1
votes

I'm currently trying to authorize my API depending on the user group. After enabling the group claim in Azure Active Directory I have realized that the groups claim is not included in the access_token but only in the id_token.

I'm trying to avoid making requests to the Graph API and I've seen something about Azure Active Directory claims mapping (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping).

But due to the lack of information and examples I'm not sure how to deal with this.

Any suggestions on how to get the extra claims into the access token?

2
So you have an API, and the access token it gets does not contain the group ids? – juunas
Exactly, Azure Active Directory provides the group ids only in the id_token. – Adrian Abreu

2 Answers

2
votes

You can get group ids in access tokens too.

But the API app manifest must have:

{
  "groupMembershipClaims": "SecurityGroup"
}

Note that this must be in the API's manifest, not the client app's manifest.
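Once the API's manifest emits the groups claim, the API still has to make the authorization decision from it. The following is an added example (not from the answer above) of that decision in Python: the group object IDs, the `GROUP_POLICY` mapping and the `api://my-api` audience are constructed placeholders, and the token builder/decoder exist only so the code runs offline; it also handles the case where Azure AD omits `groups` because the user is in too many groups (`hasgroups` in a JWT access token, `_claim_names.groups` in an id_token), which is the one situation where a Graph lookup cannot be avoided.

```python
import base64
import json

# Constructed sample mapping of API permissions to Azure AD group object IDs.
# These GUIDs are placeholders, not real tenant groups.
GROUP_POLICY = {
    "orders:read": {"11111111-1111-1111-1111-111111111111",
                    "22222222-2222-2222-2222-222222222222"},
    "orders:write": {"22222222-2222-2222-2222-222222222222"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature, for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def read_claims(token: str) -> dict:
    """Decode the payload segment. This does NOT validate the token: a real API must
    check the signature, issuer (iss), audience (aud) and expiry (exp) with a JWT
    library against the tenant's signing keys before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(claims: dict, permission: str) -> str:
    """Return 'allow' if a group in the (already validated) claims grants `permission`,
    'deny' otherwise, or 'overage' when Azure AD left the groups claim out because the
    user belongs to too many groups; only the overage case needs a Graph API fallback."""
    groups = claims.get("groups")
    if groups is not None:
        return "allow" if set(groups) & GROUP_POLICY.get(permission, set()) else "deny"
    if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        return "overage"
    return "deny"


if __name__ == "__main__":
    token = make_unsigned_token({"aud": "api://my-api",
                                 "groups": ["11111111-1111-1111-1111-111111111111"]})
    print(authorize(read_claims(token), "orders:read"))   # allow
    print(authorize(read_claims(token), "orders:write"))  # deny
```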

0
votes

In AAD, when you create an SSO application, you can create custom claims where you can customize the SAML response from AAD to the target application.

See this for more information.