6
votes

We have an application developed in the MEAN stack. We are using the adal-angular library for Azure AD authentication. As per the documentation and sample:

Adal.js uses the OAuth implicit flow to communicate with Azure AD. You must enable the implicit flow for your application.

However, when we enable implicit flow, Azure AD DOES NOT include group information in the token. The issue has been discussed here in detail and confirmed by @vibronet.

Question
Azure AD functionalities have been changing almost every day, so are the above answers still valid? Do we still have to enable implicit flow for our application? I want to get group information in the token (I don't want to use the Graph API as a solution).

Another reason I am asking this question is that I disabled the implicit flow and the user was still able to access the application. However, I still don't see group information in the token.

1
Did you enable group claims in the application manifest? To avoid using the Graph API, how will you guarantee that your users will never have more groups than the max allowed in a token? - Philippe Signoret
Assuming this is also you: social.msdn.microsoft.com/Forums/en-US/…, I see you have. Have you looked at the raw id_token (e.g. with something such as jwt.io)? - Philippe Signoret
@PhilippeSignoret Yes, that's me. Not sure how jwt.io would help me here if Azure never includes that information in the token. Also, we are using "passport-azure-ad" on the server, which parses and validates the token. - LP13
In the forum post you proposed that perhaps Azure AD is not returning the groups. Looking at the raw token would allow you to confirm whether it contains the groups (and thus it is the library that is dropping them). It appears you have confirmed that it is not. - Philippe Signoret
Yes, I verified the JWT token. I have configured "groupMembershipClaims" to "SecurityGroup". When I do that I get an extra property "hasgroup=true" but not the actual group IDs. - LP13

1 Answer

7
votes

Azure AD JWT does emit security groups in implicit flow. In the Application Registration manifest, set "groupMembershipClaims": "SecurityGroup".

Then in your server:

using System.Linq;
using System.Security.Claims;

// Collect the object IDs of all "groups" claims from the validated principal
var groups = ClaimsPrincipal.Current.Claims
    .Where(t => t.Type == "groups")
    .Select(g => g.Value)
    .ToList();

No need for the Graph API.

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
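An added example, not code from the question, the answer or passport-azure-ad, of doing the same thing on the Node side of a MEAN stack: it reads the "groups" claim from a token that passport-azure-ad has already verified and treats the overage marker the comments mention (hasgroups) as "membership unknown" rather than "no groups". The group IDs, token payloads and signature are constructed placeholders.

```javascript
// Added example (not from the question, the answer or passport-azure-ad):
// read the Azure AD "groups" claim in a Node backend after the token has
// been verified, and recognise the overage signal ("hasgroups": true in
// implicit flow, "_claim_names" in other flows) that Azure AD sends instead
// of the list when the user is in more groups than the token can carry.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Payload only; signature validation is passport-azure-ad's job and is not repeated here.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS (header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { groups: [...], overage: bool }. overage=true means the token carries
// no list and membership must be resolved elsewhere (e.g. a directory lookup).
function getGroupsFromClaims(claims) {
  if (Array.isArray(claims.groups)) return { groups: claims.groups, overage: false };
  const overage = claims.hasgroups === true ||
    Boolean(claims._claim_names && claims._claim_names.groups);
  return { groups: [], overage };
}

// Authorisation decision for one required group object ID.
function requireGroup(token, groupId) {
  const { groups, overage } = getGroupsFromClaims(decodeJwtPayload(token));
  if (overage) return 'overage'; // fail closed until membership is resolved
  return groups.includes(groupId) ? 'allowed' : 'denied';
}

// Constructed sample tokens with placeholder IDs and a placeholder signature.
const HEADER = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
const GROUP_A = '11111111-1111-1111-1111-111111111111';
const GROUP_B = '22222222-2222-2222-2222-222222222222';
const TOKEN_WITH_GROUPS = `${HEADER}.${base64UrlEncode({ sub: 'user1', groups: [GROUP_A] })}.sig-placeholder`;
const TOKEN_OVERAGE = `${HEADER}.${base64UrlEncode({ sub: 'user2', hasgroups: true })}.sig-placeholder`;

console.log(requireGroup(TOKEN_WITH_GROUPS, GROUP_A)); // allowed
console.log(requireGroup(TOKEN_WITH_GROUPS, GROUP_B)); // denied
console.log(requireGroup(TOKEN_OVERAGE, GROUP_A));     // overage
```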