I have an Azure Web Application with Azure Active Directory authentication (made with adal-angular).
In the application manifest I have set "groupMembershipClaims": "SecurityGroup".
The strange thing is that for some days, for just one user, it does not have the group claim in the AAD token with the list of group membership objectIds, but instead there's a property named hasgroups with value true.
Can I do something about it? For now I'm going to check if there's one property or the other and then call GraphAPI for direct group membership.
Nested groups in Azure AD are not supported within all scenarios. When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There is no limit when the policy is applied to all Microsoft 365 groups.
Group Claims automatically add the user to a group or remove the user from group memberships when the group claim in the SAML token contains a matching group in NetDocuments. Administrators only need to update group memberships in one place.
Azure AD Security Groups are analogous to Security Groups in on-prem Windows Active Directory. They are Security Principals, which means they can be used to secure objects in Azure AD. They can be created natively in Azure AD, or synced from Windows AD with Azure AD Connect.
Token types. Azure AD B2C supports the OAuth 2.0 and OpenID Connect protocols, which make use of tokens for authentication and secure access to resources. All tokens used in Azure AD B2C are JSON web tokens (JWTs) that contain assertions of information about the bearer and the subject of the token.
hasGroups=true is returned in the case where the user belongs to "too many groups". I don't know what the exact threshold is (20? 200?) but effectively what you need to do in your code is something along the lines of (pseudocode):
if (hasGroups)
    Call the Graph to inquire:
        Either about the full group membership OR
        About membership to a particular group
else
    Access groups directly from the token
Get all the groups a user belongs to:
https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
Inquire whether the user belongs to a specific group:
https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version
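The branch described in the answer above, as an added JavaScript example that is not part of the original answer or of adal-angular. The function names (decodeJwtPayload, groupSource, resolveGroups, makeSampleToken) and the lookupGroups callback are hypothetical, and the sample tokens are constructed and unsigned.

```javascript
// Added example; names are illustrative, not from adal-angular or a Graph SDK.

// Decode the payload segment of a JWT (base64url -> JSON). No signature check:
// use the result for UI decisions only; the API must validate the token itself.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Decide where group membership must come from for this token.
function groupSource(claims) {
  if (Array.isArray(claims.groups)) {
    return { source: 'token', groups: claims.groups };
  }
  // Overage marker: accept boolean true or the string "true" defensively.
  if (claims.hasgroups === true || claims.hasgroups === 'true') {
    return { source: 'graph', groups: null };
  }
  // Neither claim present: treat as no group memberships in the token.
  return { source: 'token', groups: [] };
}

// lookupGroups is a caller-supplied (hypothetical) async function that queries
// the directory for the user's group objectIds, e.g. via the memberOf endpoint.
async function resolveGroups(token, lookupGroups) {
  const claims = decodeJwtPayload(token);
  const decision = groupSource(claims);
  if (decision.source === 'token') return decision.groups;
  return lookupGroups(claims.oid); // oid = the user's object id claim
}

// Build a constructed, unsigned sample token for offline testing.
function makeSampleToken(payload) {
  const b64 = btoa(JSON.stringify(payload))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return 'e30.' + b64 + '.sig'; // placeholder header and signature
}
```

Group checks made in the browser this way only drive what the UI shows; the backend API still has to validate the token and resolve membership itself before authorizing anything.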