Azure AD show group name in id token instead of group id

Question

My id token has group (as role) ids only

"roles": [
    "729b24b5-c527-440e-9ef6-81a04415e7ba",
    "8d4f9343-10c3-43a2-9efe-34cfd740d020",
    "81715416-9be4-43d7-807a-d5ccc9420cf7",
    "1b5e6d7b-0ee0-4212-a5b9-cd5c3ca07a4a"
  ],

Even set to sAMAccountName

Any idea to return the group names instead?

Answer 1

This is relatively old, but there's answer to that.

You can translate your groups to names by adjusting your application manifest.

Go to your application manifest via Applications and SSO options, you should see there "Manifest option" it should return a JSON which you can modify.

The important bit is in the optionalClaims, you need to add to your groups.additionalProperties section cloud_displayname option like this:

...
    "optionalClaims": {
        "idToken": [
            {
                "name": "preferred_username",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "sam_account_name",
                    "emit_as_roles",
                    "cloud_displayname"
                ]
            }
        ],
...

Answer 2

If you are expecting group names in the claims of ID/Access/SAML token, unfortunately currently that is not supported due to some limitations. You would only have the object ids (guid) of the groups in the claim for AAD managed groups.

If you absolutely need group names for your purpose, consider a separate Graph API call to list group memberships of a user.

Also feel free to upvote on the feature request of group names in claims here.

Please refer to this similar question