CONFSERVER-99079

Microsoft Entra ID Group Filtering only filters the last group in the list.

      Issue Summary

      The new Microsoft Entra ID User Directory option has a setting called Group Filtering, which should restrict synchronization to users who belong to the groups listed in the setting. However, it appears to pull users only from the last group entered in the filter.

      Steps to Reproduce

      1. Create a Microsoft Entra ID User Directory on Confluence 9.1.1 or 9.1.2.
      2. Under Group Filtering, add a group that has at least one user.
      3. Save and Synchronize the directory.
      4. Edit the directory and add a second group that has users.
      5. Save and Synchronize the directory. The first group and users belonging to it will be removed, and users belonging to both groups will have only the second group checked.
      6. Check the database with the query:
        SELECT * FROM cwd_directory_attribute;
      7. Look for the row that has the directory_id equal to the Microsoft Entra ID Directory and the attribute_name equal to AZURE_AD_FILTERED_GROUPS.
      8. The groups added first will have \r (a carriage return) at the end of the name, and the security log file will show that those groups can't be used for filtering.

      Expected Results

      Groups should not have \r at the end of the group name.

      Actual Results

      Except for the last group added, all groups have \r at the end of the group name in the database. Confluence doesn't recognize the affected group names and doesn't apply the filtering properly. A log message similar to the following is shown in atlassian-confluence-security.log:

      2024-12-26 12:52:28,290 WARN [Caesium-1-3] [atlassian.crowd.directory.AzureAdDirectory] logNotExistingGroupNames Non existent Group(s) to filter out in Microsoft Entra ID: [EntraTestGroup2\r, EntraTestGroup3\r, EntraTestGroup4\r]

      Workaround

      • Shut down the Confluence instance, all nodes.
      • Make a full backup of your Confluence database.
      • Determine the directory id of the affected directory from the cwd_directory table:
         SELECT id FROM cwd_directory WHERE directory_name='<ENTRA-ID-DIRECTORY-NAME-AT-UI>';
      • On cwd_directory_attribute, find the row that has the groups added to group filtering:
        SELECT * FROM cwd_directory_attribute WHERE attribute_name = 'AZURE_AD_FILTERED_GROUPS' AND directory_id = <ID-FROM-STEP-1-QUERY>;
      • Check whether the groups added have \r at the end of each group name. If they do, update the row by running the following query:
        UPDATE cwd_directory_attribute SET attribute_value = '["<correct-group-name-1>","<correct-group-name-2>",...,"<correct-group-name-n>"]' WHERE directory_id = <ID-FROM-STEP-1-QUERY> AND attribute_name = 'AZURE_AD_FILTERED_GROUPS';
      • This fix needs to be reapplied after any change made through the UI to the affected Entra ID directory.
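
      A helper for the check-and-update steps of the workaround, added here as an example and not Atlassian's code: it decodes the attribute_value, lists the group names that carry a trailing carriage return, and builds the corrected value and UPDATE statement for review. The JSON-array layout is assumed from the UPDATE template above; the sample value, the name EntraTestGroup5 and the directory id are constructed.

```python
import json

ATTRIBUTE_NAME = "AZURE_AD_FILTERED_GROUPS"  # attribute name given in the issue


def parse_groups(attribute_value):
    """Decode the stored JSON array; strict=False also accepts a raw CR in a string."""
    groups = json.loads(attribute_value, strict=False)
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("expected a JSON array of group names")
    return groups


def affected_groups(attribute_value):
    """Return the stored group names that end in a carriage return or line feed."""
    return [g for g in parse_groups(attribute_value) if g != g.rstrip("\r\n")]


def corrected_value(attribute_value):
    """Return the JSON array with trailing CR/LF stripped and duplicates dropped."""
    cleaned = []
    for name in parse_groups(attribute_value):
        name = name.rstrip("\r\n")
        if name and name not in cleaned:
            cleaned.append(name)
    return json.dumps(cleaned, separators=(",", ":"), ensure_ascii=False)


def update_statement(attribute_value, directory_id):
    """Build the workaround UPDATE as text for manual review before running it."""
    value = corrected_value(attribute_value).replace("'", "''")  # escape SQL quotes
    return (
        "UPDATE cwd_directory_attribute "
        f"SET attribute_value = '{value}' "
        f"WHERE directory_id = {int(directory_id)} "  # int() rejects non-numeric ids
        f"AND attribute_name = '{ATTRIBUTE_NAME}';"
    )


# Constructed sample: the three names from the log line above plus an assumed
# last group (EntraTestGroup5) that was stored without the trailing \r.
SAMPLE = '["EntraTestGroup2\\r","EntraTestGroup3\\r","EntraTestGroup4\\r","EntraTestGroup5"]'

if __name__ == "__main__":
    print("affected:", affected_groups(SAMPLE))
    print(update_statement(SAMPLE, 123456))  # 123456 is a placeholder directory id
```

      Paste the attribute_value returned by the SELECT above in place of SAMPLE; an empty "affected" list means the row does not need the update.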


              5339cdd01cf4 Jeffery Xie
              8ccca53078e5 Marcelo da Costa