Incompatibility with Entra ID national cloud for group sync

[rqi14]

Describe the bug
The Entra ID (Azure AD) source type has hardcoded Microsoft Graph API endpoints (e.g., https://graph.microsoft.com/v1.0/me). This makes it incompatible with sovereign clouds like Microsoft Cloud for China (operated by 21Vianet), which uses different endpoints (e.g., https://microsoftgraph.chinacloudapi.cn). When configured to use a 21Vianet tenant, the source fails to fetch group memberships, leading to a KeyError during the login flow because the expected raw_groups data is missing.

The cause of the issue is that the graph api endpoint as well as the domain before the scope values is hard coded (https://github.com/goauthentik/authentik/blob/c886e4ff6b644bca7167b40fe2c2062a5438fc59/authentik/sources/oauth/types/entra_id.py#L35C14-L35C58), instead of dynamically retrieved from user profile url. For example, mine is https://microsoftgraph.chinacloudapi.cn/oidc/userinfo and the graph end point is https://microsoftgraph.chinacloudapi.cn/v1.0. The corresponding memberOf api endpoint is https://microsoftgraph.chinacloudapi.cn/v1.0/me/memberOf

As said above, the domain before scopes is also harded coded such as https://graph.microsoft.com/GroupMember.Read.All which means the code won't work given the domain is different for national cloud.

To Reproduce
Steps to reproduce the behavior:

1. Create a new OAuth Source in authentik and select "Entra ID".
2. Configure the source to use a tenant hosted in Microsoft Cloud for China (21Vianet).
3. Set the OIDC discovery endpoint to the 21Vianet equivalent, for example: https://login.partner.microsoftonline.cn/{tenant-id}/v2.0/.well-known/openid-configuration.
4. Ensure the "Profile URL" is correctly set to https://microsoftgraph.chinacloudapi.cn/v1.0/me
5. Attempt to log in using this source
6. Graph API request is unsuccessful. raw_groups is empty

Expected behavior
It should be able to retrieve group infomration from /me/memberOf endpoint

Screenshots
If applicable, add screenshots to help explain your problem.

Logs
Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

• authentik version: 2025.6.4
• Deployment: docker compose

Additional context

[rqi14]

I did some debugging and the below code works for me, which replaces entra_id.py (in the current release it is still called azure_ad.py)

"""EntraID OAuth2 Views"""

from typing import Any
from urllib.parse import urlparse, urlunparse
from requests import RequestException
from structlog.stdlib import get_logger

from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
from authentik.sources.oauth.models import AuthorizationCodeAuthMethod
from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
from authentik.sources.oauth.types.registry import SourceType, registry
from authentik.sources.oauth.views.redirect import OAuthRedirect

LOGGER = get_logger()

def get_graph_base_url(profile_url: str) -> str:
    """Dynamically get the graph base URL from the full profile URL."""
    parsed_url = urlparse(profile_url)
    return urlunparse((parsed_url.scheme, parsed_url.netloc, "", "", "", ""))


def get_graph_scope(profile_url: str, permission: str) -> str:
    """Dynamically build a full graph scope from the profile URL."""
    base_url = get_graph_base_url(profile_url)
    return f"{base_url}/{permission}"

class EntraIDOAuthRedirect(OAuthRedirect):
    """Entra ID OAuth2 Redirect"""

    def get_additional_parameters(self, source):  # pragma: no cover
        return {
            "scope": ["openid", get_graph_scope(source.profile_url, "User.Read")],
        }


class EntraIDClient(UserprofileHeaderAuthClient):
    """Fetch EntraID group information"""

    def get_profile_info(self, token):
        profile_data = super().get_profile_info(token)
        
        # Debug logging for scope checking
        group_read_scope = get_graph_scope(self.source.profile_url, "GroupMember.Read.All")
        LOGGER.info(
            "Group scope check",
            expected_scope=group_read_scope,
            configured_scopes=self.source.additional_scopes,
            source_name=self.source.name
        )

        # Check if group reading scope is configured
        if group_read_scope not in self.source.additional_scopes:
            # Try alternative scope names that might be configured
            alternative_scopes = [
                "GroupMember.Read.All",
                "Group.Read.All", 
                f"{get_graph_base_url(self.source.profile_url)}/Group.Read.All"
            ]
            
            scope_found = False
            for alt_scope in alternative_scopes:
                if alt_scope in self.source.additional_scopes:
                    LOGGER.info("Found alternative group scope", scope=alt_scope)
                    scope_found = True
                    break
            
            if not scope_found:
                LOGGER.warning(
                    "No group reading scope found, skipping group fetch",
                    expected_scope=group_read_scope,
                    alternative_scopes=alternative_scopes,
                    configured_scopes=self.source.additional_scopes
                )
                return profile_data

        # Build the memberOf URL
        # Extract the base Graph API URL and construct the proper v1.0 endpoint
        graph_base_url = get_graph_base_url(self.source.profile_url)
        member_of_url = f"{graph_base_url}/v1.0/me/memberOf"
        
        LOGGER.info("Fetching user groups", url=member_of_url)
        
        group_response = self.session.request(
            "get",
            member_of_url,
            headers={"Authorization": f"{token['token_type']} {token['access_token']}"},
        )
        
        LOGGER.info(
            "Group API response", 
            status_code=group_response.status_code,
            response_size=len(group_response.text) if group_response.text else 0
        )
        
        try:
            group_response.raise_for_status()
        except RequestException as exc:
            LOGGER.warning(
                "Unable to fetch user groups",
                exc=exc,
                status_code=group_response.status_code,
                response=group_response.text[:500] if group_response.text else str(exc),
            )
            return profile_data  # Return profile without groups instead of None
        
        groups_data = group_response.json()
        LOGGER.info(
            "Groups data received",
            group_count=len(groups_data.get("value", [])),
            raw_response=groups_data
        )
        
        profile_data["raw_groups"] = groups_data
        return profile_data


class EntraIDOAuthCallback(OpenIDConnectOAuth2Callback):
    """EntraID OAuth2 Callback"""

    client_class = EntraIDClient

    def get_user_id(self, info: dict[str, str]) -> str:
        # Default try to get `id` for the Graph API endpoint
        # fallback to OpenID logic in case the profile URL was changed
        return info.get("id", super().get_user_id(info))


@registry.register()
class EntraIDType(SourceType):
    """Entra ID Type definition"""

    callback_view = EntraIDOAuthCallback
    redirect_view = EntraIDOAuthRedirect
    verbose_name = "Entra ID"
    name = "azuread"

    urls_customizable = True

    authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
    profile_url = "https://graph.microsoft.com/v1.0/me"
    oidc_jwks_url = "https://login.microsoftonline.com/common/discovery/keys"

    authorization_code_auth_method = AuthorizationCodeAuthMethod.POST_BODY

    def get_base_user_properties(self, info: dict[str, Any], **kwargs) -> dict[str, Any]:
        # Debug logging for user info processing
        LOGGER.info(
            "Processing user info in get_base_user_properties",
            user_principal_name=info.get("userPrincipalName"),
            has_raw_groups="raw_groups" in info,
            raw_groups_type=type(info.get("raw_groups", None)).__name__,
            raw_groups_keys=list(info.get("raw_groups", {}).keys()) if isinstance(info.get("raw_groups"), dict) else None
        )
        
        mail = info.get("mail", None) or info.get("email", None) or info.get("userPrincipalName", None) or info.get("otherMails", [None])[0]
        
        # Format group info
        groups = []
        group_id_dict = {}
        raw_groups = info.get("raw_groups", {})
        
        if raw_groups:
            LOGGER.info("Processing raw_groups", raw_groups_structure=raw_groups)
            
            # Handle the groups data structure
            groups_list = raw_groups.get("value", []) if isinstance(raw_groups, dict) else []
            
            LOGGER.info("Found groups in raw_groups", group_count=len(groups_list))
            
            for group in groups_list:
                LOGGER.debug("Processing group", group_data=group)
                
                # Check if it's a group (some objects might be other types like roles)
                odata_type = group.get("@odata.type", "")
                if odata_type != "#microsoft.graph.group":
                    LOGGER.debug("Skipping non-group object", odata_type=odata_type)
                    continue
                    
                group_id = group.get("id")
                if group_id:
                    groups.append(group_id)
                    group_id_dict[group_id] = group
                    LOGGER.debug("Added group", group_id=group_id, group_name=group.get("displayName"))
        else:
            LOGGER.warning("No raw_groups found in user info")
            
        # Update the info with processed groups
        info["raw_groups"] = group_id_dict
        
        result = {
            "username": info.get("userPrincipalName"),
            "email": mail,
            "name": info.get("displayName"),
            "groups": groups,
        }
        
        LOGGER.info("Final user properties", result=result, total_groups=len(groups))
        return result

    def get_base_group_properties(self, source, group_id, **kwargs):
        raw_group = kwargs["info"]["raw_groups"][group_id]
        return {
            "name": raw_group["displayName"],
        }