Adding a Groups Claim to a Service Principal via Azure CLI

Question

It is obvious how to create a Service Principal (App Registration) via Azure CLI:

az ad sp create-for-rbac -n "My Service Principal" --scopes /subscriptions/the-subscription-guid

From the Azure Portal, you can add a Claims Group to the generated service principal, as such:

How can I add this via the Azure CLI at the time of creation of principal or after creating it? I did not find the documentation to do so.

Well according to this [docs](https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest) their is no way to ad group claims using azure cli . So as far as I know only the portal path to assigning group claims exists. — Mohit Ganorkar, Jan 29 '23 at 19:47

score 1 · Accepted Answer · answered Jan 31 '23 at 10:53

For a service principal, you can add an optional claim and group claims as follows:

Using command:

az ad app create --display-name "xxx" --optional-claims @manifest.json

Output:

enter image description here

Group Claim:

myjson file:

{
"groupMembershipClaims": "SecurityGroup",
"optionalClaims": {
"saml2Token": [
{
"name": "groups",
"essential": false,
"additionalProperties": []
]
}
],
"idToken": [
{
"name": "groups",
"essential": false
}
]
}
}

Use below Az CLI command:

az ad app update --id "<AppID>" --set groupMembershipClaims=All

Refer MsDoc

Adding a Groups Claim to a Service Principal via Azure CLI

1 Answers1