[entraid] add field to support system credentials instead of OIDC

This PR introduces two new fields for Entra Plugins' settings:

- `tenant_id`: Is the Directory to sync
- `use_system_credentials`: defaults to system credentials instead of using OIDC to authenticate to Entra ID

Both these fields are required for clusters whose access is private and can't be reached from the internet. For those cases, Azure can't validate the OIDC token Teleport shares.

Signed-off-by: Tiago Silva <[email protected]>

api/proto/teleport/legacy/types/types.proto

@@ -6451,8 +6451,15 @@ message PluginEntraIDSyncSettings {
   // DefaultOwners are the default owners for all imported access lists.
   repeated string default_owners = 1;
 
-  // SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin
+  // SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin.
   string sso_connector_id = 2;
+
+  // use_system_credentials uses the system available credentials instead of using the OIDC flow to authenticate
+  // to Azure EntraId. This is important for clusters that are not available through internet.
+  bool use_system_credentials = 3;
+
+  // tenant_id is the Azure Directory this plugin syncs.
+  string tenant_id = 4;
 }
 
 // AccessGraphSettings controls settings for syncing access graph specific data.

api/types/plugin_test.go

@@ -899,6 +899,13 @@ func TestPluginEntraIDValidation(t *testing.T) {
 			},
 			assertErr: requireNamedBadParameterError("sync_settings.sso_connector_id"),
 		},
+		{
+			name: "use system credentials",
+			mutateSettings: func(s *PluginSpecV1_EntraId) {
+				s.EntraId.SyncSettings.UseSystemCredentials = true
+			},
+			assertErr: require.NoError,
+		},
 	}
 
 	for _, tc := range testCases {