0
votes

Is there an option to include the AAD group name (display name) instead of the Object Id in the JWT token issued by AAD? If yes - how?

  …
  "family_name": "Smith",
  "given_name": "John",
  "groups": [
    "0e1cbc5f-94bc-4c3b-a22b-a4c56bbdbd7d", // <- replace id with name
    "9762d7ea-c0a9-4543-8a3e-2459e826a35a"
  ],
  …

Some background: I’m implementing OAuth with AAD for an API. I configured 2 Service Principals (1 for API, 1 for client) and added delegated & application permissions. I also configured optional group claims to receive the list of groups. It all seems to work and I’m getting JWT tokens with group IDs in 2 scenarios: authorization code & client credentials.

In the API implementation I need to filter data based on the AAD group membership. Example: I have an AAD group “Company1Users” and would like to apply filter: “where company=Company1”. With groupId I need to maintain additional mapping in my app (AADGroupId=Company1) or make an additional call to graph API, which I would like to avoid.


1 Answer

0
votes

Include AAD group name in the JWT token

In short, you cannot get them in tokens.

As you noticed, you only get the ids. Usually this is good, since the id cannot be changed, unlike the name which can change.

Also, group and role claims may be emitted containing the domain qualified sAMAccountName rather than the group's Azure Active Directory objectID. However, sAMAccountName is only available on Group objects synced from Active Directory. They aren't available on groups created in Azure Active Directory or Office365.

If you want to do authorization based on groups, you can set the ids in a configuration file and then check with the id. If you want the names for some other purpose, you'll need to query the groups from Microsoft Graph API. You can find the API documentation here.
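As an added example (not code from the question or the answer), this is what the answer's "keep the group ids in a configuration file and check against the id" approach looks like in an API. The ID-to-company mapping and the data rows are constructed, and the claims dict is assumed to come from the API's OAuth middleware after the token's signature, issuer, audience and expiry have been validated.

```python
import json

# Constructed configuration: immutable AAD group object IDs (the values that
# appear in the token's "groups" claim) mapped to the company each group
# represents. The two IDs are the ones shown in the question; the company
# names are hypothetical.
GROUP_TO_COMPANY = {
    "0e1cbc5f-94bc-4c3b-a22b-a4c56bbdbd7d": "Company1",
    "9762d7ea-c0a9-4543-8a3e-2459e826a35a": "Company2",
}

# Constructed token payload in the shape the question shows. In a real API this
# dict is produced by the OAuth middleware only after the JWT has been verified;
# never derive authorization from an unverified payload.
SAMPLE_CLAIMS = json.loads("""{
  "family_name": "Smith",
  "given_name": "John",
  "groups": ["0e1cbc5f-94bc-4c3b-a22b-a4c56bbdbd7d"]
}""")

# Constructed data set that the API filters per caller.
SAMPLE_ROWS = [
    {"id": 1, "company": "Company1"},
    {"id": 2, "company": "Company2"},
    {"id": 3, "company": "Company3"},
]


def allowed_companies(claims):
    """Companies the caller may see, derived only from group object IDs.

    Fails closed: a missing or malformed "groups" claim grants nothing, and
    group IDs that are not in the configuration are ignored, not trusted.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return frozenset()
    return frozenset(GROUP_TO_COMPANY[g] for g in groups if g in GROUP_TO_COMPANY)


def filter_rows(rows, claims):
    """Apply the question's "where company=<mapped name>" filter to rows."""
    allowed = allowed_companies(claims)
    return [row for row in rows if row["company"] in allowed]
```

Because the check keys on the object ID, renaming the group in AAD does not change who is authorized; only the configuration file needs updating when a group is added or retired.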