This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 15%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
IN azure AD, we can put group claim in ID token through azure AD easily. Do we have similar function to add group claim to ID token in azure AD B2C without custom programming?
Thanks.
Hello @dwang
Thank you for your post
If i understood correctlly your concern, I would give you the next info for you to get it done as shown below:
Looking forward to your feedback,
Best Regards,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
where in the tutorial link from you show "adding group claim?
hi, based on my experience, group claim without custom programming is available in azure AD, but not in Azure B2c. I wonder what is the reason engineer from Microsoft doesn't know.
Hi @dwang
Thanks for your answer.
I just wanted to gather you the next info below:
https://mrochon.azurewebsites.net/2019/05/06/using-groups-in-azure-ad-b2c/
There you will see about Add a new claim....
I did not want to pretend being a MS engineer, I am just a volunteer : )
Hope this helps...
BR,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks for the info.
For the API I call, if I need to provide certificate to connect to the API, how do I integrate certificate in my custom policy to make the API connection working?
Hi @dwang • Yes, Group Claims are not available out-of-the-box with Azure AD B2C.
In standard Azure AD tenants, Group Claim can be returned by configuring it Token Configuration blade of the registered application but in Azure AD B2C you cannot do that because the token issuance is handled via IEF so the group claim must be added as an output claims to the user flow or custom policy.
As of now, there is no option to get the Group claim in the token issued via standard user flows and a custom policy needs to be used for this purpose.
In order to get the group claim, you need to use Custom Policy that makes the below Graph call via a RESTful Technical Profile to get the user's group membership and return all groups the user belongs to.
https://graph.microsoft.com/v1.0/users/aabd55a9-bf43-4838-8246-643d42410f6b/memberOf?$select=displayNamehttps://graph.microsoft.com/v1.0/users/obj_id_of_the_user/memberOf?$select=displayName
Where the value for obj_id_of_the_user can be provided as an input claim to the RESTful technical profile and this technical profile should be configured to return the group claim as a string collection, which can then be added to the claims bag to be returned in the token issued to the relying party.
Feel free to tag me in your reply if you have any questions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 53%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Can you provide a complete example of the components required to get this to work?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 54%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
Hi @AmanpreetSingh-MSFT thank you for your response. I was able to do that that you metioned. Making a call to API Graph with a REST-full technical profile.
The issue for me now is how to parse the dynamic content of the StringCollection to pass it to the RelyingParty policy.
I can return the "groups" claim that is a StringCollection with all user's group, but this is actually a complex JSON that the backend app can't parse to get the specific groups.
I found an example where you can solve it using transformationsClaims (https://github.com/azure-ad-b2c/samples/tree/master/policies/groups/policy), BUT it is not enough for my case because in general a user could have dynamic amount of groups. So I need something that iterate inside the StringCollection.
Tell me if you understand my issue.
Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 0%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
Did you get any help here Esteban Sandoval? Have query here, What will be the value in the "value" in the above script? as i see "value[0].displayName" gives you the first group name. is it
{"Value":[{"id":1,"displayName":"Group1"}]}
If yes, then the Token claim still hold it, a group check in the code level can iterate & check . Isn't it a proper way?
i am also looking something like this. AmanpreetSingh-MSFT If anything new has been released by MSFT to get the group claim?