
I need my Azure AD to issue a claim with security group names. But only group object IDs come out in the JWT token.

How to get security group names?

What I did so far:

  1. Created a test security group and assigned a user to it. This is the only group for this user.

  2. Set the groupMembershipClaims to All (integer 7) as it is in this official document: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest

  3. Here is the relevant part of the application manifest:

     {
       ...
       "appRoles": [],
       "availableToOtherTenants": false,
       "displayName": "Azure AD B2C sandbox App ",
       "errorUrl": null,
       "groupMembershipClaims": "All",
       "optionalClaims": null,
       "acceptMappedClaims": null,
       ...

Michael Chudinov

3 Answers


You cannot get them in tokens. As you noticed, you only get the ids. Usually this is good, since the id cannot be changed, unlike the name which can change.

If you want to do authorization based on groups, you can set the ids in a configuration file and then check with the id.

If you want the names for some other purpose, you'll need query the groups from Microsoft Graph API. You can find the API documentation here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/groups-overview

juunas
  • Thank you. In our case this is not good. Yes, we do authorization based on group membership, and the name is the ONLY group property in Azure AD/on-premises AD that can be customized. We work in a multi-tenant environment with multiple IdPs, and group names should be the same in different AD tenants. Otherwise how can we authorize users based on groups? Only names are available. Keeping and updating the list of all possible security group IDs is technologically and organizationally very complicated for different IdPs/ADs/organisations. – Michael Chudinov Sep 28 '18 at 12:55
  • Sounds like you have roles which you want customers' admins to be able to set? You should consider adding user roles to your app: https://joonasw.net/view/defining-permissions-and-roles-in-aad. These can then be assigned by a tenant admin, and you'll know what the values in the token will be. – juunas Sep 28 '18 at 18:23
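The ID-based check this answer recommends, as an added example that is not part of the original answer or of any Microsoft library. It assumes the JWT middleware has already validated signature, issuer, audience and expiry, keys the configured group object IDs by tenant (the `tid` claim) so each customer tenant can map its own groups onto the app's roles, and fails closed when Azure AD has replaced the `groups` claim by the overage markers (`_claim_names`/`_claim_sources`, or `hasgroups: true` in implicit-flow tokens) because the user belongs to more groups than a token can carry. All tenant and group IDs are constructed placeholders.

```python
"""Authorization from the Azure AD `groups` claim using configured group object IDs.

Added example, not code from the question or any answer. It assumes the JWT
middleware has already validated signature, issuer, audience and expiry, so
`claims` is the trusted payload. All tenant and group object IDs are
constructed placeholders.
"""
from typing import Dict, List, Mapping, Set

# Constructed configuration: per tenant (the token's `tid` claim), which group
# object IDs grant which application role. Keying by tenant lets every customer
# tenant map its own groups onto the app's roles without relying on group names.
ROLE_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "11111111-1111-1111-1111-111111111111": {  # tenant A (constructed)
        "admin": {"aaaaaaaa-0000-0000-0000-000000000001"},
        "editor": {"aaaaaaaa-0000-0000-0000-000000000002"},
    },
    "22222222-2222-2222-2222-222222222222": {  # tenant B (constructed)
        "admin": {"bbbbbbbb-0000-0000-0000-000000000001"},
    },
}


class GroupsOverageError(Exception):
    """The token carries no usable groups list; membership must be read from Microsoft Graph."""


def needs_graph_lookup(claims: Mapping) -> bool:
    """True when Azure AD left the `groups` claim out because the user is in too many groups.

    In that case the token carries `_claim_names`/`_claim_sources` pointing at
    a Graph endpoint, or `hasgroups: true` for implicit-flow tokens.
    """
    if "groups" in claims:
        return False
    claim_names = claims.get("_claim_names") or {}
    return claims.get("hasgroups") is True or "groups" in claim_names


def groups_from_claims(claims: Mapping) -> List[str]:
    """Return the group object IDs from the claims, failing closed on overage."""
    if needs_graph_lookup(claims):
        raise GroupsOverageError("groups overage: resolve membership via Microsoft Graph")
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim must be a list of strings")
    return groups


def roles_for(claims: Mapping) -> Set[str]:
    """Roles granted to the caller in its own tenant; IDs from another tenant never match."""
    tenant = claims.get("tid")
    if not isinstance(tenant, str) or not tenant:
        raise ValueError("token has no tid claim")
    mapping = ROLE_GROUPS.get(tenant, {})
    member_of = set(groups_from_claims(claims))
    return {role for role, group_ids in mapping.items() if member_of & group_ids}


def is_authorized(claims: Mapping, required_role: str) -> bool:
    """Single-role check suitable for a request filter or decorator."""
    return required_role in roles_for(claims)
```

Treating an overage token as "no groups" would silently deny a highly privileged user or, if the code defaulted to a role, silently grant one; raising forces the caller to take the Graph path explicitly.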

You can get the AD group name through Token configuration. By default it returns the Group ID, but you can change it to sAMAccountName.


Nan

You cannot receive group display names inside your id_token.

But you can query group properties, like the group display name, from another API, in this case the MS Graph API.

Here is what I did to query group display names from the MS Graph API.

Thanks

using System;
using System.Collections.Generic;
using System.Net.Http;
using IdentityModel.Client;   // ClientCredentialsTokenRequest, RequestClientCredentialsTokenAsync, SetBearerToken
using Newtonsoft.Json;

// Assumed members of the enclosing class (not shown in the original post):
//   HttpClient _httpClient; and a Configuration object exposing ClientID, ClientSecret, TokenEndpoint and TenantID.

/// <summary>
/// Translate group.Id list received on id_token into group.DisplayName list
/// </summary>
/// <param name="groupIdList">Group object IDs taken from the token's groups claim</param>
/// <returns>Display names in the same order as the input IDs</returns>
public override List<string> TranslateGroupNames(List<string> groupIdList)
{
    // validations
    if (groupIdList == null || groupIdList.Count == 0)
        return groupIdList;

    if (string.IsNullOrEmpty(Configuration.ClientID))
        throw new InvalidOperationException("A configuração 'ClientID' não pode ser vazia.");

    if (string.IsNullOrEmpty(Configuration.ClientSecret))
        throw new InvalidOperationException("A configuração 'ClientSecret' não pode ser vazia.");

    if (string.IsNullOrEmpty(Configuration.TokenEndpoint))
        throw new InvalidOperationException("A configuração 'TokenEndpoint' não pode ser vazia.");

    if (string.IsNullOrEmpty(Configuration.TenantID))
        throw new InvalidOperationException("A configuração 'TenantID' não pode ser vazia.");

    // acquire a brand new access_token via client_credentials, specifically for the MS Graph API
    // (this is the app's own token, not the user's id_token; it needs a Graph group-read permission)
    var clientCredentialsRequest = new ClientCredentialsTokenRequest();
    clientCredentialsRequest.Address = Configuration.TokenEndpoint;
    clientCredentialsRequest.ClientId = Configuration.ClientID;
    clientCredentialsRequest.Scope = "https://graph.microsoft.com/.default";
    clientCredentialsRequest.ClientSecret = Configuration.ClientSecret;

    // .Result blocks the calling thread; the original author used it because the method is synchronous
    var accessTokenResponse = _httpClient.RequestClientCredentialsTokenAsync(clientCredentialsRequest).Result;
    if (accessTokenResponse.IsError)
        throw new InvalidOperationException($"Falha ao recuperar AcessToken. {accessTokenResponse.Error}: {accessTokenResponse.ErrorDescription}");

    // set access_token on httpclient
    _httpClient.SetBearerToken(accessTokenResponse.AccessToken);

    var result = new List<string>(groupIdList.Count);

    // query ms graph api to recover group info (one request per group id)
    foreach (var groupId in groupIdList)
    {
        var url = $"https://graph.microsoft.com/v1.0/{Configuration.TenantID}/groups/{groupId}";
        var groupResponse = _httpClient.GetAsync(url).Result;
        if (!groupResponse.IsSuccessStatusCode)
            throw new InvalidOperationException($"Falha ao recuperar grupo. {groupResponse.ReasonPhrase}");

        var jsonString = groupResponse.Content.ReadAsStringAsync().Result;
        var group = JsonConvert.DeserializeObject<dynamic>(jsonString);
        if (group?.displayName?.Value == null)
            throw new InvalidOperationException("Grupo inválido");

        // get group display name
        result.Add(group.displayName.Value);
    }

    return result;
}
João Paulo Melo
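The same ID-to-name resolution as an added example in Python; it is not the answer's C# code and not SDK code. Instead of one GET per group it uses the Graph action POST https://graph.microsoft.com/v1.0/directoryObjects/getByIds (request body {"ids": [...], "types": ["group"]}, at most 1000 IDs per call), so a token with many groups costs one request per batch, and an ID Graph does not return (for instance a deleted group) is left out of the result instead of failing the whole lookup. The HTTP transport is injected as the `post` callable; `fake_graph_post` and the directory entries it serves are constructed stand-ins so the example runs offline, and the access token is assumed to have been obtained separately (client credentials, as in the C# above).

```python
"""Resolve group object IDs from a token to display names through Microsoft Graph.

Added example; it is not the answer's C# code nor any SDK code. It calls the
Graph action POST https://graph.microsoft.com/v1.0/directoryObjects/getByIds
(body {"ids": [...], "types": ["group"]}, at most 1000 IDs per call).
`post` is an injected transport; `fake_graph_post` is a constructed stand-in.
"""
import json
from typing import Callable, Dict, Iterable, List, Mapping

GRAPH_GET_BY_IDS = "https://graph.microsoft.com/v1.0/directoryObjects/getByIds"
BATCH_SIZE = 1000  # documented getByIds limit

# (url, headers, body) -> parsed JSON response
PostFn = Callable[[str, Dict[str, str], bytes], Mapping]


def resolve_group_names(group_ids: Iterable[str], access_token: str, post: PostFn) -> Dict[str, str]:
    """Map each group object ID to its displayName; IDs Graph does not return are omitted."""
    ids = list(dict.fromkeys(group_ids))  # de-duplicate, keep order
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    names: Dict[str, str] = {}
    for start in range(0, len(ids), BATCH_SIZE):
        chunk = ids[start:start + BATCH_SIZE]
        body = json.dumps({"ids": chunk, "types": ["group"]}).encode()
        response = post(GRAPH_GET_BY_IDS, headers, body)
        for obj in response.get("value", []):
            # Re-check the object type: `types` already filters server-side, but
            # a misconfigured call must not let a user or device object be
            # mistaken for a group and its name feed an authorization decision.
            if obj.get("@odata.type") != "#microsoft.graph.group":
                continue
            oid, name = obj.get("id"), obj.get("displayName")
            if isinstance(oid, str) and isinstance(name, str):
                names[oid] = name
    return names


# Constructed directory contents for the offline stand-in (not real objects).
_FAKE_DIRECTORY = {
    "aaaaaaaa-0000-0000-0000-000000000001": ("#microsoft.graph.group", "App Admins"),
    "aaaaaaaa-0000-0000-0000-000000000002": ("#microsoft.graph.group", "Editors"),
    "cccccccc-0000-0000-0000-000000000009": ("#microsoft.graph.user", "Not A Group"),
}


def fake_graph_post(url: str, headers: Dict[str, str], body: bytes) -> Mapping:
    """Stand-in for the HTTP call. Unlike real Graph it ignores `types`,
    which exercises the type re-check in resolve_group_names."""
    if url != GRAPH_GET_BY_IDS or not headers.get("Authorization", "").startswith("Bearer "):
        raise RuntimeError("unexpected request")
    request = json.loads(body)
    found: List[dict] = []
    for oid in request["ids"]:
        if oid in _FAKE_DIRECTORY:
            odata_type, name = _FAKE_DIRECTORY[oid]
            found.append({"@odata.type": odata_type, "id": oid, "displayName": name})
    return {"value": found}


if __name__ == "__main__":
    print(resolve_group_names(["aaaaaaaa-0000-0000-0000-000000000001"],
                              "<access token>", fake_graph_post))
```

Because the result is a dict rather than a positional list, a caller can tell "group no longer exists" apart from "lookup failed", which matters when the names are about to drive an authorization decision.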