Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Azure AD Stopped returning group claims

Copper Contributor

Has anyone had odd AzureAD issues recently? A web app at one of my clients began to fail yesterday (about 9:30AM EST) and we determined that the token coming back from authentication was no longer including group claims. So users could authenticate, but were no longer getting access to any protected features. I pointed the code at two different Azure AD instances (3 in total each in their own tenant & subscription) - two experienced the issue, one did not. None of the 3 had undergone any configuration changes lately. Then about 4:00 yesterday one of the 2 broken environments mysteriously corrected itself. So I currently have 2 working AzureAD instances, and one broken instance. Within the broken instance, I've created a new app registration and even granted full permissions, neither change affected the behavior there. I'm looking for the root cause, and I'd like to rule out the prospect of some deprecated feature being used in the app that is going to blow up again at some point.

2 Replies

Sounds like a change they made on AAD side. But I haven't seen any announcements around this. Oh well, the joys of using the cloud. Open a support case to get an "official" answer.

best response confirmed by VI_Migration (Silver Contributor)
Solution

Update: I found the root cause. Tracing through the timeline here's what I found. 

 

The two broken environments had a new Reply Url added. You wouldn't think that would affect anything, but it does - in the manifest, it resets groupMembershipClaims from All back to null. For the record, generating a new key also sets this value back to null. 

 

The other gotcha is that once you have this setting changed back to All, you need to sign in again to get the new token values. That means completely closing the browser or waiting for the token to expire. I'm pretty sure we corrected the issue a few times, but didn't force a reauthentication. 

 

Hopefully this helps somebody else.

1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

Update: I found the root cause. Tracing through the timeline here's what I found. 

 

The two broken environments had a new Reply Url added. You wouldn't think that would affect anything, but it does - in the manifest, it resets groupMembershipClaims from All back to null. For the record, generating a new key also sets this value back to null. 

 

The other gotcha is that once you have this setting changed back to All, you need to sign in again to get the new token values. That means completely closing the browser or waiting for the token to expire. I'm pretty sure we corrected the issue a few times, but didn't force a reauthentication. 

 

Hopefully this helps somebody else.

View solution in original post