Azure AD Conditional Access Not Applying

We are using Azure AD to configure SSO in JupyterHub, which is deployed in AKS. SSO is working fine and we are able to log in with our Azure AD account.

But the Conditional Access policy applied to the JupyterHub AAD app registration is not getting applied. We are using a Conditional Access policy to apply MFA for a few Azure AD users.

JupyterHub chart version: jupyterhub-0.10.6
Azure Kubernetes version: 1.19.7
Hub version: jupyterhub/k8s-hub: 0.10.6-n211.h2e3a73af

SSO Configuration

auth:
  admin:
    users:
      - 'user1'
      
  type: custom
  custom:
    className: "oauthenticator.azuread.AzureAdOAuthenticator"
    config:
      client_id: ""
      client_secret: ""
      oauth_callback_url: "https://xxxxxxxx.com/dslab/hub/oauth_callback"
      tenant_id: ""

We’re seeing the same behaviour when we have our policy set to include the JupyterHub app. Our “All Apps” policy does seem to get applied correctly…mostly. That one has an issue with Hybrid AD Joined devices.

We’ve been going back and forth with Microsoft about this for a few weeks now.

Hi @ikogan

We have managed to fix the issue after applying scope in the authentication config as shown below, and we have also upgraded the helm to version 1.2.0.

AzureAdOAuthenticator:
  client_id: ""
  client_secret: ""
  oauth_callback_url: ''
  tenant_id: ""
  scope:
    - openid
    - email
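
To confirm that a hub deployment is sending the scopes from the config above, the redirect it issues to Azure AD at login can be inspected. The following is an added example, not part of the original thread or of JupyterHub/OAuthenticator: the function name, the sample URLs, and the `hub.example.com` host are constructed for illustration, and the public-cloud sign-in host `login.microsoftonline.com` is assumed.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes the follow-up post added to the AzureAdOAuthenticator config.
REQUIRED_SCOPES = {"openid", "email"}
# Azure AD public-cloud sign-in host (assumption: not a sovereign cloud).
EXPECTED_HOST = "login.microsoftonline.com"


def audit_authorize_redirect(location, callback_url):
    """Return a list of findings for the hub's redirect to Azure AD.

    An empty list means the request carries the configured scopes and
    the configured callback URL.
    """
    parts = urlsplit(location)
    query = parse_qs(parts.query)
    findings = []

    if parts.scheme != "https" or parts.hostname != EXPECTED_HOST:
        findings.append(f"unexpected authorize endpoint: {parts.scheme}://{parts.hostname}")

    # OAuth 2.0 sends scope as one space-delimited value; parse_qs has
    # already decoded '+' and '%20' to spaces.
    sent = set(" ".join(query.get("scope", [])).split())
    missing = REQUIRED_SCOPES - sent
    if missing:
        findings.append("missing scope(s): " + ", ".join(sorted(missing)))

    if query.get("redirect_uri", [None])[0] != callback_url:
        findings.append("redirect_uri does not match oauth_callback_url")

    if not query.get("state"):
        findings.append("no state parameter on the request")

    return findings


# Constructed sample values: one request without a scope parameter, one with it.
CALLBACK = "https://hub.example.com/dslab/hub/oauth_callback"
NO_SCOPE = ("https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
            "?response_type=code&client_id=CLIENT_ID&state=abc123"
            "&redirect_uri=https%3A%2F%2Fhub.example.com%2Fdslab%2Fhub%2Foauth_callback")
WITH_SCOPE = NO_SCOPE + "&scope=openid+email"

if __name__ == "__main__":
    for label, url in (("no scope", NO_SCOPE), ("with scope", WITH_SCOPE)):
        print(label, audit_authorize_redirect(url, CALLBACK) or "ok")
```

Pass it the `Location` header value captured from the hub's login redirect (for example from the browser's network tab) together with the configured `oauth_callback_url`.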