Move even more apps to Azure AD: Public preview of group claims!

Published 04-24-2019 09:00 AM 9,042 Views

Howdy folks,


I’m excited to announce the public preview of group claims in SAML and OIDC/OAuth tokens issued by Azure Active Directory (Azure AD). This feature is designed to allow you to move applications from Active Directory Federation Services (AD FS) or another identity provider to Azure AD.


Some applications expect to receive a user’s group membership information as claims in the token. When using groups from Windows Active Directory Domain Services, these claims typically use the group’s sAMAccountName from the on-premises Active Directory or the group’s on-premises group security identifier (SID). These attributes were used to support applications and clients in previous versions of Windows and are still in use today. By configuring Azure AD to emit the same group details in claims as the application previously received, you can move the application to work directly with Azure AD and take advantage of the identity-based security capabilities that Azure AD offers.


As part of this release, group claim configuration is now part of the Enterprise Applications single sign-on (SSO) configuration in the Azure portal for SAML applications. This allows you to easily configure options for the format of these claims and to customize the SAML attribute names for group data.


To configure an application to receive group claims from on-premises groups:


  1. If you want to use on-premises group names or SIDs, be sure you are running the latest version of AD Connect to synchronize Windows Active Directory with Azure AD. Support for synchronizing the on-premises group attributes required for these claims was added in version 1.2.70 (December 2018).
  2. In the Azure portal, signed in with a role capable of managing applications, go to the Azure Active Directory > Enterprise applications blade, and then select the application that you wish to configure for group claims.
  3. Click Single sign-on and then User Attributes and Claims.
  4. Next to Groups returned in token, select the Edit

Public preview of group claims 1.png


Public preview of group claims 2.png


You can specify the groups that will be included in the token, the format that will be used, and you can customize the SAML attribute name for the group claims.


While OIDC/OAuth applications less commonly use this functionality, it’s also available in the application manifest in the Application Registration.


Our documentation for integrating an application that requires group claims with Azure AD covers both SAML and OIDC/OAuth.


Let us know what you think in the comments below. We’re always keen to hear any feedback or suggestions you have.


Best regards,


Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

Occasional Contributor

Wow this is cool,  is there a way to do something like the following with azure ad.  So groups that start with CA_ are passed.


c:[Type == "", Value =~ "(?i)CA_"]
=> issue(claim = c);


The rp was too lazy to fix their code in this case so we had to do this, this is holding us up from moving our last adfs based rp.






@Tony Roth We're working on further enhancements to this, and in particular the ability to scope the set of groups included in the token to those the app is interested in.  We'll likely use direct assignment rather than string matching.  No ETA yet, but watch this space !

Occasional Contributor

Sounds good thanks for the response.

New Contributor

I had the problem with the maximum group limit emitted in the token (150 groups i believe), and then the token consists of a link pointing to MS Graph.

The remote SP can't resolve this link and then the claim fails to work.

How can i mittigate this?
How can i emit more groups in the token?

My workarround to this problem was by creating custom ApplicationRoles inside my custom Enterprise Application, and assigning them to my sync'ed AD groups.



Senior Member

Great to see the SAML/OAuth/OIDC features of Azure AD evolving! Good job!

I appreciate that it is easy to configure - which is important for 99% of admins. Nevertheless hope to see more sophisticated claim configuration capabilites using script/config like we have in ADFS.

BTW: Is there a uservoice for similar feature requests (e.g. custom issuer ID, ...)? Can you please point me towards.



Micki: In that scenario you need to make additional query to get the groups via MS Graph as described here.

Occasional Contributor

@Deleted  I have the same question Micki has, doesn't the rp have to support this?

Occasional Visitor

@paulgarn& @Deleted Any updates on when the ability to select specific groups to provide to the application will be available? Like other commenters, we're having issues with customers who have a ton of groups assigned to individual users and it is exceeding the 150/200 group limits.

Version history
Last update:
‎Jul 27 2020 06:47 PM
Updated by: