Configure Entra ID for Client Credentials Flow Access Token to contain Groups claim

Bjorn Ahlstedt 20 Reputation points
2025-02-17T15:44:47.8466667+00:00

Hi,

I have been able to configure Microsoft Entra ID to emit the groups optional claim for the user login Auth Code flow, but am struggling to replicate this using the Client Credentials flow.

Setup:

  1. App Registration A (the sign-in Security Principal)
    1. configured with a Client Secret
    2. API permissions - to add App Registration B's custom Application Roles into the roles claim
  2. App Registration B (the target API that requires the groups claim)
    1. Custom App Roles configured as 'Application' to allow them to be assigned directly to a token (see 1b)
    2. Token configuration
      1. Groups claim - configured as Groups, to limit to those Groups that are only directly assigned
  3. Group C
    1. Added the Service Principal of App Registration A to this group as a direct member

My logic being that, since I am identifying in this flow as App Registration A, my group membership should be carried across when I am using the scope api://{app registration id B}/.default in the Access token request.

When this did not add it to the claim, I did add App Registration B as a direct member of Group C as well, but again this made no difference.

What configuration am I missing here?

[Edit]: Changing 2bi to Security seems to make this work as expected - so the piece that is missing, I am guessing, is "how to directly assign an App registration as a Service Principal to another App Registration to allow this to be returned in direct group claims?" If this is possible!?


Accepted answer
  1. Danstan Onyango 3,896 Reputation points Microsoft Employee
    2025-02-18T10:03:34.3933333+00:00

    As you have pointed out, the Group has to be a Security Group or a Distribution list for it to appear in the token's groups claim.

    Only groups (i.e. security groups, directory roles or distribution lists) will be in the groups claim, not application IDs.

    In your scenario,
    Best solution:

    • Have App B (Target API) look for custom roles in the token
    • Create custom roles on App B's registration
    • Assign the roles to a Security Group X (on App B's Service Principal)
    • Add App A to the Security Group X. As long as App A is a member of Security Group X, the roles assigned to that Group on App B will be in the token requested with scope api://{app registration id B}/.default

    Note that by just having App A in Security Group X, the token will have the group id for Security Group X because App A is a member (this does not depend on App B's relation to this Group).
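As an added example (not part of the question or the accepted answer above), the following Python shows what the two sides of this setup look like from the token's point of view: a constructed, unsigned sample of the app-only access token App A would receive for `api://{app registration id B}/.default`, a diagnostic decode that tells you whether the `roles` and `groups` claims are present at all, and the authorization check App B should make on the `roles` claim, as the answer recommends. All GUIDs, the tenant id and the role name `Reports.Read` are placeholders I made up; the payload shape (`aud`, `appid`/`azp`, `roles`, `groups`) follows the documented Entra access token claims. `inspect_claims` deliberately skips signature verification and is only for checking configuration; `authorize` must be fed claims that a proper JWT library has already validated against the tenant's signing keys.

```python
import base64
import json
from typing import Any

# Constructed placeholder identifiers (not taken from the page).
APP_A_ID = "00000000-0000-0000-0000-00000000000a"    # App Registration A (the caller)
APP_B_ID = "00000000-0000-0000-0000-00000000000b"    # App Registration B (the target API)
GROUP_X_ID = "11111111-1111-1111-1111-111111111111"  # Security Group X object id
APP_A_SP_OID = "22222222-2222-2222-2222-222222222222"  # object id of App A's service principal
EXPECTED_AUDIENCE = f"api://{APP_B_ID}"              # the resource App B validates tokens for


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(include_groups: bool = True, roles=("Reports.Read",)) -> str:
    """Build a constructed, UNSIGNED token shaped like an app-only access token.

    This exists only so the example runs offline; a real token from Entra is signed
    (RS256) and must never be accepted without signature validation.
    """
    header = {"alg": "none", "typ": "JWT"}  # placeholder header, not a real Entra token
    payload: dict[str, Any] = {
        "aud": EXPECTED_AUDIENCE,
        "iss": "https://login.microsoftonline.com/{tenant-id-placeholder}/v2.0",
        "appid": APP_A_ID,  # v1.0 tokens carry the caller's app id here ...
        "azp": APP_A_ID,    # ... v2.0 tokens carry it in azp
        "oid": APP_A_SP_OID,
        "roles": list(roles),  # app roles assigned to App A (directly or via Security Group X)
    }
    if include_groups:
        payload["groups"] = [GROUP_X_ID]  # present only when the groups claim is configured
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def inspect_claims(token: str) -> dict[str, Any]:
    """Decode the payload WITHOUT verifying the signature: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(claims: dict[str, Any]) -> list[str]:
    """Map missing claims back to the configuration checklist from the answer."""
    hints = []
    if "roles" not in claims:
        hints.append("roles claim missing: no app role on App B is assigned to App A's "
                     "service principal, directly or through Security Group X")
    if "groups" not in claims:
        if "_claim_names" in claims:
            # Entra omits the list and emits _claim_names/_claim_sources on group overage.
            hints.append("groups claim replaced by overage indicator: too many groups for the token")
        else:
            hints.append("groups claim missing: check that the group is a Security group, that App B's "
                         "groups claim is configured to emit security groups, and that App A's "
                         "service principal is a direct member")
    return hints


def authorize(claims: dict[str, Any], required_role: str,
              expected_audience: str = EXPECTED_AUDIENCE) -> bool:
    """The decision App B makes on VERIFIED claims: right audience and the required app role."""
    if claims.get("aud") != expected_audience:
        return False  # token was issued for a different resource
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        return False  # never trust a malformed claim shape
    return required_role in roles


if __name__ == "__main__":
    claims = inspect_claims(build_sample_token())
    print("groups:", claims.get("groups"), "roles:", claims.get("roles"))
    print("authorized:", authorize(claims, "Reports.Read"))
    print("hints:", diagnose(inspect_claims(build_sample_token(include_groups=False))))
```

Note that the authorization decision keys off `roles`, not `groups`: group object ids are tenant-specific and unreadable in code review, whereas an app role name such as `Reports.Read` is declared in App B's manifest and stays stable if the group behind it is replaced.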

