Azure AD issues claims security groups names

I need my Azure AD to issue a claim with security group names. But only group object ids come out in the JWT token.

How to get security group names?

What I did so far:

  1. Created a test security group and assigned a user to it. This is the only group for this user.

  2. Set the groupMembershipClaims to All (integer 7) as it is in this official document https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest

  3. Here is the relevant part of the application manifest: { ... "appRoles": [], "availableToOtherTenants": false, "displayName": "Azure AD B2C sandbox App ", "errorUrl": null, "groupMembershipClaims": "All", "optionalClaims": null, "acceptMappedClaims": null, ...

Michael Chudinov asked Sep 28 '18 12:09



2 Answers

You cannot get them in tokens. As you noticed, you only get the ids. Usually this is good, since the id cannot be changed, unlike the name which can change.

If you want to do authorization based on groups, you can set the ids in a configuration file and then check with the id.

If you want the names for some other purpose, you'll need to query the groups from Microsoft Graph API. You can find the API documentation here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/groups-overview

juunas answered Sep 30 '22 21:09
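The approach in the answer above (authorize on the stable group object ids from a config file, resolve names through Microsoft Graph only when you need them), as an added example that is not part of the original answer. It assumes the JWT has already been signature- and issuer-validated by your JWT library, uses made-up group ids, and goes slightly beyond the answer by handling the case where the token omits the groups claim because the user is in more groups than Azure AD will emit (group overage).

```python
"""Authorize on Azure AD group object ids, not group names.

Assumption: the token was already validated (signature, issuer, audience,
expiry) by the JWT library; only the decoded claims dict is handled here.
"""
import uuid

# Constructed allow-list, as it would live in a config file: object id -> app role.
# These ids are made up for the example.
GROUP_ROLES = {
    "0f1a2b3c-4d5e-4f60-8a71-829304a5b6c7": "admin",
    "7e6d5c4b-3a29-4f18-9076-5e4d3c2b1a09": "reader",
}


def roles_from_claims(claims, group_roles=GROUP_ROLES):
    """Map the token's 'groups' claim (object ids) to application roles.

    Returns (roles, needs_graph_lookup). needs_graph_lookup is True when the
    token carries no 'groups' claim but signals overage ('hasgroups' or a
    '_claim_names' entry for groups): membership must then be fetched from
    Microsoft Graph rather than assumed to be empty.
    """
    groups = claims.get("groups")
    if groups is None:
        overage = (claims.get("hasgroups") is True
                   or "groups" in claims.get("_claim_names", {}))
        return set(), overage
    roles = set()
    for gid in groups:
        try:
            uuid.UUID(gid)  # ignore anything that is not an object id
        except (ValueError, TypeError, AttributeError):
            continue
        role = group_roles.get(gid.lower())
        if role:
            roles.add(role)
    return roles, False


def graph_group_name_url(group_id):
    """Microsoft Graph v1.0 URL that resolves one group id to its displayName."""
    gid = str(uuid.UUID(group_id))  # validate before placing it in the URL
    return f"https://graph.microsoft.com/v1.0/groups/{gid}?$select=displayName"
```

Fetching that URL requires an access token with Graph group-read permission; the name is for display only and should never be the key used for authorization decisions.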


You can get the AD group name through Token configuration. By default, it returns the Group ID, but you can change it to sAMAccountName.


Nan answered Sep 30 '22 21:09