
ClearPass + Entra ID authorization not fetching group info

  • 1.  ClearPass + Entra ID authorization not fetching group info

    Posted 8 days ago

    Hi everyone,

    I'm working on a ClearPass implementation and configuring wireless authentication using Microsoft Entra ID for authorization, specifically to retrieve user group information.

    The Entra ID integration is set up successfully, and authentication requests are going through. However, ClearPass is unable to fetch group details, which is preventing group-based authorization from working.

    Behavior observed:

    • The client authenticates successfully using EndpointDB

    • After authentication, ClearPass attempts to retrieve user group information from Entra ID

    • Group information is not returned, and the following error is logged:

    [HttpModule-ThreadPool-125-0x7f149fdfe700 r=R00000551-01-6960cc6d h=539]
    ERROR Http.HttpAutzSession - Failed to get value for attributes=
    AccountEnabled, Email, Groups, UserPrincipalName
    

    What I've already checked:

    • Entra ID application permissions are configured

    • Granted permissions include:

      • Group.Read.All

      • GroupMember.Read.All

      • Directory.Read.All

    • Admin consent has been provided in the Intune/Entra console

    Despite this, ClearPass is still unable to retrieve group attributes.

    Has anyone encountered a similar issue, or is there something I might be missing (additional permissions, ClearPass configuration, API scope requirements, etc.)?

    Thanks in advance for your help.



    -------------------------------------------


  • 2.  RE: ClearPass + Entra ID authorization not fetching group info
    Best Answer

    Posted 7 days ago

    Yes, I faced a similar issue and I also posted the resolution. It will work for you. I did a fresh install again, followed the same steps, and got the attributes. I am sure you will too.

    https://airheads.hpe.com/discussion/cannot-get-authorization-attributes-from-entra-id-cppm-6120

    -------------------------------------------