How to get group/role claim in ID token from Azure B2C?

Shubham Singh 1 Reputation point
2021-04-13T11:19:04.937+00:00

I followed these steps to get a custom claim in the ID token with the name 'extension_6de6a54XXXXX4560b9d65731ce869be4_Role'. But my expected output is the 'groups' claim or the 'role' claim information.

I tried customMappingPolicies to map this ID token claim 'extension_6de6a54XXXXX4560b9d65731ce869be4_Role' to the 'groups' claim. But following the steps in this documentation does not seem to affect the ID token issued by B2C.

Then I found this answer that explains getting group membership using custom policies. I got stuck on the step of entering the details below for Microsoft Graph in the file TrustFrameworkExtensions.xml. I don't have answers to questions like:

  1. Should I enter a Microsoft Graph endpoint in ServiceUrl?
  2. How will the AccessToken be supplied?
  3. How will the JSON response be fetched and the output passed into the token?

<TechnicalProfile Id="REST-RBAC">
  <DisplayName>Read and validate user's groups</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Demo: Change the service URL with your REST API location -->
    <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{objectId}/getMemberGroups</Item>
    <!-- Demo: Change the AuthenticationType to Basic or ClientCertificate.
         For more information, see: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw-secure-cert -->
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="SendClaimsIn">Url</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <!-- Demo: set the DefaultValue to an empty string or a comma-delimited list
         of security groups to validate -->
    <!-- <InputClaim ClaimTypeReferenceId="onlyMembersOf" DefaultValue="admins" /> -->
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="groups" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

NOTE: I don't want my application to handle an HTTPS request just for one piece of information that I can get in the token.

Thanks in advance.
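As an added illustration (not code from the question, the linked answer, or Microsoft), here is the core logic of the kind of intermediary API that a RestfulProvider ServiceUrl is usually pointed at: it receives the objectId claim that B2C sends, calls Graph getMemberGroups with an application token obtained server-side, and translates the result into the JSON shape the technical profile's OutputClaims expect. The function and constant names, the sample Graph payload and the group IDs are all assumptions made up for this example; only the HTTP-free parts run offline.

```python
"""Middle tier between an Azure AD B2C RESTful technical profile and
Microsoft Graph getMemberGroups (added example, not Microsoft's code).
Assumed: B2C calls this API with the objectId claim; GRAPH_BASE and the
helper names are ours."""
import json
import urllib.request
from typing import Optional, Set

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # assumed base URL


def graph_member_groups_request(object_id: str, app_token: str) -> urllib.request.Request:
    """Build the Graph call: POST /users/{id}/getMemberGroups.
    The app token comes from a client-credentials flow held by this API,
    so the Graph credential is never placed in the B2C policy itself."""
    body = json.dumps({"securityEnabledOnly": True}).encode()
    return urllib.request.Request(
        f"{GRAPH_BASE}/users/{object_id}/getMemberGroups",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {app_token}",
                 "Content-Type": "application/json"})


def b2c_response(graph_json: dict, required: Optional[Set[str]] = None):
    """Translate the Graph payload into what RestfulProvider consumes:
    HTTP 200 with output-claim names as top-level JSON keys, or HTTP 409
    with the documented {version, status, userMessage} error body."""
    groups = graph_json.get("value", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "Unexpected group membership response"}
    if required and required.isdisjoint(groups):
        # Same idea as the commented-out onlyMembersOf input claim:
        # block sign-in when the user is in none of the allowed groups.
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "You are not a member of an authorised group"}
    # The key must match the OutputClaim ClaimTypeReferenceId ("groups").
    return 200, {"groups": groups}


# Constructed sample: the shape Graph returns for a user in two security groups.
SAMPLE_GRAPH = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": ["11111111-aaaa-4bbb-8ccc-000000000001",
              "22222222-aaaa-4bbb-8ccc-000000000002"]}

if __name__ == "__main__":
    req = graph_member_groups_request("<user-objectId>", "<app-token>")
    print(req.get_method(), req.full_url, req.data)
    print(b2c_response(SAMPLE_GRAPH))
    print(b2c_response(SAMPLE_GRAPH, required={"33333333-aaaa-4bbb-8ccc-000000000003"}))
```

In the policy, SendClaimsIn and AuthenticationType then describe how B2C talks to this API, not to Graph, and the returned group IDs can be mapped onward with a ClaimsTransformation if role names rather than object IDs are wanted in the token.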
