Azure SSO Group claim transformation

Brass Contributor

Hello, I'm in the process of migrating off AD FS to Azure AD and have a vendor with a difficult claim requirement that I hope someone can help me with.


The enterprise application has three groups assigned to it, lets call them GroupA, GroupB and GroupC. Members with access this this application are only ever in one of the three groups. The vendor requires a claim to return a specific value based on group membership as follows.


If the member is in GroupA the claim should return "User"

If the member is in GroupB the claim should return "Admin"

If the member is in GroupC the claim should return "Developer"


I've created a group claim that returns only groups assigned to the application but from there I don't know what the next step is. I believe I customize the name of the group claim then Apply regex replace to groups claim content. AM I on the right track? If so, given the group names and the expected return value can anyone help me work this out?


Thank you for your consideration

1 Reply

In App Registrations, add "app roles" named/valued "User, Admin, Developer".
After that in Entrerprise Applications view assign GroupA to User role, GroupB to Admin etc.