External users with Azure AD

Hello…

We are moving from SAML to Azure AD for authentication. With SAML, we use the “external_groups” attribute to make certain users “external” so they have limited capability in GitLab.

Can we do this with Azure AD? We have the Azure app set up to send the required attribute over, but using “groups_attribute” and “external_groups” in gitlab.rb does not seem to work – everyone can log in as a standard user.

We’re using azure_activedirectory_v2 as our IdP here. Would switching to openid-connect give us this capability? Do we have to go back to SAML?

Thanks for any guidance!
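Added example, not part of the post above and not GitLab's own code: gitlab.rb is Ruby, so the snippet below shows the provider entry in the layout GitLab's documentation uses for the openid_connect provider, where groups_attribute and external_groups sit inside client_options -> gitlab rather than at the top level of the provider. Whether the azure_activedirectory_v2 provider honours those keys is not something the post establishes, so the example sticks to openid_connect. It also includes a small function that approximates GitLab's matching rule (an assumption about the exact implementation) and two constructed token payloads, to show one check worth doing: by default Microsoft Entra ID fills the groups claim with group object IDs (GUIDs), not display names, so an external_groups list of names never matches and every user lands as a standard user. All tenant, client, host and group values are placeholders.

```ruby
# Added example (not from the post or from GitLab's code). gitlab.rb is Ruby,
# so the provider entry below has the shape GitLab documents for the
# openid_connect provider, where the group keys belong inside
# client_options -> gitlab. Every concrete value (tenant, client ID, secret,
# host name, group IDs) is a placeholder, not a real identifier.
OIDC_PROVIDER = {
  name: "openid_connect",
  label: "Entra ID (OIDC)",
  args: {
    name: "openid_connect",
    scope: ["openid", "profile", "email"],
    response_type: "code",
    issuer: "https://login.microsoftonline.com/TENANT-ID/v2.0",
    discovery: true,
    client_auth_method: "query",
    uid_field: "preferred_username",
    pkce: true,
    client_options: {
      identifier: "APPLICATION-CLIENT-ID",
      secret: "CLIENT-SECRET",
      redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback",
      gitlab: {
        groups_attribute: "groups",
        # Entra ID emits group *object IDs* in the groups claim by default,
        # so list the GUIDs of the groups whose members should be external.
        external_groups: ["11111111-1111-1111-1111-111111111111"]
      }
    }
  }
}

# In gitlab.rb this entry goes into the providers array:
#   gitlab_rails['omniauth_providers'] = [OIDC_PROVIDER]

# Approximation of GitLab's external-group rule (assumption about the exact
# implementation): a user is marked external when at least one value of the
# configured groups attribute matches an entry in external_groups.
# claims is the decoded ID token / userinfo payload as a Hash.
def external_user?(claims, provider = OIDC_PROVIDER)
  gl = provider.dig(:args, :client_options, :gitlab) || {}
  groups = Array(claims[gl[:groups_attribute]])
  (groups & Array(gl[:external_groups])).any?
end

# Constructed claim payloads for illustration. The first is what a default
# Entra ID app registration sends: object IDs. The second is what you get
# only after changing the app's token configuration to emit group names.
CLAIMS_WITH_OBJECT_IDS = {
  "preferred_username" => "contractor@example.com",
  "groups" => ["11111111-1111-1111-1111-111111111111"]
}
CLAIMS_WITH_NAMES = {
  "preferred_username" => "contractor@example.com",
  "groups" => ["gitlab-external"]
}

# A config that lists display names while the token carries object IDs never
# matches, which produces exactly "everyone logs in as a standard user".
NAME_BASED_PROVIDER = {
  args: { client_options: { gitlab: {
    groups_attribute: "groups", external_groups: ["gitlab-external"]
  } } }
}

if __FILE__ == $0
  puts external_user?(CLAIMS_WITH_OBJECT_IDS)                      # true
  puts external_user?(CLAIMS_WITH_OBJECT_IDS, NAME_BASED_PROVIDER) # false
end
```

To confirm which form your tenant sends, decode the ID token GitLab receives (or the token from a test sign-in) and look at the groups claim: if it holds GUIDs, external_groups must list those GUIDs, or the app's token configuration must be changed to emit group names. Either way, a token with no groups claim at all (for example when the user exceeds the claim's group-count limit) also never matches.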