I have an application with multiple departmental levels. A user is a member of an AD group which represents a department. This group is then a member of another group representing a parent department, and so on through a number of levels.
I need to know this entire chain of transitive group memberships, but I also need to know which group the user is a direct (intransitive) member of.
Using the groupMembershipClaims property of the JSON manifest (as described in detail here), I get group claims on my authenticated ClaimsPrincipal without an additional call to the Graph API:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups : {guid-a}
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups : {guid-b}
...
So far, in all our tests, the first group {guid-a} is always the intransitive one that my user is a direct member of, and subsequent groups are always in ascending order.
My question: is this order reliable? And if not, is there any other way without making a call to the Graph API that I can identify which group among many my user is a direct member of?
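As an added example (not code from the question or from Azure AD itself), the following shows one way to avoid depending on the order of the group claims at all, which nothing in the token format promises. It assumes the application already knows its own departmental tree as a child-to-parent map of group object IDs (the GUIDs and the tree below are constructed, and the claim list is a constructed stand-in for what the ClaimsPrincipal carries). Given the transitive set of group claims, the group at the bottom of each chain is the one that has no child in the set; that is the direct membership whenever the user is a direct member of exactly one group per chain. It also flags the overage case, where Azure AD replaces the groups claim with `_claim_names`/`_claim_sources` and nothing can be decided from the token alone.

```python
"""Find the bottom of each departmental chain from Azure AD group claims, order-independently.

Assumptions (not from the original post): the app holds its departmental tree as a
child -> parent map of group object IDs, and claims are available as (type, value) pairs.
"""
import json
from typing import Dict, Iterable, Set, Tuple

# Claim type as surfaced on a .NET ClaimsPrincipal, and the short name used in raw JWT payloads.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_JWT = "groups"
OVERAGE_CLAIM = "_claim_names"  # present instead of the group list when the user is in too many groups

# Constructed departmental tree (object IDs are made up): child group -> parent group.
TEAM = "11111111-1111-1111-1111-111111111111"
DEPT = "22222222-2222-2222-2222-222222222222"
DIVISION = "33333333-3333-3333-3333-333333333333"
OTHER_DEPT = "44444444-4444-4444-4444-444444444444"
DEPARTMENT_PARENT: Dict[str, str] = {
    TEAM: DEPT,            # Team -> Department
    DEPT: DIVISION,        # Department -> Division
    OTHER_DEPT: DIVISION,  # Another Department -> Division
}

# Constructed claim list standing in for ClaimsPrincipal.Claims; deliberately not in
# "leaf first" order so the result does not depend on how the token was emitted.
SAMPLE_CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "alice@example.com"),
    (GROUPS_CLAIM, DIVISION),
    (GROUPS_CLAIM, TEAM),
    (GROUPS_CLAIM, DEPT),
]


def group_ids_from_claims(claims: Iterable[Tuple[str, str]]) -> Set[str]:
    """Collect group object IDs from the claims as a set, discarding issue order."""
    return {value for ctype, value in claims if ctype in (GROUPS_CLAIM, GROUPS_JWT)}


def has_group_overage(claims: Iterable[Tuple[str, str]]) -> bool:
    """True when the token carries an overage marker for groups rather than the list itself.

    On a ClaimsPrincipal the _claim_names value arrives as a JSON string such as
    '{"groups": "src1"}'; a raw dict is also accepted here for convenience.
    """
    for ctype, value in claims:
        if ctype != OVERAGE_CLAIM:
            continue
        names = value if isinstance(value, dict) else json.loads(value)
        if "groups" in names:
            return True
    return False


def deepest_groups(member_of: Set[str], parent_of: Dict[str, str]) -> Set[str]:
    """Return the groups in member_of that have no child in member_of.

    For a nested-department tree this is the group at the bottom of each chain. It is
    the direct membership only when the user is a direct member of exactly one group
    per chain; an additional direct membership in an ancestor is indistinguishable
    from the transitive claim set without a directory query.
    """
    parents_of_members = {parent_of[g] for g in member_of if g in parent_of}
    return {g for g in member_of if g not in parents_of_members}


def missing_ancestors(member_of: Set[str], parent_of: Dict[str, str]) -> Set[str]:
    """Ancestors the tree says should be present (transitively) but are absent from the claims.

    A non-empty result means the claim set and the app's tree disagree and the
    deepest-group inference should not be trusted for this token.
    """
    return {parent_of[g] for g in member_of if g in parent_of and parent_of[g] not in member_of}


def analyze_claims(claims: Iterable[Tuple[str, str]], parent_of: Dict[str, str]) -> Dict[str, object]:
    """Combine the checks above into one decision for a single authenticated principal."""
    claims = list(claims)
    if has_group_overage(claims):
        return {"overage": True, "member_of": set(), "deepest": set(), "missing_ancestors": set()}
    member_of = group_ids_from_claims(claims)
    return {
        "overage": False,
        "member_of": member_of,
        "deepest": deepest_groups(member_of, parent_of),
        "missing_ancestors": missing_ancestors(member_of, parent_of),
    }


if __name__ == "__main__":
    print(analyze_claims(SAMPLE_CLAIMS, DEPARTMENT_PARENT))
```

For the constructed claims above the result is `{TEAM}` even though the team group is not the first claim; a user who is also a direct member of `OTHER_DEPT` yields two bottom groups, one per chain, which is the case the order-based reading cannot represent at all.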
