Issue with Regex custom group claim

Brule, Joshua L. (Josh) 0 Reputation points
2024-11-12T23:55:43.2166667+00:00

For most users this works fine and returns the teams claim as expected. My account has 186 groups and has no issues. However we have a user with 305 group memberships and the claim is failing to be created and instead we are getting a claim named: [http://schemas.microsoft.com/claims/groups.link], after filtering this user should only have around 30 groups in the claim.

I am aware of the 150 group limit (I believe that is after filtering), but it doesn't seem to be an issue judging by the success of my account (186 groups), so I was wondering if there is a known limit when using Regex Replacement Pattern.

The documentation for Regex Replacement Pattern notes -> "You can also use the regex transform feature as a filter, because any groups that don't match the regex pattern will not be emitted in the resulting claim."

The application assigned groups are being exposed as [roles] user.assignedroles. We want these regex filtered groups to be passed for [teams] assignment within the app.

[Screenshot 2024-11-12 at 5.46.19 PM]

[Screenshot 2024-11-12 at 5.37.44 PM]
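A small simulation of the regex-replacement claim filter described in the question, added here as an example; it is not part of the original post and not Microsoft's implementation. It assumes a pattern of `^Team-(?<teamname>.+)$` with replacement `{teamname}` (the thread does not show the actual pattern), constructed group names, and the 150-group limit the question mentions. It reports how many groups match before and after filtering so the two counts discussed in the thread can be compared; it does not assume at which point Entra applies the limit.

```python
import re

# Limit the question refers to for SAML group claims; treated here as a parameter.
SAML_GROUP_LIMIT = 150

# Entra's regex transform uses .NET syntax: named captures are (?<name>...) and
# the replacement pattern references them as {name}. Python wants (?P<name>...)
# and \g<name>, so these two helpers convert. Lookbehinds (?<= and (?<! are left alone.
def dotnet_to_python_pattern(pattern: str) -> str:
    return re.sub(r"\(\?<(?!=|!)([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def dotnet_to_python_replacement(replacement: str) -> str:
    return re.sub(r"\{([A-Za-z_]\w*)\}", r"\\g<\1>", replacement)


def apply_regex_claim(groups, pattern: str, replacement: str):
    """Emit one claim value per group whose name matches; non-matching groups are dropped,
    which is the filtering behaviour the documentation quoted in the question describes."""
    rx = re.compile(dotnet_to_python_pattern(pattern))
    template = dotnet_to_python_replacement(replacement)
    emitted = []
    for name in groups:
        m = rx.search(name)
        if m:
            emitted.append(m.expand(template))
    return emitted


def claim_outcome(groups, pattern: str, replacement: str, limit: int = SAML_GROUP_LIMIT):
    """Return the source and emitted counts and whether each exceeds the limit."""
    emitted = apply_regex_claim(groups, pattern, replacement)
    return {
        "source_groups": len(groups),
        "emitted_groups": len(emitted),
        "values": emitted,
        "source_over_limit": len(groups) > limit,
        "emitted_over_limit": len(emitted) > limit,
    }


def build_sample_groups(team_count: int, other_count: int):
    """Constructed sample data: 'Team-' groups that should pass the filter plus unrelated groups."""
    teams = [f"Team-Project{i:03d}" for i in range(team_count)]
    others = [f"DL-Distribution{i:03d}" for i in range(other_count)]
    return teams + others


if __name__ == "__main__":
    # Hypothetical pattern and replacement; the thread does not show the real ones.
    pattern, replacement = "^Team-(?<teamname>.+)$", "{teamname}"
    # The two users from the question: 186 groups total, and 305 groups of which ~30 match.
    for label, groups in (("186-group user", build_sample_groups(25, 161)),
                          ("305-group user", build_sample_groups(30, 275))):
        out = claim_outcome(groups, pattern, replacement)
        print(label, {k: v for k, v in out.items() if k != "values"})
```

Running it shows the 305-group user exceeds the limit only when the count is taken before filtering (305 > 150) and not after (30 < 150), which is exactly the distinction the question raises.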

Microsoft Entra ID
1 answer

  1. Raja Pothuraju 8,970 Reputation points Microsoft Vendor
    2024-11-13T03:52:06.97+00:00

    Hello @Brule, Joshua L. (Josh),

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you have added a custom Regex group claim to your SAML application. This claim is being correctly passed for all users except one, who has 305 group assignments. In the SAML response for this particular user, you’re seeing a claim with the name http://schemas.microsoft.com/ws/2008/06/identity/claims/groups containing around 30 group IDs, instead of the expected "teams" claim. The primary difference between the working and non-working scenarios seems to be the higher number of groups assigned to this user.

    To further understand the issue, could you try using "Groups assigned to the application" rather than selecting "All groups"? This might help us determine if limiting the scope of group claims resolves the problem.

    Thanks,
    Raja Pothuraju.

