11508 remove is_active, add documentation use azuread

docs/administration/authentication/microsoft-azure-ad.md

@@ -61,6 +61,43 @@ Restart the NetBox services so that the new configuration takes effect. This is
 sudo systemctl restart netbox
 ```
 
+## Group Assignment
+
+If you want NetBox to assign groups based on Azure AD groups, then some additonal configuration is needed. Enter the following configuration parameters in `configuration.py`, substituting your own values:
+
+```python
+SOCIAL_AUTH_AZUREAD_OAUTH2_RESOURCE = 'https://graph.microsoft.com/'
+SOCIAL_AUTH_PIPELINE = (
+    'social_core.pipeline.social_auth.social_details',
+    'social_core.pipeline.social_auth.social_uid',
+    'social_core.pipeline.social_auth.social_user',
+    'social_core.pipeline.user.get_username',
+    'social_core.pipeline.social_auth.associate_by_email',
+    'social_core.pipeline.user.create_user',
+    'social_core.pipeline.social_auth.associate_user',
+    'netbox.authentication.user_default_groups_handler',
+    'social_core.pipeline.social_auth.load_extra_data',
+    'social_core.pipeline.user.user_details',
+    'netbox.authentication.azuread_map_groups',
+)
+SOCIAL_AUTH_AZUREAD_MAP_GROUP_PERMS = True
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP = {
+    "is_staff": ['{AZURE_GROUP_ID}',],
+    "is_superuser": ['{AZURE_GROUP_ID}',]
+}
+
+SOCIAL_AUTH_AZUREAD_GROUP_MAP = {
+    '{AZURE_GROUP_ID}': '{NETBOX_GROUP}',
+}
+```
+**SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP.is_staff**: users who are in any of the Azure AD group-ids in the array will have staff permission assigned to them.
+
+**SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP.is_superuser**: users who are in any of the Azure AD group-ids in the array will have superuser permission assigned to them.
+
+**SOCIAL_AUTH_AZUREAD_GROUP_MAP**: Any user with the given Azure AD group-id is included in the given NetBox group name.
+
 ## Testing
 
 Log out of NetBox if already authenticated, and click the "Log In" button at top right. You should see the normal login form as well as an option to authenticate using Azure AD. Click that link.

netbox/netbox/authentication.py

@@ -393,7 +393,7 @@ class AuthFailed(Exception):
     pass
 
 
-def azure_map_groups(response, user, backend, *args, **kwargs):
+def azuread_map_groups(response, user, backend, *args, **kwargs):
     '''
     Map Azure AD group ID to Netbox group
     Also set is_superuser or is_staff based on config map
@@ -413,8 +413,6 @@ def azure_map_groups(response, user, backend, *args, **kwargs):
             "Azure group mapping has been configured, but SOCIAL_AUTH_AZUREAD_GROUP_MAP is not defined."
         )
 
-    all_users_active = getattr(settings, "SOCIAL_AUTH_AZUREAD_USER_DEFAULT_ACTIVE", False)
-
     url = 'https://graph.microsoft.com/v1.0/me'
 
     access_token = response.get('access_token')
@@ -443,10 +441,6 @@ def azure_map_groups(response, user, backend, *args, **kwargs):
         # AD response contains both directories and groups - we only want groups
         if value.get('@odata.type') == '#microsoft.graph.group':
             group_id = value.get('id', None)
-            if all_users_active:
-                is_active = True
-            else:
-                is_active = group_id in flags_by_group['is_active']
 
             if group_id in flags_by_group['is_superuser']:
                 is_superuser = True
@@ -463,5 +457,4 @@ def azure_map_groups(response, user, backend, *args, **kwargs):
 
     user.is_superuser = is_superuser
     user.is_staff = is_staff
-    user.is_active = is_active
     user.save()