How do I add custom group attributes in Entra?

Question

How do I add custom group attributes in Entra?

Ryan Esch 20

I have created security groups in Entra, and I want to add attributes to these groups, specifically sAMAccountName because I want to mimic Active Directory. This is a test environment, but production will be connected to AD. The goal is to be able to edit the group claim to return sAMAccountName instead of groupId, but that won't work unless the groups have sAMAccountName.

User's image

1 answer

Your answer

Answer 1

Goutam Pratti 6,170 Microsoft External Staff Moderator

Hello @Ryan Esch ,

Thank you for reaching out Microsoft Q&A.

I Understand you have created security groups in Entra, and you want to add attributes to these groups, specifically sAMAccountName because you want to mimic Active Directory. This is a test environment, but production will be connected to AD. The goal is to be able to edit the group claim to return sAMAccountName instead of groupId, but that won't work unless the groups have sAMAccountName.

sAMAccountName and on-premises GroupSID attributes are available only on group objects synced from Active Directory. They aren't available on groups created in Microsoft Entra ID or Office 365. Applications configured in Microsoft Entra ID to get synced on-premises group attributes get them for synced groups only.

The supported formats for group claims are:

Microsoft Entra group ObjectId: Available for all groups.
sAMAccountName: Available for groups synchronized from Active Directory.
NetbiosDomain\sAMAccountName: Available for groups synchronized from Active Directory.
DNSDomainName\sAMAccountName: Available for groups synchronized from Active Directory.
On-premises group security identifier: Available for groups synchronized from Active Directory.

User's image

for additional information: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#group-claims-for-applications-migrating-from-ad-fs-and-other-identity-providers

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Regards,
Goutam Pratti.

Ryan Esch 20 Reputation points

2024-12-20T11:22:26.4433333+00:00

@Goutam Pratti Okay. Is there a way for me to return group names instead of groupId for security groups created in Entra?
Return as in when I get a token.
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2024-12-23T09:26:33.0333333+00:00
Hello @Ryan Esch ,

Thank you for reaching out Microsoft Q&A.

Yes, there a way for me to return group names instead of groupId for security groups created in Entra.

You can follow the steps to achieve:

Assign the Security cloud group to the application.

Select Add a group claim > Groups assigned to the application > Source-attribute>Cloud-only group display names > Save

As you can see from the above, I can be able to get the group name claim as I have tried in my tenant

NOTE: It is only possible for Cloud group only

For Additional information follow: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#emit-cloud-only-group-display-name-in-token

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for the above answer helpful. And, if you have any further query do let us know.

Regards,
Goutam Pratti.
Ryan Esch 20 Reputation points

2024-12-23T12:48:12.1733333+00:00

@Goutam Pratti I am using OIDC, so my group claim page looks likek this:
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-01-03T03:39:36.58+00:00
Hello @Ryan Esch ,

Thank you for reaching out Microsoft Q&A.

I understand you want to return group names instead of groupId for security groups created in Entra using OIDC Application.

In the portal, select Identity > Applications > App registrations > Select Application > Manifest.

To emit group display name for cloud-only groups, you can add "cloud_displayname" to additional properties. This option will work only when “groupMembershipClaims” is set to ApplicationGroup

Click on Save.

For additional information you can follow: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#configure-the-microsoft-entra-application-registration-for-group-attributes

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for the above answer helpful. And, if you have any further query do let us know.

Regards,
Goutam Pratti.
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-01-06T22:49:32.91+00:00

Hello @Ryan Esch ,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator

2025-01-07T20:00:05.1566667+00:00

Hello @Ryan Esch ,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Ryan Esch 20 Reputation points

2025-01-17T19:45:48.3333333+00:00

Sorry for the late response - that did not work. But I'm not confident I'm doing everything correctly.

Share via

How do I add custom group attributes in Entra?

1 answer

Your answer