Prevent AD users from logging in

I am using Jenkins 2.426.2 war on a Windows server in a domain. I have Active Directory v2.34 and Matrix Authorization 3.2.1 installed. I have Jenkins connected to the domain and I am able to add AD users/groups to the Matrix Auth Strategy. I have no permissions granted to anonymous or authenticated user. Everything is working well. Until… Security discovered anyone in the AD domain can log into Jenkins. I responded with, yes, but they get “access denied” after login because they have no permissions. Sadly, that wasn’t good enough. They want to only allow users with valid permissions (purpose) to log in. I have searched everywhere and cannot find a solution to only allow specific users the ability to login (other than changing back to Jenkins internal DB auth). Any help would be greatly appreciated!

Jenkins setup:
Jenkins: 2.426.2
OS: Windows Server 2019 - 10.0
Java: 21.0.1 - Oracle Corporation (Java HotSpot™ 64-Bit Server VM)

active-directory:2.34

I don’t think this is possible at all with the AD plugin (or the LDAP plugin). It might be possible where user authentication is done externally (SAML plugin).
But tell your security team that if you use the built-in database, there is the much bigger risk that people choose weak passwords (I assume you have password policies in AD that enforce strong passwords), and that it causes a lot of maintenance overhead, as you can no longer use AD groups and you need to add each user manually.
And you can still access Jenkins anonymously and then do the same things as a logged-in user with no permissions. So in my eyes it doesn’t add any more security when you forbid login.

Thanks Marcus - my thoughts exactly on using the Jenkins internal DB. I may have a lead on using the LDAP plugin. I’ll report back after testing.