Forum Discussion
Azure AD Stopped returning group claims
Has anyone had odd AzureAD issues recently? A web app at one of my clients began to fail yesterday (about 9:30AM EST) and we determined that the token coming back from authentication was no longer including group claims. So users could authenticate, but were no longer getting access to any protected features. I pointed the code at two different Azure AD instances (3 in total each in their own tenant & subscription) - two experienced the issue, one did not. None of the 3 had undergone any configuration changes lately. Then about 4:00 yesterday one of the 2 broken environments mysteriously corrected itself. So I currently have 2 working AzureAD instances, and one broken instance. Within the broken instance, I've created a new app registration and even granted full permissions, neither change affected the behavior there. I'm looking for the root cause, and I'd like to rule out the prospect of some deprecated feature being used in the app that is going to blow up again at some point.
Update: I found the root cause. Tracing through the timeline here's what I found.
The two broken environments had a new Reply Url added. You wouldn't think that would affect anything, but it does - in the manifest, it resets groupMembershipClaims from All back to null. For the record, generating a new key also sets this value back to null.
The other gotcha is that once you have this setting changed back to All, you need to sign in again to get the new token values. That means completely closing the browser or waiting for the token to expire. I'm pretty sure we corrected the issue a few times, but didn't force a reauthentication.
Hopefully this helps somebody else.
Update: I found the root cause. Tracing through the timeline here's what I found.
The two broken environments had a new Reply Url added. You wouldn't think that would affect anything, but it does - in the manifest, it resets groupMembershipClaims from All back to null. For the record, generating a new key also sets this value back to null.
The other gotcha is that once you have this setting changed back to All, you need to sign in again to get the new token values. That means completely closing the browser or waiting for the token to expire. I'm pretty sure we corrected the issue a few times, but didn't force a reauthentication.
Hopefully this helps somebody else.
Sounds like a change they made on AAD side. But I haven't seen any announcements around this. Oh well, the joys of using the cloud. Open a support case to get an "official" answer.
