Identity Manager gets 403 when trying to query the API

We have deployed Pomerium in a K8s pod with Azure IdP integration. Users are able to log in and we did not find any issues there; however, in the pod logs I can see a Graph API error.

What did you expect to happen? No error message from the Azure end.

How’d it happen?

Running in a K8s pod, I can see:

{"level":"warn","service":"identity_manager","error":"no directory provider configured","time":"2025-02-24T10:55:23Z","message":"failed to refresh directory users and groups"}
{"level":"warn","service":"identity_manager","error":"no directory provider configured","time":"2025-02-24T10:55:23Z","message":"failed to refresh directory users and groups"}
{"level":"warn","service":"identity_manager","error":"no directory provider configured","time":"2025-02-24T10:55:25Z","message":"failed to refresh directory users and groups"}
{"level":"warn","service":"identity_manager","error":"no directory provider configured","time":"2025-02-24T10:55:25Z","message":"failed to refresh directory users and groups"}
{"level":"warn","service":"identity_manager","error":"no directory provider configured","time":"2025-02-24T10:55:28Z","message":"failed to refresh directory users and groups"}
{"level":"warn","service":"identity_manager","error":"no directory provider configured","time":"2025-02-24T10:55:31Z","message":"failed to refresh directory users and groups"}
{"level":"warn","service":"identity_manager","error":"azure: error making HTTP request: Get \"https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=xxxxxx\": context deadline exceeded","time":"2025-02-24T10:56:34Z","message":"failed to refresh directory users and groups. You may need to increase the identity provider directory timeout setting(https://www.pomerium.com/docs/reference/identity-provider-refresh-directory-settings)"}
{"level":"warn","service":"identity_manager","error":"azure: error making HTTP request: Get \"https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=xxxxx\": context deadline exceeded","time":"2025-02-24T10:57:34Z","message":"failed to refresh directory users and groups. You may need to increase the identity provider directory timeout setting(https://www.pomerium.com/docs/reference/identity-provider-refresh-directory-settings)"}

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): pomerium/ingress-controller:sha-c0deea9
  • Server Operating System/Architecture/Cloud: k8s

What’s your config.yaml?

kind: Pomerium
metadata:
  annotations:
    meta.helm.sh/release-name: pomerium-oauth-azure
    meta.helm.sh/release-namespace: oauth
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: pomerium-oauth-azure-azure
spec:
  authenticate:
    url: https://pomeriumnew.xxxx.com/oauth2/callback
  certificates:
  - oauth/wildcard.xxxx.com
  identityProvider:
    provider: azure
    secret: oauth/pomerium-oauth-azure-idpazure
    url: https://login.microsoftonline.com/xxxxxx/v2.0
  secrets: oauth/pomerium-oauth-azure-secretsazure

What did you see in the logs?

(Same log lines as pasted under "How'd it happen?" above.)

Additional context

We use a custom chart, meaning we pull the public one and in our organization use it with custom changes, like changing ports, scanning the image and resolving vulnerabilities, stuff like that. I know it is an old image, but still, let us know if an image change will help in this case and which image it would be.

This is an old version of the ingress controller. Directory support is now only available in the enterprise console.

Does the pod you’re running have internet egress access? Have you tried increasing the timeout as the error message suggests?

No, I did not increase it yet. I will increase it and check. Also, yes, this has access to the internet.

Does this mean the community version does not support it anymore?

Directory support (groups, additional user info claims) is now only available in the enterprise console. Some IdPs support populating claims with groups data and that can be used as a workaround: Microsoft Entra ID (formerly Azure Active Directory) | Pomerium
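An added example of the claims-based workaround mentioned in the reply above; it is not from this thread or from the Pomerium project. It assumes the Entra app registration has been set to emit a groups claim in the ID token (Token configuration > Add groups claim in the portal, or `groupMembershipClaims` set to `SecurityGroup` in the app manifest), a hypothetical Ingress named `internal-app` in the `oauth` namespace, an ingress class named `pomerium`, and a placeholder group object ID:

```yaml
# Added example, not from this thread. Assumes a hypothetical Ingress "internal-app"
# in the "oauth" namespace, an ingress class "pomerium", and a placeholder group ID.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-app
  namespace: oauth
  annotations:
    # Pomerium Policy Language (PPL). Without directory sync there is no group
    # lookup: "claim/groups" is matched against the groups claim carried in the
    # Entra ID token, which contains group object IDs, not display names.
    ingress.pomerium.io/policy: |
      allow:
        and:
          - domain:
              is: xxxx.com
          - claim/groups: 11111111-2222-3333-4444-555555555555   # placeholder group object ID
spec:
  ingressClassName: pomerium
  rules:
    - host: internal-app.xxxx.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-app
                port:
                  number: 8080
```

Two caveats when relying on token claims instead of directory sync: Entra omits the groups claim from a JWT once a user belongs to more than 200 groups and emits an overage claim instead, so the policy above fails closed for such users (restricting the claim to groups assigned to the application keeps tokens small and avoids this); and group membership changes are only seen when the user's token is refreshed or they log in again, not immediately as with a directory refresh.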

This URL does not work for checking details about the timeout …

Yes we have done the config as same as in the documentation.

Yes sorry the URL no longer works because the option no longer exists in current versions of Pomerium. Here is a link to the old docs:

https://0-21-0.docs.pomerium.com/docs/reference/identity-provider-refresh-directory-settings