SOLVED

Azure AD Stopped returning group claims

Ryan Miller
New Contributor

Has anyone had odd Azure AD issues recently? A web app at one of my clients began to fail yesterday (about 9:30 AM EST), and we determined that the token coming back from authentication was no longer including group claims. So users could authenticate, but were no longer getting access to any protected features. I pointed the code at two different Azure AD instances (3 in total, each in their own tenant & subscription) - two experienced the issue, one did not. None of the 3 had undergone any configuration changes lately. Then about 4:00 yesterday one of the 2 broken environments mysteriously corrected itself. So I currently have 2 working Azure AD instances, and one broken instance. Within the broken instance, I've created a new app registration and even granted full permissions; neither change affected the behavior there. I'm looking for the root cause, and I'd like to rule out the prospect of some deprecated feature being used in the app that is going to blow up again at some point.

2 Replies

Sounds like a change they made on AAD side. But I haven't seen any announcements around this. Oh well, the joys of using the cloud. Open a support case to get an "official" answer.

Solution

Update: I found the root cause. Tracing through the timeline, here's what I found.

The two broken environments had a new Reply URL added. You wouldn't think that would affect anything, but it does - in the manifest, it resets groupMembershipClaims from All back to null. For the record, generating a new key also sets this value back to null.

The other gotcha is that once you have this setting changed back to All, you need to sign in again to get the new token values. That means completely closing the browser or waiting for the token to expire. I'm pretty sure we corrected the issue a few times, but didn't force a reauthentication.

Hopefully this helps somebody else.
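As an added diagnostic (not code from the thread's author), the check below covers both gotchas described in the solution: it reads the `groupMembershipClaims` value from an exported app-registration manifest and classifies a token by whether it actually carries a `groups` claim (or the overage markers Azure AD emits when the group list is too long to embed). The manifest fragments and the unsigned token are constructed sample data; the helper does not validate signatures and is meant to run after the app's normal token validation.

```python
import base64
import json

# Constructed manifest fragments mirroring what the portal's "Manifest" blade
# exports; only the key the thread discusses matters here.
MANIFEST_BROKEN = {"groupMembershipClaims": None, "replyUrls": ["https://app.example.com/signin-oidc"]}
MANIFEST_OK = {"groupMembershipClaims": "All", "replyUrls": ["https://app.example.com/signin-oidc"]}


def manifest_emits_groups(manifest: dict) -> bool:
    """True when the registration is configured to include group claims.

    Non-null values such as "All", "SecurityGroup", "DirectoryRole" or
    "ApplicationGroup" emit groups; null or "None" means no groups claim.
    """
    value = manifest.get("groupMembershipClaims")
    return value is not None and value != "None"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_group_status(jwt: str) -> str:
    """Classify a token's group claims: "groups", "overage" or "none".

    Signature is NOT checked; this only inspects the payload for diagnosis.
    """
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    if payload.get("groups"):
        return "groups"
    # Overage: Azure AD omits the list and flags it via hasgroups/_claim_names.
    if payload.get("hasgroups") or "groups" in payload.get("_claim_names", {}):
        return "overage"
    return "none"


def diagnose(manifest: dict, jwt: str) -> list:
    """Return human-readable findings for the manifest/token pair."""
    findings = []
    if not manifest_emits_groups(manifest):
        findings.append("manifest: groupMembershipClaims is null; set it back to All")
    status = token_group_status(jwt)
    if status == "none":
        findings.append("token: no groups claim; users must sign in again after the manifest fix")
    elif status == "overage":
        findings.append("token: group overage; the list is not embedded in the token")
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `diagnose(MANIFEST_BROKEN, make_unsigned_token({"sub": "user1"}))` to see both findings reported for a registration that lost its setting and a stale token.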
