Getting Unauthorized access error 401 using openid with idp as azure

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

opensearch: 2.7.0

Describe the issue:
I have configured and applied all the config files below but am still getting unauthorized access, even though I have mapped the user to the backend role available in OpenSearch.

Configuration:
opensearch_dashboard.yml

server:
  name: dashboards
  host: 0.0.0.0

  # Dashboards TLS Config (Ensure the cert files are present before enabling SSL)
  ssl:
    enabled: false
    # key: /usr/share/opensearch-dashboards/certs/dashboards-key.pem
    # certificate: /usr/share/opensearch-dashboards/certs/dashboards-crt.pem

  # determines how dashboards will verify certificates (needs to be none for default opensearch certificates to work)
opensearch:
  ssl:
    verificationMode: certificate
    certificateAuthorities: /usr/share/opensearch-dashboards/config/root-ca.pem
  requestHeadersAllowlist:
    - Authorization
    - securitytenant
opensearch_security:
  multitenancy:
    enabled: true
    tenants:
      preferred:
        - Private
        - Global
  cookie:
    secure: false
  auth:
    multiple_auth_enabled: true
    type:
      - openid
      - basicauth
  openid:
    connect_url: "https://login.microsoftonline.com/<tenant ID>/v2.0/.well-known/openid-configuration"
    client_id: "<Client Id>"
    client_secret: "<client Secret>"
    base_redirect_url: "http://localhost:5601"
logging:
  verbose: true

opensearch.yml

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
        remoteIpHeader: "x-forwarded-for"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "internal"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              subject_key: "email"
              roles_key: "roles"
            openid_connect_url: "https://login.microsoftonline.com/<tenantID>/v2.0/.well-known/openid-configuration"
        authentication_backend:
          type: "noop"

Relevant Logs or Screenshots:

APP Roles to map backend role admin

No relevant logs

Can someone help with this!!
Tagging you as you seem to be the most active ones: @pablo @wbeckler @Gsmitt

I have used https://opensearch.org/docs/latest/troubleshoot/openid-connect/ and found that the subject_key email was not present in the token, so I replaced it with preferred_username!!

Logs that I got for the above issue

1 Like
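The check the post above describes, as an added example that is not part of this thread or of the OpenSearch project: decode the payload of the ID token the IdP returned and compare the claim names against the subject_key and roles_key configured in the openid_auth_domain. The token here is constructed inline to mirror what the poster found (preferred_username present, email absent, roles carrying the app role); the values in it are made up. The script only reads claims for debugging and does not verify the signature, so it is not a substitute for the plugin's own validation.

```python
import base64
import json

# Constructed ID-token payload, shaped like an Azure AD v2.0 token as described in the
# thread: it has "preferred_username" and "roles" but no "email" claim. Values are made up.
CONSTRUCTED_PAYLOAD = {
    "iss": "https://login.microsoftonline.com/<tenant ID>/v2.0",
    "aud": "<Client Id>",
    "preferred_username": "alice@example.com",
    "name": "Alice Example",
    "roles": ["admin"],
}


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialisation."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_constructed_token(payload: dict) -> str:
    """Assemble a three-part token for the demonstration only; the signature part is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.dummy-signature"


def decode_claims(token: str) -> dict:
    """Read the claims out of a compact JWS.

    The signature is NOT verified here: this is a debugging aid for comparing
    claim names against the plugin config, not an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claim_mapping(claims: dict, subject_key: str, roles_key: str) -> list:
    """Return one finding per configured key that the token does not satisfy.

    An empty list means both subject_key and roles_key resolve to usable claims.
    """
    findings = []
    if subject_key not in claims:
        findings.append(
            f"subject_key '{subject_key}' is not in the token; "
            f"claims present: {sorted(claims)}"
        )
    if roles_key not in claims:
        findings.append(
            f"roles_key '{roles_key}' is not in the token (no backend roles will be mapped)"
        )
    elif not isinstance(claims[roles_key], (list, str)):
        findings.append(
            f"roles_key '{roles_key}' should be a string or a list of strings, "
            f"got {type(claims[roles_key]).__name__}"
        )
    return findings


if __name__ == "__main__":
    token = build_constructed_token(CONSTRUCTED_PAYLOAD)
    claims = decode_claims(token)
    # The original config from the thread: subject_key "email" is reported missing.
    for line in check_claim_mapping(claims, "email", "roles"):
        print("finding:", line)
    # The corrected config: subject_key "preferred_username" yields no findings.
    print("corrected config findings:", check_claim_mapping(claims, "preferred_username", "roles"))
```

In practice, paste the real id_token from the plugin's debug log (or from the browser's network trace) into decode_claims instead of the constructed one, and keep subject_key and roles_key in sync with whatever check_claim_mapping reports as present.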

Hey @mouryasatyam

What type of installation is this?

@Gsmitt I used Helm to install OpenSearch and OpenSearch Dashboards into a k8s cluster, then changed the config for OpenSearch and applied it using the securityadmin script…
But the issue is resolved for me, thank you!!

2 Likes

@mouryasatyam Did you assign the App role to the Azure user in the Enterprise Applications in Azure?

image

2 Likes

Yeah, I had assigned the role. The problem was related to the field exposed by the token: I was expecting something but it was not there. Increasing the log level helped in finding this out.