Azure AD OIDC JWT access token from client credentials grant flow doesn't always contain groups assigned to application

Gow, Ryan 20 Reputation points
2023-06-26T09:01:51.35+00:00

Hi,

I am struggling to consistently get the groups assigned to an application to be present in the OIDC JWT access token issued by Azure AD when using the client credentials grant flow. Sometimes access token contains the groups and sometimes it doesn't even though no configuration has changed. For example, I obtained this token (truncated):

{
  ...
  "iat": 1687768762,
  "nbf": 1687768762,
  "exp": 1687772662,
  ...
  "groups": [
    "3cc4aa96-e09a-41a8-b2a6-161fff2219df"
  ],
  "idtyp": "app",
  "sid": "456684da-851a-436c-a240-e1ee98f9d4e0",
  "sub": "28ae14d0-cbdf-4e92-b79f-3f5036e2fa1f",
  "ver": "2.0"
}

then a few seconds later I send an identical request and I get this token:

{
  ...
  "iat": 1687768784,
  "nbf": 1687768784,
  "exp": 1687772684,
  ...
  "idtyp": "app",
  "sid": "0e5892c2-3a03-4eba-af68-3feebdd7af19",
  "sub": "28ae14d0-cbdf-4e92-b79f-3f5036e2fa1f",
  "ver": "2.0"
}

Notice that the groups are missing. I have confirmed that the subject corresponds to the ID of the service principal.

A couple of points about the configuration:

  • There are no App Roles configured.
  • I have one Azure AD group (3cc4aa96-e09a-41a8-b2a6-161fff2219df) that is assigned to the application.
  • I have added the groups claim in the token configuration. It is configured to only contain the groups assigned to the application. I have tried the other options (All, Security Groups etc.). I have confirmed that the configuration appears correctly in the application manifest.
  • I am using the client credentials grant flow.

How do I consistently get the groups claim to appear in the access token?


Answer accepted by question author
  Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator
    2023-06-28T18:53:01.44+00:00

    Thanks @Gow, Ryan for providing the required information. Your application and authorization request looks fine. As you suggest, the inconsistency in the data returned in your access tokens could be caused by reading from/switching to a secondary replica or data center not yet updated with the latest data. Data updates should take seconds and rarely minutes. Ideally your client should keep being routed to the same data center in order to get consistent (not necessarily updated) results, however this may not be always the case depending on a number of factors. If the issue persists kindly provide the x-ms-request-id, x-ms-ests-server and Date response headers for further investigation and debugging.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.


1 additional answer

  Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator
    2023-06-27T06:51:45.1733333+00:00

    Hello @Gow, Ryan, in order to obtain the Azure AD groups for your application you need to configure the optional claim in the target resource/application. So, if you have application A targeting application B then application B needs to configure the groups optional claim. If application A is targeting itself then application A needs to configure the groups optional claim.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
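The two answers above make two separate points: the groups optional claim has to be configured on the target resource application (the app named in the token's aud), and an intermittently missing claim should be traced with the x-ms-request-id, x-ms-ests-server and Date response headers. The script below is an added example, not code from the question or from Microsoft; it checks a resource app manifest for the settings that emit the groups claim, decodes a token payload for inspection, and collects those trace headers whenever the expected group is absent. The group and service-principal ids come from the question; the manifest dicts, the token fixtures and the header values are constructed, and the manifest keys assumed are `groupMembershipClaims` and `optionalClaims.accessToken`.

```python
import base64
import json

# Values taken from the question: the assigned group and the service principal id.
GROUP_ID = "3cc4aa96-e09a-41a8-b2a6-161fff2219df"
SP_OBJECT_ID = "28ae14d0-cbdf-4e92-b79f-3f5036e2fa1f"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_test_jwt(payload: dict) -> str:
    """Constructed test fixture only: an unsigned compact JWS carrying the payload.
    Real tokens from the token endpoint are signed; this exists so the decoder
    below can be exercised offline."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying its signature.
    Inspection only: a resource server must validate signature, issuer, audience
    and expiry before trusting any claim, groups included."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def manifest_problems(resource_manifest: dict) -> list[str]:
    """Check the TARGET RESOURCE app's manifest (the app in the token's aud), not the
    client's: the optional claim is read from the resource (second answer above).
    Returns findings; an empty list means the manifest can emit the groups claim."""
    findings = []
    membership = resource_manifest.get("groupMembershipClaims") or "None"
    if not any(v in membership for v in ("ApplicationGroup", "SecurityGroup", "All")):
        findings.append(f"groupMembershipClaims={membership!r} will not emit group claims")
    access_token_claims = resource_manifest.get("optionalClaims", {}).get("accessToken", [])
    if not any(c.get("name") == "groups" for c in access_token_claims):
        findings.append("optionalClaims.accessToken does not list the 'groups' claim")
    return findings


def check_token(token: str, response_headers: dict, expected_group: str = GROUP_ID,
                expected_sub: str = SP_OBJECT_ID) -> dict:
    """Report whether the token carries the assigned group. When it does not, return
    the response headers the accepted answer asks for so the request can be traced."""
    claims = decode_jwt_payload(token)
    groups = claims.get("groups", [])
    report = {
        "is_app_token": claims.get("idtyp") == "app",
        "sub_matches_service_principal": claims.get("sub") == expected_sub,
        "groups_claim_present": "groups" in claims,
        "expected_group_present": expected_group in groups,
        "trace": {},
    }
    if not report["expected_group_present"]:
        lower = {k.lower(): v for k, v in response_headers.items()}  # header names are case-insensitive
        report["trace"] = {h: lower.get(h) for h in ("x-ms-request-id", "x-ms-ests-server", "date")}
    return report


# Constructed fixtures mirroring the two payloads in the question; header values are placeholders.
TOKEN_WITH_GROUPS = make_unsigned_test_jwt({"iat": 1687768762, "nbf": 1687768762, "exp": 1687772662,
                                            "groups": [GROUP_ID], "idtyp": "app",
                                            "sub": SP_OBJECT_ID, "ver": "2.0"})
TOKEN_WITHOUT_GROUPS = make_unsigned_test_jwt({"iat": 1687768784, "nbf": 1687768784, "exp": 1687772684,
                                               "idtyp": "app", "sub": SP_OBJECT_ID, "ver": "2.0"})
SAMPLE_HEADERS = {"X-Ms-Request-Id": "00000000-0000-0000-0000-000000000000",
                  "X-Ms-Ests-Server": "placeholder-ests-server",
                  "Date": "Mon, 26 Jun 2023 09:00:00 GMT"}

# Constructed manifests: one configured as the question describes, one with nothing set.
GOOD_RESOURCE_MANIFEST = {
    "groupMembershipClaims": "ApplicationGroup",
    "optionalClaims": {"idToken": [], "saml2Token": [],
                       "accessToken": [{"name": "groups", "source": None,
                                        "essential": False, "additionalProperties": []}]},
}
BAD_RESOURCE_MANIFEST = {"groupMembershipClaims": None,
                         "optionalClaims": {"idToken": [], "accessToken": [], "saml2Token": []}}

if __name__ == "__main__":
    print("resource manifest findings:", manifest_problems(BAD_RESOURCE_MANIFEST) or "none")
    for label, tok in (("first token", TOKEN_WITH_GROUPS), ("second token", TOKEN_WITHOUT_GROUPS)):
        print(label, json.dumps(check_token(tok, SAMPLE_HEADERS), indent=2))
```

In a real run, `response_headers` would be the headers of the token-endpoint response that produced the token, captured by the HTTP client alongside the body; logging the trace dictionary for every token that lacks the group gives the request ids the accepted answer asks for without storing the token itself.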

