To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim that signals to the application that it must query the Graph API to retrieve the user's group membership.
Conceptually, this is similar to Active Directory's capability of including token groups in Kerberos tickets, which lets a file server application allow users to share access to files with AD security groups. See the new groups claim sample published in the Azure AD samples GitHub repo: https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet. Read this deep dive post to learn how you can implement the groups claim for your app: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Further, we have integrated application roles with the Azure AD common consent framework. The Azure AD consent framework already enables web and mobile applications to request OAuth2Permissions to web APIs (e.g. Office 365 APIs). Now, Azure AD also allows web applications and web APIs that act as clients to request that application roles of resource applications be assigned to them.
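The two authorization signals described above, the groups claim with its overage fallback (first paragraph) and the application roles claim (this paragraph), can be consumed together in one claims check. The Python below is an added example, not code from this post or from the linked samples. It assumes the token has already been signature-verified and decoded into a dict; the claim names `groups`, `roles`, `oid`, `_claim_names` and `_claim_sources` are the ones Azure AD emits, while every token and the Graph lookup are constructed stand-ins so the module runs offline.

```python
"""Claims-based authorization for an Azure AD token: honours an application
roles claim and resolves group membership through Graph when the groups
claim has been replaced by an overage claim. Added example; all tokens and
the Graph lookup are constructed stand-ins."""
from typing import Callable, Dict, Iterable, List

# Overage limit quoted in the post for JWT tokens (SAML tokens use 150).
JWT_GROUP_OVERAGE_LIMIT = 200

# Resolver signature: user object id -> list of group object ids.
GroupResolver = Callable[[str], List[str]]


def groups_from_token(claims: Dict, resolve_via_graph: GroupResolver) -> List[str]:
    """Return the user's group object ids, handling the overage claim.

    Below the limit the token carries 'groups' directly. Above it Azure AD
    omits 'groups' and sets '_claim_names': {'groups': '<key>'} plus
    '_claim_sources': {'<key>': {'endpoint': ...}}, which tells the app to
    fetch membership from the Graph API. The lookup is keyed on the token's
    own (signature-verified) 'oid' rather than on the endpoint URL carried in
    the claim, so the app never follows a URL it did not construct itself.
    """
    if "groups" in claims:
        return list(claims["groups"])
    claim_names = claims.get("_claim_names", {})
    if "groups" not in claim_names:
        # No groups claim and no overage marker: the user is in no groups
        # (or the app was not configured for the claim). Treat as empty.
        return []
    source_key = claim_names["groups"]
    source = claims.get("_claim_sources", {}).get(source_key, {})
    if "endpoint" not in source:
        raise ValueError("overage claim present without a claim source endpoint")
    return resolve_via_graph(claims["oid"])


def is_authorized(claims: Dict, allowed_groups: Iterable[str],
                  allowed_roles: Iterable[str],
                  resolve_via_graph: GroupResolver) -> bool:
    """Allow if the token carries a permitted application role; otherwise
    fall back to group membership (resolved through Graph on overage)."""
    if set(claims.get("roles", [])) & set(allowed_roles):
        return True
    groups = set(groups_from_token(claims, resolve_via_graph))
    return bool(groups & set(allowed_groups))


# --- constructed data (no real tenants, users or groups) --------------------
# Stand-in for the Graph API membership call; user-oid-2 is over the limit.
GRAPH_MEMBERSHIP = {
    "user-oid-2": [f"g-{i}" for i in range(1, JWT_GROUP_OVERAGE_LIMIT + 5)],
}


def fake_graph_lookup(user_oid: str) -> List[str]:
    return list(GRAPH_MEMBERSHIP.get(user_oid, []))


TOKEN_NORMAL = {"oid": "user-oid-1", "groups": ["g-1", "g-2"]}
TOKEN_OVERAGE = {  # shape Azure AD uses when the groups claim is dropped
    "oid": "user-oid-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.test/users/user-oid-2/getMemberObjects"}},
}
TOKEN_ROLES = {"oid": "user-oid-3", "roles": ["Admin"]}
TOKEN_BAD_OVERAGE = {"oid": "user-oid-4", "_claim_names": {"groups": "src1"}}  # malformed

if __name__ == "__main__":
    print(is_authorized(TOKEN_OVERAGE, {"g-201"}, set(), fake_graph_lookup))  # True
    print(is_authorized(TOKEN_NORMAL, {"g-999"}, set(), fake_graph_lookup))   # False
```

The design point worth keeping when you adapt this: a missing `groups` claim is not proof the user is in no groups, so the code distinguishes "claim absent" from "claim replaced by overage" and fails closed (raises) when the overage marker is malformed rather than silently granting or denying.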
See the new application roles sample published in the Azure AD samples GitHub repo: https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet. Read this deep dive post to learn how you can implement application roles for your app: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-usi... I hope you'll find these new features useful for building applications! And as always, we'd love to receive any feedback or suggestions you have. Best Regards, Alex Simons (Twitter: @Alex_A_Simons) Director of Program Management, Microsoft Identity and Security Systems Division