I have used Azure App registrations to register my app. In the Manifest, I added appRoles. I then use Azure Enterprise applications to add Users and Groups to the appRoles I created. Do I need to update "groupMembershipClaims": "SecurityGroup" in the Manifest because I add Groups in Enterprise application? Can I use role-based claims for groups in Enterprise Applications?

1 Answer

You might be mixing up two completely different concepts here. I'll give some details regarding each one below and then you can decide whether you really need group claims for your application or not.

My guess is that you're interested in the roles claim, so you don't need to update your app manifest to include "groupMembershipClaims": "SecurityGroup", but you are the best judge of your application's requirements.

Application Roles

You can define application roles by editing the app manifest and adding appRoles. You can then assign these roles to individual users or even to Azure AD groups.

  • Assigning Roles to Individual Users

    You can assign roles to individual users by going to Enterprise Applications and then using the portal UI. It looks like you've already done this for your app. When a user signs in to your application, the incoming access token contains role claims for the user, e.g. "roles": ["MyAppCustomRole1"]

  • Assigning Roles to Azure AD Groups

    You can assign an application role to an Azure AD group (if you have Azure AD Premium). This can be convenient, especially when dealing with a large number of users. This way you don't need to assign the appRole to individual users but can bulk-assign it by virtue of their group membership.

    If this is what you're looking to do, then you don't need to update your app manifest to include "groupMembershipClaims": "SecurityGroup".

Sample Code - Authorization in a web app using Azure AD application roles & role claims

Microsoft Docs - Application roles

Group Claims

You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in the Azure Portal) and setting the "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.

Once the application manifest is updated as mentioned, you get group IDs as part of the claims. Here's a quick sample of a decoded JWT token. Notice that this is a completely different claim from the roles claim explained earlier.

[image: decoded JWT token showing the groups claim]

Sample Code - Authorization in a web app using Azure AD groups & group claims

Groups vs. Roles

Do understand that Azure AD groups and their membership are completely separate from any single application.

Lifetime of an Azure AD Group may also be different, i.e. a group may continue to exist long after an application is removed or no longer needed.

Application Roles on the other hand are very closely related to one specific application.

For some applications the authorization strategy is to check for the user's group membership instead of an application-specific role. I have also seen cases where applications make authorization decisions based on a combination of the app-specific role and the groups that a user belongs to.


On a side note, to ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.

Other related SO Posts:
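As an added example (not from the answer above or from the linked Microsoft samples), here is an authorization check over decoded token claims that handles the three cases the answer describes: a roles claim from an appRole assignment, a groups claim, and the overage case where the groups claim is replaced by an overage indicator. The overage claim names (`_claim_names`/`_claim_sources` in v1 tokens, `hasgroups` in v2 tokens) come from the Azure AD token reference rather than from this page; the role name, group object IDs and token payloads are constructed sample values, and `lookup_groups` is a hypothetical callback standing in for a Graph API query. The point a defender cares about is that the overage case must fail closed until group membership is actually resolved.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed sample payloads (already-decoded and signature-verified JWT
# claims), not real tokens. Object IDs are made-up GUIDs.
ADMIN_ROLE = "MyAppCustomRole1"
ADMIN_GROUP = "a0b1c2d3-0000-4000-8000-000000000001"

TOKEN_WITH_ROLE = {"oid": "user-1", "roles": [ADMIN_ROLE]}
TOKEN_WITH_GROUP = {"oid": "user-2", "groups": [ADMIN_GROUP]}
TOKEN_OVERAGE_V1 = {
    "oid": "user-3",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/<tenant>/users/user-3/getMemberObjects"}},
}
TOKEN_OVERAGE_V2 = {"oid": "user-4", "hasgroups": True}
TOKEN_PLAIN = {"oid": "user-5"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def groups_from_token(claims: Dict) -> Tuple[List[str], bool]:
    """Return (group object IDs, overage flag) from decoded claims."""
    if "groups" in claims:
        return list(claims["groups"]), False
    overage = bool(claims.get("hasgroups")) or "groups" in claims.get("_claim_names", {})
    return [], overage


def authorize(claims: Dict, required_role: Optional[str] = None,
              allowed_groups: FrozenSet[str] = frozenset(),
              lookup_groups: Optional[Callable[[str], List[str]]] = None) -> Decision:
    """Grant if the app role is present, else if a group matches; fail closed on overage."""
    if required_role and required_role in set(claims.get("roles", [])):
        return Decision(True, "app role")
    groups, overage = groups_from_token(claims)
    if overage:
        if lookup_groups is None:
            # Token carries no groups; without a Graph lookup we cannot decide, so deny.
            return Decision(False, "group overage: membership not in token")
        groups = lookup_groups(claims["oid"])  # hypothetical Graph query
    if allowed_groups & set(groups):
        return Decision(True, "group membership")
    return Decision(False, "no matching role or group")
```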