Token Config Options in Azure App Registrations

Richard Scannell 361 Reputation points
2020-08-03T14:28:37.943+00:00

I have been exploring the Token Config options in Portal.Azure.Com \ App Registrations

Underneath Add groups claims is the facility to customise token properties by type.
I was hoping to be able to change the values returned for the groups,
from the default option, which is a GUID, to something which is more easily understandable.

I have tried the options
Group ID
sAMAccountName
NetBIOSDomain\sAMAccountName
DNSDomain\sAMAccountName
On Premises Group Security Identifier

but the data returned is always a GUID. Is this the expected behaviour, or am I doing something wrong?

Thanks in advance

Cheers Richard


1 answer

  1. soumi-MSFT 11,786 Reputation points Microsoft Employee
    2020-08-04T10:25:33.15+00:00

    @Richard Scannell , Thank you for reaching out. For the group claims, the following points need to be checked:

    • The group must be synced from On-Prem AD to Azure AD.
    • When the group is synced, its sAMAccountName must be synced to Azure AD.
    • If the group is created in Azure AD itself, you would only get the GUID (object ID) for that group.
    • Once the group's sAMAccountName is synced to Azure AD, make sure that in the Token Configuration section you have selected the appropriate option, e.g. sAMAccountName or NetbiosDomain\sAMAccountName.

    You can find the description of the available options here:

    • Azure Active Directory Group ObjectId (Available for all groups)
    • sAMAccountName (Available for groups synchronized from Active Directory)
    • NetbiosDomain\sAMAccountName (Available for groups synchronized from Active Directory)
    • DNSDomainName\sAMAccountName (Available for groups synchronized from Active Directory)
    • On Premises Group Security Identifier (Available for groups synchronized from Active Directory)

    More details can be found here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#group-claims-for-applications-migrating-from-ad-fs-and-other-identity-providers

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
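The checklist in the answer above, turned into a small inspection script (an added example; it is not code from the thread, from Microsoft, or from the question author). It decodes the payload of an ID/access token, classifies each value in the `groups` claim as one of the five Token Configuration formats, reports which values are still object-ID GUIDs (the symptom Richard describes), and builds the `optionalClaims` manifest fragment that the portal writes for a chosen option. The token, group names and domains are constructed for the example; the manifest property names (`groupMembershipClaims`, `optionalClaims`, `additionalProperties` values such as `sam_account_name`) are assumed from Microsoft's optional-claims documentation rather than taken from this page, and no mapping is given for the on-premises SID option because the thread does not state one.

```python
import base64
import json
import re

# Value shapes for the formats listed in the answer. Constructed for this
# example; none of the patterns come from the original thread.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
DNS_SAM_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\\[^\\]+$")
NETBIOS_SAM_RE = re.compile(r"^[A-Za-z0-9-]{1,15}\\[^\\]+$")

GROUP_ID = "Group ID (object ID GUID)"

# Assumption: additionalProperties values as documented for the app manifest.
# "Group ID" is the default and needs no additional property; the SID option
# is deliberately left out because this thread gives no manifest value for it.
MANIFEST_ADDITIONAL_PROPERTY = {
    "sAMAccountName": "sam_account_name",
    "NetBIOSDomain\\sAMAccountName": "netbios_domain_and_sam_account_name",
    "DNSDomain\\sAMAccountName": "dns_domain_and_sam_account_name",
}


def classify_group_value(value):
    """Return which Token Configuration format a single groups-claim value matches."""
    if GUID_RE.match(value):
        return GROUP_ID
    if SID_RE.match(value):
        return "On Premises Group Security Identifier"
    if DNS_SAM_RE.match(value):          # contains a dotted domain before the backslash
        return "DNSDomain\\sAMAccountName"
    if NETBIOS_SAM_RE.match(value):      # short flat name before the backslash
        return "NetBIOSDomain\\sAMAccountName"
    if "\\" not in value:
        return "sAMAccountName"
    return "unrecognised"


def decode_jwt_payload(token):
    """Decode a JWT payload for inspection only. The signature is NOT verified,
    so never use claims obtained this way for an authorization decision."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def build_sample_token(groups):
    """Constructed, unsigned sample token carrying a groups claim (for the demo only)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "https://login.microsoftonline.com/example/v2.0",
               "aud": "00000000-0000-0000-0000-000000000000", "groups": groups}
    return f"{b64(header)}.{b64(payload)}."


def diagnose(groups, expected_format):
    """Apply the answer's checklist to each groups value: 'ok' if it is already in the
    expected format; for a GUID, name the causes the answer says to rule out."""
    report = []
    for value in groups:
        fmt = classify_group_value(value)
        if fmt == expected_format:
            report.append((value, "ok"))
        elif fmt == GROUP_ID:
            report.append((value, "still a GUID: group is cloud-only, its sAMAccountName "
                                  "is not synced, or the option is not set for this token type"))
        else:
            report.append((value, f"unexpected format: {fmt}"))
    return report


def manifest_fragment(option, token_types=("idToken", "accessToken")):
    """Build the app-manifest fragment that selecting `option` in Token Configuration
    produces (assumed property names, see above)."""
    claim = {"name": "groups", "essential": False}
    extra = MANIFEST_ADDITIONAL_PROPERTY.get(option)
    if extra:
        claim["additionalProperties"] = [extra]
    return {"groupMembershipClaims": "SecurityGroup",
            "optionalClaims": {t: [dict(claim)] for t in token_types}}


if __name__ == "__main__":
    # Constructed token: one cloud-only group (GUID) and one synced group (NetBIOS form).
    token = build_sample_token(["3f0e5b1a-2c4d-4e6f-8a9b-0c1d2e3f4a5b", "CONTOSO\\Finance"])
    claims = decode_jwt_payload(token)
    for value, verdict in diagnose(claims["groups"], "NetBIOSDomain\\sAMAccountName"):
        print(f"{value}: {verdict}")
    print(json.dumps(manifest_fragment("NetBIOSDomain\\sAMAccountName"), indent=2))
```

Run it against a real token by pasting the token string into `decode_jwt_payload`; a `groups` array that is all GUIDs while you expected names points at one of the three causes in the answer, and a mixed array (as in the constructed sample) shows that only the synced groups change shape.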
