@Akin Ajewole Based on your current configuration, the Group claim will be passed as a Role claim in the token. If you want to pass it as a group claim, you need to uncheck "Emit groups as role claims".
If you want to pass the Group claim as a Role but you are not getting all groups listed in the token, be informed that there is a limit of 150 groups for a SAML token, and 200 for a JWT. If a user is a member of more groups than this limit, that can lead to unpredictable results. I have seen the list of groups replaced with a Graph API link to query groups.
If that is also not the case, make sure you have the "onPremisesSamAccountName" attribute synced to Azure AD with the value of SamAccountName specified in your on-prem AD. To check this:
- Go to https://developer.microsoft.com/en-us/graph/graph-explorer and log in with your Global Admin account by clicking on the Sign-in with Microsoft button on the left.
- Use GET call >
https://graph.microsoft.com/beta/groups/Object_ID_of_the_Group
- In the response, make sure you see the appropriate value populated.
-----------------------------------------------------------------------------------------------------------
Please "Accept as answer" wherever the information provided helps you to help others in the community.
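
An added example, not part of the original answer: a Python check that inspects a token payload and reports whether groups arrived as `roles`, as `groups`, or were replaced by the Graph reference mentioned above. It assumes the `_claim_names` / `_claim_sources` overage layout Azure AD uses for JWTs; the sample tokens, IDs and endpoint are constructed, and the signature is not verified.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Build a constructed sample token; the signature part is a placeholder."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), "sig-placeholder"])

def decode_payload(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(part))

def group_claim_status(token):
    """Report how group membership is represented in the token."""
    claims = decode_payload(token)
    names = claims.get("_claim_names", {})
    if "groups" in names:
        # Overage: the group list was replaced by a reference to a Graph query.
        # A consumer reading only roles/groups would see no groups here.
        source = claims.get("_claim_sources", {}).get(names["groups"], {})
        return {"mode": "overage", "count": None, "endpoint": source.get("endpoint")}
    for claim in ("roles", "groups"):
        values = claims.get(claim)
        if values:
            return {"mode": claim, "count": len(values), "endpoint": None}
    return {"mode": "absent", "count": 0, "endpoint": None}

# Constructed sample tokens (placeholder IDs, not real tenant data).
AS_ROLES = make_unsigned_token({"sub": "user-1", "roles": ["GRP-Finance", "GRP-IT"]})
AS_GROUPS = make_unsigned_token(
    {"sub": "user-1", "groups": ["00000000-0000-0000-0000-000000000001"]})
OVERAGE = make_unsigned_token({
    "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {
        "endpoint": "https://graph.example.invalid/users/user-2/getMemberObjects"}},
})

if __name__ == "__main__":
    for label, tok in [("roles", AS_ROLES), ("groups", AS_GROUPS), ("overage", OVERAGE)]:
        print(label, group_claim_status(tok))
```

An application that makes authorization decisions from these claims should treat the `overage` and `absent` results as "membership unknown" rather than "no groups".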