is it possible to add a second domain for Active Director in external authentication y? The search base is in the format dc=XYZ dc=local but we cannot add a second domain in here.

As far as I know, users normally reside under a single tree . Can you please help me understand why multiple search bases are necessary here?

Alternative: Is it possible to have an Azure AD implementation for external authentication?

Currently AD implementation should be able to be configured to work with Azure AD. Or does Azure AD have some special things?

Multiple search bases are needed in our case, because we have at the moment two trusted domains, which can not be merged into one domain. Users from both domains should access OneDev.

We will try with Azure AD and come back with the results to you! Thank you for your support!

Hi, i am working with Daniel on this topic.

The integration using EntraID (formerly Azure AD) was partially successful. Without the "Groups Claim" option, the login works. If "groups" is entered in "Groups Claim", the following error message appears:

code: invalid_client, description: AADSTS650053: The application '' asked for scope 'groups' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: Correlation ID: Timestamp: , http status code: 302

The EntraID settings were taken from another service, where the login and group assignment via "groups" works . Is there a way to see the connection and authentication requests in the server log?

Best regards

@robin Have you an update on the above error with EntraID or a hint how to proceed further?

Thank you so much!

@danolv I am investing this issues and will release a patch version for the fix.

Please upgrade to build #4687 and define sso provider of type Microsoft Entra ID. It has an option to retrieve groups.

LDAP authenticator of this release also improved to accept multiple user search bases.