoft-azure-ad.md b/docs/administration/authentication/microsoft-azure-ad.md
index 28f7b7ffa..3e6b289a0 100644
--- a/docs/administration/authentication/microsoft-azure-ad.md
+++ b/docs/administration/authentication/microsoft-azure-ad.md
@@ -84,16 +84,34 @@ SOCIAL_AUTH_PIPELINE = (
 # Define special user types using groups. Exercise great caution when assigning superuser status.
 SOCIAL_AUTH_PIPELINE_CONFIG = {
 'AZUREAD_USER_FLAGS_BY_GROUP': {
- "is_staff": ['{AZURE_GROUP_ID}',],
- "is_superuser": ['{AZURE_GROUP_ID}',]
+ "is_staff": ['{AZURE_GROUP_ID1}','{AZURE_GROUP_ID2}'],
+ "is_superuser": ['{AZURE_GROUP_ID1}','{AZURE_GROUP_ID2}']
 },
 'AZUREAD_GROUP_MAP': {
- '{AZURE_GROUP_ID}': '{NETBOX_GROUP}',
+ '{AZURE_GROUP_ID1}': '{NETBOX_GROUP1}',
+ '{AZURE_GROUP_ID2}': '{NETBOX_GROUP2}',
 }
 }
 ```
+
+For example, here is a config that maps a single Azure AD group (the token '1a36bed9-3bdc-4970-ab66-faf9704e0af4' shown here is the ID of the group within the Azure dashboard) to be both is_staff and is_superuser status as well as assign it to the group 'tgroup' within NetBox:
+
+```
+SOCIAL_AUTH_PIPELINE_CONFIG = {
+ # Define special user types using groups. Exercise great caution when assigning superuser status.
+ 'AZUREAD_USER_FLAGS_BY_GROUP': {
+ 'is_staff': ['1a36bed9-3bdc-4970-ab66-faf9704e0af4',],
+ 'is_superuser': ['1a36bed9-3bdc-4970-ab66-faf9704e0af4',]
+ },
+
+ 'AZUREAD_GROUP_MAP': {
+ '1a36bed9-3bdc-4970-ab66-faf9704e0af4': 'tgroup',
+ }
+}
+```
+
 **AZUREAD_USER_FLAGS_BY_GROUP.is_staff**: users who are in any of the Azure AD group-ids in the array will have staff permission assigned to them.
 **AZUREAD_USER_FLAGS_BY_GROUP.is_superuser**: users who are in any of the Azure AD group-ids in the array will have superuser permission assigned to them.
diff --git a/netbox/netbox/authentication.py b/netbox/netbox/authentication.py
index 7c093621f..19920d505 100644
--- a/netbox/netbox/authentication.py
+++ b/netbox/netbox/authentication.py
@@ -403,18 +403,21 @@ def azuread_map_groups(response, user, backend, *args, **kwargs):
 )
 config = getattr(settings, "SOCIAL_AUTH_PIPELINE_CONFIG")
- if "AZUREAD_USER_FLAGS_BY_GROUP" not in config:
+ if "AZUREAD_USER_FLAGS_BY_GROUP" not in config and "AZUREAD_GROUP_MAP" not in config:
 raise ImproperlyConfigured(
- "Azure AD group mapping has been configured, but AZUREAD_USER_FLAGS_BY_GROUP is not defined."
+ "Azure AD group mapping has been configured, but AZUREAD_USER_FLAGS_BY_GROUP or AZUREAD_GROUP_MAP is not defined."
 )
- if "AZUREAD_GROUP_MAP" not in config:
+ flags_by_group = config.get("AZUREAD_USER_FLAGS_BY_GROUP", {'is_superuser': [], 'is_staff': []})
+ group_mapping = config.get("AZUREAD_GROUP_MAP", {})
+
+ if 'is_staff' not in flags_by_group and 'is_superuser' not in flags_by_group:
 raise ImproperlyConfigured(
- "Azure AD group mapping has been configured, but AZUREAD_GROUP_MAP is not defined."
+ "Azure AD group mapping AZUREAD_USER_FLAGS_BY_GROUP is defined but does not contain either is_staff or is_superuser."
 )
- flags_by_group = config["AZUREAD_USER_FLAGS_BY_GROUP"]
- group_mapping = config["AZUREAD_GROUP_MAP"]
+ superuser_map = flags_by_group.get('is_superuser', [])
+ staff_map = flags_by_group.get('is_staff', [])
 access_token = response.get('access_token')
 headers = {
@@ -455,11 +458,11 @@ def azuread_map_groups(response, user, backend, *args, **kwargs):
 if value.get('@odata.type', None) == '#microsoft.graph.group':
 group_id = value.get('id', None)
- if group_id in flags_by_group['is_superuser']:
+ if group_id in superuser_map:
 logger.info(f"Azure AD group mapping - setting superuser status for: {user}.")
 is_superuser = True
- if group_id in flags_by_group['is_staff']:
+ if group_id in staff_map:
 logger.info(f"Azure AD group mapping - setting staff status for: {user}.")
 is_staff = True
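Review bot: The first `raise ImproperlyConfigured` in this hunk fires only when both AZUREAD_USER_FLAGS_BY_GROUP and AZUREAD_GROUP_MAP are absent, but its new message says one "or" the other is not defined; `"Azure AD group mapping has been configured, but neither AZUREAD_USER_FLAGS_BY_GROUP nor AZUREAD_GROUP_MAP is defined."` would match the condition as written. The new `superuser_map = flags_by_group.get('is_superuser', [])` and `staff_map = flags_by_group.get('is_staff', [])` lines also accept whatever type the operator put in settings, so a configuration that mistakenly sets a bare string instead of a list passes both checks, and the `group_id in superuser_map` / `group_id in staff_map` tests in the second hunk (@@ -455) then become substring comparisons rather than exact group-id membership. Because these values gate superuser and staff status, I would fail closed right after those two assignments: `if not isinstance(superuser_map, (list, tuple, set)) or not isinstance(staff_map, (list, tuple, set)):` `    raise ImproperlyConfigured("AZUREAD_USER_FLAGS_BY_GROUP values must be lists of Azure AD group IDs.")`. azuread_map_groups begins before this hunk and continues past it, so I cannot see whether the flags are ever cleared for users who lose group membership.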