Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Azure AD SAML - Is it possible to apply filtering on group claims?

Copper Contributor



I know it's possible to send security group names in SAML response using the group claim in Azure AD.


But is it possible to filter groups based on some criteria? Suppose there's a requirement to send only those groups in SAML response that contain "Office365", can that be accomplished using RegEx, AAD PowerShell or Graph API?


Thanks in advance.

6 Replies
Yes, there are a few advanced options described in this support article for reducing the number of groups emitted

@Joe Stocker 

I came here looking for an answer to the same question, and I'm not following your suggestion.  I don't see any way to filter the group membership.  The documentation provides three "advanced" options:

  1. Customize the groups claim name
  2. Provide a namespace url
  3. Send the groups as a role 


I don't see anything about filtering...  can you elaborate?

Hello Joe
I have a similar question:
Is it possible to apply filtering on group claims using Regex in Azure AD for SAML app?
As far as I know, regex option in Azure AD for Groups is not there at the moment. Could you please confirm.



In the Azure AD Application "Users and Groups" you can require a group named O365_Users.

Then in the Group Claims, you can select the option to only send the groups that are associated with the application. 

So the filtering is basically done by adding the groups to the application, then only those groups would be sent.  Make sense?


@Joe Stocker 

Since you gave the options "Groups Assigned to the Application", I have one more question for you. If you can plz help.

After I select "Groups Assigned to the Application", I want to assign about 4500 groups to the app. I have thousands of users using the app however no users group membership will go past 100. My question is :

How can we bulk assign Groups to my App ? Portal does not give the option.


@Joe Stocker
the app does use app role for any authorization.
I thought of using the command: New-AzureADUserAppRoleAssignment