Hello,
I'd like to ask about Enterprise apps and their Single sign-on blade. I have an App registration created correctly with the optional groups claim in Token configuration, as shown below:
This App registration has its corresponding Enterprise app created in the same directory (tenant) -> this Enterprise app has shown the groups claim in Single sign-on blade (Attributes & Claims) and this groups claim can be configured via Portal as shown below:
But the problem is when I use this App registration for another, different directory (tenant). The Enterprise app created there in the different directory does not have any claims shown in the Single sign-on blade (Attributes & Claims), nor any possibility to add them. The "Add a group claim" button doesn't work (it is grey and I cannot click on it). This button also doesn't work in any other Enterprise apps or directories (tenants). Is there anything wrong with this button for me? Because the documentation says that the button can also be used for the purpose that I am trying to accomplish. -> https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration
I would expect that these claims would be inherited to all Enterprise apps across all tenants as it is pre-defined in App registration from which these Enterprise apps are created.
I need to use this claims definition to filter the groups that would be emitted into the JWT token so it wouldn't exceed the number of 200 groups (OIDC), which is a limit, as the documentation says. -> https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-groups-optional-claims
Please let me know what I am missing. Thank you for your help.
Hi,
Was there a solution found for this issue?