I’ve successfully integrated GitLab with Azure OAuth2; however, conditional access policies on the Azure portal are not applying, and the consequence is that I’m not being prompted for MFA.
I’ve been in touch with Microsoft support and, after escalating the call to their dev department, they asked me to contact GitLab for help.
Apparently the GitLab application is not sending an interactive sign-in request, something needed for the conditional access policies to apply.
Looking around I found that similar problems have been raised (https://gitlab.com/gitlab-org/gitlab/-/issues/214390), but it is not clear if a resolution is available.
This is a self-managed server and the current version is gitlab-ee-12.4.2-ee.0.el6.x86_64. I also tried updating to the latest version available on a test environment, but the problem still exists.
We had the exact same issue and the link you’ve mentioned helped me a lot to understand what was happening.
Looking further, I found that the documentation has been updated and that in order to have a fully integrated Azure AD connection (with conditional access), you need to use the new provider azure_activedirectory_v2.
This involves changes to the redirect URI and API permissions of your Azure Cloud App, and you need to change the provider name in the gitlab.rb. All these steps are explained in the documentation: Microsoft Azure OAuth2 OmniAuth Provider | GitLab
This will create a new social sign-in called Azure AD v2:
Users have to link their account to this new provider (in their account settings → Social sign-in), so you can’t just replace the old provider with the new one. Otherwise, users won’t be able to use Azure AD login.
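As an added illustration of the migration described above (this is not the poster’s configuration or GitLab’s own code), the Ruby below models the two provider entries in the shape gitlab.rb uses, adds the azure_activedirectory_v2 entry alongside the legacy azure_oauth2 one rather than replacing it, and lists which callback redirect URIs still need to be registered on the Azure app. The client/tenant values are constructed placeholders, and the /users/auth/<provider>/callback path is assumed to be GitLab’s OmniAuth callback convention.

```ruby
require 'uri'

# Constructed placeholders; substitute the values from your Azure app registration.
CLIENT_ID     = "<AZURE_APP_CLIENT_ID>"
CLIENT_SECRET = "<AZURE_APP_CLIENT_SECRET>"
TENANT_ID     = "<AZURE_TENANT_ID>"

# Legacy provider entry, in the shape used by gitlab_rails['omniauth_providers'] (assumed).
OLD_PROVIDER = {
  "name"  => "azure_oauth2",
  "label" => "Azure AD",
  "args"  => { "client_id" => CLIENT_ID, "client_secret" => CLIENT_SECRET, "tenant_id" => TENANT_ID }
}

# New v2 provider entry; this is the one the Azure Conditional Access policies apply to.
NEW_PROVIDER = {
  "name"  => "azure_activedirectory_v2",
  "label" => "Azure AD v2",
  "args"  => { "client_id" => CLIENT_ID, "client_secret" => CLIENT_SECRET, "tenant_id" => TENANT_ID }
}

# Redirect URI that has to be registered on the Azure app for a given provider name
# (assumed GitLab OmniAuth callback path: /users/auth/<provider>/callback).
def callback_uri(gitlab_base_url, provider_name)
  URI.join(gitlab_base_url, "/users/auth/#{provider_name}/callback").to_s
end

# Add the v2 provider next to the old one instead of replacing it, so accounts that are
# still linked only to azure_oauth2 keep working until their owners link Azure AD v2.
def add_v2_provider(providers)
  return providers if providers.any? { |p| p["name"] == NEW_PROVIDER["name"] }
  providers + [NEW_PROVIDER]
end

# Return the callback URIs of Azure providers that are not yet registered on the app;
# a missing one means sign-in through that provider will fail with a redirect URI mismatch.
def missing_redirect_uris(providers, gitlab_base_url, registered_uris)
  providers.select { |p| p["name"].start_with?("azure") }
           .map { |p| callback_uri(gitlab_base_url, p["name"]) }
           .reject { |uri| registered_uris.include?(uri) }
end

if __FILE__ == $0
  providers = add_v2_provider([OLD_PROVIDER])
  registered = ["https://gitlab.example.com/users/auth/azure_oauth2/callback"]
  puts "Still to register on the Azure app: " +
       missing_redirect_uris(providers, "https://gitlab.example.com", registered).inspect
end
```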