Adding custom claim to id token based on group membership existence on Azure AD

Sami Altundag 21 Reputation points
2019-12-01T12:07:38.973+00:00

I have an (external to Azure) company application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to id_token if the user is in a specific group in AD. For example if the user is in the group "Admins", I need to add the following custom claim to id_token.

"Admin": "Yes"

I am reading the below page to do that; However I could not find any relevant example for groups. Can you share an example for doing this? If this is not possible in the exactly same way, I 'd like to know the alternative solution for putting specific groups to id_token please.

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,178 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,461 Reputation points
    2019-12-02T08:42:27.793+00:00

    @Sami Altundag ,

    This is not possible with Azure AD. You can pass optional claims but the provisioning for transforming claims on the basis of group membership is not available as of now.

    As an alternative, you can configure app roles in the application manifest and pass it in the token. Below is an example of how to add Writer role in app, similarly you can create Admin role. Refer to How to: Add app roles in your application and receive them in the token for more details.

    Below is how the app roles appear in the token:
    alt text

    Another alternative solution would be to pass all the groups in the token and configure the application to make authorization decisions based on the group claims.

    Hope this information would help.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful