Enterprise App group claim

Akin Ajewole 21 Reputation points
2020-03-05T12:58:20.7+00:00

I need to pass all the groups in the token and configure the application to make authorization decisions based on the group claims.

I have followed all the docs about configuring group claims with no luck.

[Screenshot: 3813-groupclaim.png]

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,286 Reputation points
    2020-03-06T06:23:50.837+00:00

    @Akin Ajewole Based on your current configuration, Group claim will be passed as Role claim in the token. If you want to pass it as group claim, you need to uncheck "Emit groups as role claims".

    If you want to pass the Group claim as Role but you are not getting all groups listed in the token, be informed that there is a limit of 150 groups for a SAML token, and 200 for a JWT. If a user is a member of more groups than this limit, that can lead to unpredictable results. I have seen the list of groups replaced with a Graph API link to query groups.

    If that is also not the case, make sure you have "onPremisesSamAccountName" attribute synced to Azure AD with value of SamAccountName specified in your on-prem AD. To check this:

    1. Go to https://developer.microsoft.com/en-us/graph/graph-explorer and login with your Global Admin account by clicking on Sign-in with Microsoft button on the left.
    2. Use GET call > https://graph.microsoft.com/beta/groups/Object_ID_of_the_Group
    3. In the response, make sure you see the appropriate value populated.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.
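The two situations the answer describes (groups emitted under `roles` because "Emit groups as role claims" is checked, and the group list dropped from the token once the 150/200 limit is exceeded) both change what an application sees in the claims. The helper below is an added example, not code from this thread or from Microsoft; it assumes the token has already been validated (signature, issuer, audience, expiry) by the app's JWT middleware and that the decoded claims arrive as a Python dict. The three sample claim sets are constructed for illustration. When Entra ID cannot fit the groups into the token it replaces `groups` with the `_claim_names`/`_claim_sources` pair pointing at a Graph endpoint (and sets `hasgroups` in implicit-flow tokens); the helper treats that as "membership unknown" and fails closed rather than treating an empty list as "no groups".

```python
"""Group-claim based authorization that handles the Entra ID group overage case.

Added example (not from the Q&A thread or Microsoft). Assumes the caller has
already validated the token and passes the decoded claims as a dict.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample claim sets (object IDs are made up).
SAMPLE_GROUPS_TOKEN = {
    "sub": "user-1",
    "groups": ["11111111-aaaa-4bbb-8ccc-000000000001",
               "11111111-aaaa-4bbb-8ccc-000000000002"],
}
# Same memberships, but "Emit groups as role claims" is checked in the enterprise app.
SAMPLE_ROLES_TOKEN = {
    "sub": "user-1",
    "roles": ["11111111-aaaa-4bbb-8ccc-000000000001",
              "11111111-aaaa-4bbb-8ccc-000000000002"],
}
# Overage: user is in more groups than the token limit allows, so Entra ID
# emits a pointer to Graph instead of the list. Endpoint value is illustrative.
SAMPLE_OVERAGE_TOKEN = {
    "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}},
}


@dataclass(frozen=True)
class GroupLookup:
    groups: frozenset[str]
    source: str      # "groups", "roles", "overage" or "none"
    complete: bool   # False when the token does not carry the full list


def extract_groups(claims: dict) -> GroupLookup:
    """Return the group IDs the token asserts, and whether that list is complete."""
    claim_names = claims.get("_claim_names") or {}
    # Overage indicators: `groups` redirected to a claim source, or `hasgroups`.
    if "groups" in claim_names or claims.get("hasgroups"):
        return GroupLookup(frozenset(), "overage", False)
    if "groups" in claims:
        return GroupLookup(frozenset(claims["groups"]), "groups", True)
    if "roles" in claims:
        # Groups were emitted as role claims; the IDs are the same group object IDs.
        return GroupLookup(frozenset(claims["roles"]), "roles", True)
    return GroupLookup(frozenset(), "none", True)


def overage_endpoint(claims: dict) -> str | None:
    """Return the Graph endpoint the app must query when the list was not emitted."""
    src = (claims.get("_claim_names") or {}).get("groups")
    if src is None:
        return None
    return ((claims.get("_claim_sources") or {}).get(src) or {}).get("endpoint")


def is_authorized(claims: dict, required_group: str) -> bool:
    """Allow only when the token positively asserts membership in required_group.

    An overage token proves nothing about membership, so it is denied here;
    the app should resolve membership through Graph before granting access.
    """
    lookup = extract_groups(claims)
    if not lookup.complete:
        return False
    return required_group in lookup.groups


if __name__ == "__main__":
    target = "11111111-aaaa-4bbb-8ccc-000000000002"
    for name, token in [("groups", SAMPLE_GROUPS_TOKEN),
                        ("roles", SAMPLE_ROLES_TOKEN),
                        ("overage", SAMPLE_OVERAGE_TOKEN)]:
        print(name, extract_groups(token).source, is_authorized(token, target))
```

Checking `complete` before making a decision is the point: a user over the limit would otherwise look like a user with no groups, which is the "unpredictable results" the answer mentions, and for a deny-list style rule it would silently grant access. The `overage_endpoint` value tells the app where to fetch the real list; whether to call it or simply refuse is the app's policy.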


1 additional answer

  1. AmanpreetSingh-MSFT 56,286 Reputation points
    2020-03-06T17:26:11.377+00:00

    @Akin Ajewole This is happening because of the limit of 150 groups for a SAML token and 200 for a JWT. To confirm this, try creating a new user account and add it to a few groups (5-10 for testing purposes). I am sure those groups will be emitted in the token.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.