Unable to SSO Login Using Azure AD Service Account in SonarCloud

Hi Team,

  • ALM used: Azure DevOps

  • CI system used: Azure DevOps

  • Issue Description: We have created a dedicated Azure AD service account (not a service principal, but a standard Azure AD user account) to log into SonarCloud. We are using SSO authentication with Azure AD for login, and authorization is handled through Azure AD security groups.

    This service account is:

    • Added to the Admin Azure AD group

    • Part of the Azure DevOps Organization with admin permissions

    • The Azure DevOps organization is already bound to SonarCloud

    However, when we try to log into SonarCloud using SSO with this service account, we receive the following error:

    “Sorry, but we couldn’t verify your authorization to access this page.”

    Interestingly, if we log into Azure DevOps directly using this same account, the login works without any issue.
    What settings or permissions are required to enable SSO authentication for a normal Azure AD service account in SonarCloud?

    Any guidance would be appreciated.

    Thanks!

Hi,

An account authorization is sent out. Does your service account have an email address? Can you check it?

 
Ann

Hi Ann,

The service account has an email address but no mailbox and no Office 365 license.

Hi,

Thanks for the detail. I’ve flagged this for the folks with back-end access.

 
Ann

Thanks Ann.

By when can I expect the response from them?

Hi,

I’m sorry, I don’t have an answer for you.

 
Ann

Hi Ann,

How can I contact the folks from the back-end access team? Can I follow up with them further?

Hello @akumbhar
Your issue was acknowledged and I will let you know whenever I have additional information.

Thanks Alexis

Hi Alexis

Any further update on this?

Hi Alexis,

It would be appreciated if you could provide any further updates on this.

Hi @akumbhar

To troubleshoot further I will need a HAR file of your entire login flow with the service account.

If you’re not familiar with recording HAR files : Capture browser trace information  |  Cloud Customer Care  |  Google Cloud Documentation

This step is especially important : “Step 4 : Select ‘Preserve log’”

Please don’t post it in this thread, instead send it to me privately.

Alexis

Hi @alexis.petit, I don’t yet have permission to send private messages. Please guide me further on how I could send you the HAR file.

Let’s continue in this private thread : https://community.sonarsource.com/t/re-unable-to-sso-login-using-azure-ad-service-account-in-sonarcloud/178854

In your HAR file, one of your requests contains the following error message :

Missing required email attribute. Verify attribute mapping or contact your admin

When looking at the account attributes, I can confirm that there’s no email attribute present.

Your next steps to fix this :

  • In Entra, add an email attribute to the service account

  • Make sure that email has a mailbox attached in order to receive the OTP
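
A local triage pass over a HAR capture like the one requested above, as an added example that is not part of the thread or of SonarSource's tooling: it lists failing responses such as the missing-email error, reports credential headers by name only, and drops URL query strings. The sample capture, its hosts, the JSON response shape and the keyword list are constructed assumptions.

```python
import base64
import json

# Constructed sample HAR (not from the thread); hosts and secrets are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://idp.example/authorize?state=abc",
                 "headers": [{"name": "Cookie", "value": "session=SECRET"}]},
     "response": {"status": 302, "headers": [], "content": {"text": ""}}},
    {"request": {"method": "POST", "url": "https://app.example/sso/callback?code=SECRET",
                 "headers": [{"name": "Authorization", "value": "Bearer SECRET"}]},
     "response": {"status": 400,
                  "headers": [{"name": "Set-Cookie", "value": "sid=SECRET"}],
                  "content": {"text": json.dumps({"message":
                      "Missing required email attribute. "
                      "Verify attribute mapping or contact your admin"})}}},
]}})

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
NEEDLES = ("error", "missing required", "unauthorized")  # assumed keywords


def body_text(content):
    """Return a response body as text; HAR flags binary bodies as base64."""
    text = content.get("text") or ""
    if content.get("encoding") == "base64":
        text = base64.b64decode(text).decode("utf-8", errors="replace")
    return text


def credential_headers(entry):
    """Names (never values) of credential-bearing headers in one entry."""
    names = {h["name"].lower() for part in ("request", "response")
             for h in entry[part].get("headers", [])}
    return sorted(names & SENSITIVE_HEADERS)


def find_failures(har_json):
    """List responses that failed (status >= 400) or mention an error."""
    findings = []
    for index, entry in enumerate(json.loads(har_json)["log"]["entries"]):
        response = entry["response"]
        body = body_text(response.get("content", {}))
        if response["status"] >= 400 or any(n in body.lower() for n in NEEDLES):
            findings.append({"index": index, "status": response["status"],
                             "url": entry["request"]["url"].split("?")[0],
                             "credential_headers": credential_headers(entry),
                             "body": body[:200]})
    return findings
```

The body snippet is copied as-is, so review it before pasting it anywhere public.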

Thanks @alexis.petit for the reply. Is it mandatory to have mailbox attached?