Move even more apps to Azure AD: Public preview of group claims!
Published Apr 24 2019 09:00 AM

Howdy folks,

 

I’m excited to announce the public preview of group claims in SAML and OIDC/OAuth tokens issued by Azure Active Directory (Azure AD). This feature is designed to let you move applications that depend on group claims from Active Directory Federation Services (AD FS) or another identity provider to Azure AD.

 

Some applications expect to receive a user’s group membership information as claims in the token. When the groups come from Windows Active Directory Domain Services, these claims typically carry the group’s on-premises sAMAccountName or its on-premises security identifier (SID). These attributes were introduced to support applications and clients in earlier versions of Windows and are still in use today. By configuring Azure AD to emit the same group details in claims that the application previously received, you can move the application to work directly with Azure AD and take advantage of the identity-based security capabilities Azure AD offers.

 

As part of this release, group claim configuration is now part of the Enterprise Applications single sign-on (SSO) configuration in the Azure portal for SAML applications. This allows you to easily configure options for the format of these claims and to customize the SAML attribute names for group data.

 

To configure an application to receive group claims from on-premises groups:

 

  1. If you want to use on-premises group names or SIDs, make sure you are running the latest version of Azure AD Connect to synchronize Windows Active Directory with Azure AD. Support for synchronizing the on-premises group attributes required for these claims was added in version 1.2.70 (December 2018).
  2. In the Azure portal, signed in with a role capable of managing applications, go to the Azure Active Directory > Enterprise applications blade, and then select the application that you wish to configure for group claims.
  3. Click Single sign-on and then User Attributes and Claims.
  4. Next to Groups returned in token, select Edit.

Public preview of group claims 1.png

 

Public preview of group claims 2.png

 

You can specify the groups that will be included in the token, the format that will be used, and you can customize the SAML attribute name for the group claims.

 

While OIDC/OAuth applications use this functionality less often, it’s also available to them through the application manifest in App registrations: the groupMembershipClaims attribute selects which groups are emitted, and optionalClaims controls the group name format.
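
As an added example (not code from the post or from Microsoft), here is the OIDC/OAuth configuration expressed as the manifest fragment and the Microsoft Graph request that applies it to the application object. The groupMembershipClaims and optionalClaims attributes are the documented manifest keys; the helper names, the validation rules and the placeholder application object ID are assumptions of mine, and the request is built but never sent:

```python
"""Manifest settings that turn on group claims for an OIDC/OAuth app
registration (added example; not code from the post or from Microsoft).

groupMembershipClaims and optionalClaims are the documented manifest
attributes; the helper names, the validation and the placeholder object
ID are my own. The on-premises name formats only work for groups synced
by Azure AD Connect 1.2.70 or later, as the post says.
"""
import json

# Which groups go into the token (manifest attribute groupMembershipClaims).
# "All" adds distribution groups and directory roles to security groups.
GROUP_SCOPES = ("None", "SecurityGroup", "All")

# How each group is named. The default is the group object ID; these switch
# to on-premises names via optionalClaims[...].additionalProperties.
ON_PREM_NAME_FORMATS = (
    "sam_account_name",
    "dns_domain_and_sam_account_name",
    "netbios_domain_and_sam_account_name",
)


def group_claims_manifest(scope="SecurityGroup", name_format=None,
                          emit_as_roles=False, tokens=("idToken", "accessToken")):
    """Return the manifest fragment to merge into the app registration.

    tokens may also include "saml2Token" for a SAML app.
    """
    if scope not in GROUP_SCOPES:
        raise ValueError(f"groupMembershipClaims must be one of {GROUP_SCOPES}")
    if name_format is not None and name_format not in ON_PREM_NAME_FORMATS:
        raise ValueError(f"unknown group name format {name_format!r}")
    manifest = {"groupMembershipClaims": scope}
    props = []
    if name_format:
        props.append(name_format)
    if emit_as_roles:  # the app then reads the "roles" claim instead of "groups"
        props.append("emit_as_roles")
    if props:
        manifest["optionalClaims"] = {
            t: [{"name": "groups", "source": None, "essential": False,
                 "additionalProperties": list(props)}]
            for t in tokens
        }
    return manifest


def graph_patch_request(app_object_id, manifest):
    """Shape the Microsoft Graph call that applies the fragment to the
    application object (the portal's manifest editor does the same thing).
    Returned, not sent: add an Authorization header carrying a token with
    Application.ReadWrite.All or equivalent rights before sending it."""
    return {
        "method": "PATCH",
        "url": f"https://graph.microsoft.com/v1.0/applications/{app_object_id}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(manifest, indent=2),
    }


if __name__ == "__main__":
    # Placeholder object ID (constructed), not a real application.
    fragment = group_claims_manifest("SecurityGroup", "sam_account_name", emit_as_roles=True)
    print(graph_patch_request("00000000-0000-0000-0000-000000000000", fragment)["body"])
```

Keep the scope as narrow as the app needs: "All" pulls in directory roles and distribution lists, which both inflates the token and makes hitting the group-overage limit more likely.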

 

Our documentation for integrating an application that requires group claims with Azure AD covers both SAML and OIDC/OAuth.

 

Let us know what you think in the comments below. We’re always keen to hear any feedback or suggestions you have.

 

Best regards,

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

8 Comments
Brass Contributor

Wow, this is cool. Is there a way to do something like the following with Azure AD, so groups that start with CA_ are passed?

 

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)CA_"]
=> issue(claim = c);

 

The RP was too lazy to fix their code in this case, so we had to do this; this is holding us up from moving our last AD FS-based RP.

thanks

 

 

 

Microsoft

@Tony Roth We're working on further enhancements to this, and in particular the ability to scope the set of groups included in the token to those the app is interested in. We'll likely use direct assignment rather than string matching. No ETA yet, but watch this space!

Brass Contributor

Sounds good thanks for the response.

Brass Contributor

I had the problem with the maximum group limit emitted in the token (150 groups, I believe), and then the token consists of a link pointing to MS Graph.

The remote SP can't resolve this link and then the claim fails to work.

How can I mitigate this?
How can I emit more groups in the token?

My workaround for this problem was to create custom ApplicationRoles inside my custom Enterprise Application and assign them to my synced AD groups.

 

 

Copper Contributor

Great to see the SAML/OAuth/OIDC features of Azure AD evolving! Good job!

I appreciate that it is easy to configure, which is important for 99% of admins. Nevertheless, I hope to see more sophisticated claim configuration capabilities using script/config like we have in AD FS.

BTW: Is there a UserVoice for similar feature requests (e.g. custom issuer ID, ...)? Can you please point me to it?

 

Iron Contributor

Micki: In that scenario you need to make additional query to get the groups via MS Graph as described here.

Brass Contributor

@Deleted I have the same question Micki has; doesn't the RP have to support this?

Copper Contributor

@paulgarn & @Deleted Any updates on when the ability to select specific groups to provide to the application will be available? Like other commenters, we're having issues with customers who have a ton of groups assigned to individual users, and it is exceeding the 150/200 group limits.
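
Tony Roth's prefix rule and the group-overage problem that Micki and the later commenters describe both land on the relying-party side. The following is an added example, not code from the post or from any commenter, showing how an RP can read the group claims out of a verified JWT payload or SAML assertion, detect the overage marker (_claim_names/_claim_sources or hasgroups in a JWT, the groups.link attribute in SAML) and fall back to a Microsoft Graph lookup, and apply the same (?i)CA_ regex the AD FS rule used. The claim and attribute names are Azure AD's defaults; the sample tokens, GUIDs and the Graph lookup callback are constructed. Signature, issuer and audience validation are assumed to have been done by the SAML/OIDC library before these functions run:

```python
"""Relying-party handling of Azure AD group claims (added example; not code
from the post, from Microsoft or from any commenter).

Assumes the SAML/OIDC library has ALREADY verified signature, issuer and
audience; these functions only inspect claims. Claim/attribute names are
Azure AD defaults; all tokens below are constructed samples, not real.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAML_GROUPS_LINK_ATTR = "http://schemas.microsoft.com/claims/groups.link"


@dataclass
class GroupClaims:
    groups: List[str] = field(default_factory=list)
    overage: bool = False                 # user exceeded the limit (150 SAML / 200 JWT)
    graph_endpoint: Optional[str] = None  # where the token says to fetch the full list


def groups_from_jwt_claims(claims: dict) -> GroupClaims:
    """Read groups from a decoded, already-verified JWT payload."""
    result = GroupClaims(groups=list(claims.get("groups", [])))
    src_name = claims.get("_claim_names", {}).get("groups")
    if src_name is not None:
        # Overage: Azure AD replaces the list with a pointer to a Graph endpoint.
        source = claims.get("_claim_sources", {}).get(src_name, {})
        result.overage = True
        result.graph_endpoint = source.get("endpoint")
    elif claims.get("hasgroups"):
        # Implicit-flow overage marker: no endpoint in the token, query Graph yourself.
        result.overage = True
    return result


def groups_from_saml_assertion(assertion_xml: str) -> GroupClaims:
    """Read groups from a SAML 2.0 assertion whose signature was already checked."""
    root = ET.fromstring(assertion_xml)
    result = GroupClaims()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if attr.get("Name") == SAML_GROUPS_ATTR:
            result.groups.extend(values)
        elif attr.get("Name") == SAML_GROUPS_LINK_ATTR:  # overage: link instead of groups
            result.overage = True
            result.graph_endpoint = values[0] if values else None
    return result


def filter_groups(groups: List[str], pattern: str = r"(?i)CA_") -> List[str]:
    """RP-side equivalent of the AD FS rule  Value =~ "(?i)CA_" => issue(claim = c).
    Same unanchored regex, so a domain-qualified "CONTOSO\\CA_Admins" matches too."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.search(g)]


def effective_groups(gc: GroupClaims, lookup_from_graph=None) -> List[str]:
    """Groups to authorize on. On overage the caller must pass a function that
    queries Microsoft Graph (e.g. getMemberGroups); the token alone is not enough,
    which is exactly the failure the thread describes."""
    if not gc.overage:
        return filter_groups(gc.groups)
    if lookup_from_graph is None:
        raise RuntimeError(f"group overage; fetch groups from Graph ({gc.graph_endpoint})")
    return filter_groups(lookup_from_graph(gc.graph_endpoint))


# ---- constructed sample tokens (placeholder GUIDs, not real tenants/users) ----
SAMPLE_JWT_CLAIMS = {
    "aud": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "groups": ["CA_Admins", "ca_Users", "Finance"],
}
SAMPLE_JWT_OVERAGE = {
    "aud": "11111111-1111-1111-1111-111111111111",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/33333333-3333-3333-3333-333333333333/users/22222222-2222-2222-2222-222222222222/getMemberObjects"}},
}
SAMPLE_SAML = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>CONTOSO\CA_Admins</saml:AttributeValue>
      <saml:AttributeValue>CONTOSO\Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_SAML_OVERAGE = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/33333333-3333-3333-3333-333333333333/users/22222222-2222-2222-2222-222222222222/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Two points the thread raises follow directly from this: an SP that only reads the groups attribute silently sees no groups when the user is over the limit, so check for the overage marker explicitly and fail closed; and the Graph lookup needs its own permission and token, which is why the earlier reply said the RP has to support it.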

Version history
Last update:
‎Aug 19 2021 04:21 PM