
I'm attempting to retrieve an AAD user's group membership when they log in to my B2C application.

What I've done:

  1. Followed the procedures outlined in https://docs.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-get-started-custom#add-the-application-ids-to-your-custom-policy
  2. Created an application in my Azure AD tenant according to the instructions: https://docs.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
  3. Modified the manifest of the application to support groups as discussed here -- https://www.red-gate.com/simple-talk/cloud/security-and-compliance/azure-active-directory-part-4-group-claims/
  4. Created an attribute extension_groups in my B2C tenant for storing the groups (I do not know if this is necessary?)
  5. Added a claimtype to TrustFrameworkBase.xml to support groups:

    <ClaimType Id="extension_groups">
      <DisplayName>Groups</DisplayName>
      <DataType>string</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="groups" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="groups" />
        <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" />
      </DefaultPartnerClaimTypes>
      <UserHelpText />
    </ClaimType>

  6. Modified the claims provider in TrustFrameworkExtensions.xml to include the group claim:

    <OutputClaim ClaimTypeReferenceId="extension_groups" PartnerClaimType="groups"/>

  7. Modified the output claim in the relyingparty section of my sign-in-only policy:

    <OutputClaim ClaimTypeReferenceId="extension_groups"/>

When I sign in using an Azure AD account, I get the following error:

Sorry, but we're having trouble signing you in. We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again. Correlation ID: e782c5c8-0e08-481b-b2c1-458b3855af7b Timestamp: 2018-04-25 20:07:27Z AADB2C: An exception has occured.

I'm not even sure where to start -- any tips on exposing the stack trace or hints based on the above config snippets would be amazing.
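For comparison, here is an added example (not taken from the question) of the three places a custom policy has to agree with each other for a group claim received from a federated Azure AD to reach the relying party. The question does not say what caused the exception; the example only shows the shape of a working mapping. Azure AD emits "groups" as a JSON array of group object IDs, so the B2C claim is declared as a collection here. The claim id "groups", the technical profile id "AADCommon-OpenIdConnect", the domain, and the journey name "SignIn" are assumptions.

```xml
<!-- Added example, not the question author's policy. Three fragments of a
     B2C custom policy; ids such as "AADCommon-OpenIdConnect" and "SignIn"
     are assumptions and have to match the policy they are merged into. -->

<!-- 1. Claim type (TrustFrameworkBase.xml or TrustFrameworkExtensions.xml).
        Azure AD sends "groups" as an array of object ids, so the claim is a
        stringCollection; a plain string claim cannot hold an array. The
        extension_ prefix is only needed for attributes persisted through the
        b2c-extensions-app; a claim passed through from a federated IdP does
        not have to be stored in the directory at all. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="groups">
      <DisplayName>Groups</DisplayName>
      <DataType>stringCollection</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="groups" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="groups" />
        <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" />
      </DefaultPartnerClaimTypes>
      <UserHelpText />
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- 2. Output claim on the Azure AD OpenID Connect technical profile
        (TrustFrameworkExtensions.xml). PartnerClaimType is the claim name
        in the id_token issued by the federated Azure AD; it is only present
        when that app registration's manifest sets groupMembershipClaims. -->
<ClaimsProvider>
  <Domain>contoso.com</Domain>
  <DisplayName>Contoso Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="groups" PartnerClaimType="groups" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. Relying party output claim (the sign-in policy file). B2C emits the
        collection as a JSON array in the token it issues to the app. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="groups" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

Two caveats a practitioner should keep in mind: the federated Azure AD only puts "groups" in the token when the app registration's manifest has groupMembershipClaims set (for example to "SecurityGroup"), and it replaces the claim with an overage indicator when the user belongs to more groups than fit in the token (200 for JWTs), so the application must be prepared for the claim to be absent. Because B2C passes the values straight through, the relying party is trusting the federated tenant's group assignments for authorization; treat the claim as exactly that trustworthy and no more.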

See Azure Active Directory B2C: Collecting Logs for how to troubleshoot a user journey. Can you confirm where the group memberships are managed? In your Azure AD B2C directory or in another Azure AD directory that is federated with your B2C tenant? (Chris Padgett)

@ChrisPadgett in another Azure AD directory that is federated with a B2C tenant. (Chad_C)

1 Answer