Use group claims for easy authorization in Azure Active Directory

By default the Azure Active Directory application manifest does not populate claims about the user's group membership, to keep tokens small and avoid group bloat. For a well-managed Azure Active Directory environment this is usually not a major concern.

Enabling group claims alongside the other claims greatly simplifies authorization, which would otherwise require calling Microsoft Graph to look up the user's groups.

The example below shows how to enable group claims for an Azure Active Directory-enabled application, using an Azure Function, but the same manifest change applies to any other type of application.

To start, create an Azure Function app.


Navigate to the newly created Function app and choose the "Authentication/Authorization" link.


Enable App Service Authentication, choose Azure Active Directory as the provider, and apply the settings below.


Add a new function by pressing the + sign and choose the "Custom function" link.


Choose the "HTTP Trigger – C#" template, name your function, and set the Authorization level to "Function".


Paste the following code into the function:

using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    log.Info("C# HTTP trigger function processed a request.");

    // App Service Authentication has already validated the Azure AD token and
    // populated ClaimsPrincipal.Current from it; return only the "groups" claim values.
    var groups = ((ClaimsIdentity)ClaimsPrincipal.Current.Identity).Claims
        .Where(c => c.Type == "groups")
        .Select(c => c.Value);

    return req.CreateResponse(HttpStatusCode.OK, groups);
}


Click "Get function URL" and paste the resulting URL into a new browser window that has no existing cookies or session (Incognito mode in Chrome).


Log in with your AD account. The resulting page will contain no group information, because the default claim set does not include group memberships.

Navigate to the Azure Active Directory / App registrations pane and choose your application.


Click "Manifest" at the top and verify that groupMembershipClaims is set to its default value of null.


Click "Edit" and change it to one of two values: "SecurityGroup" or "All".

"SecurityGroup" returns only security groups, while "All" returns security groups as well as distribution lists. Note that the claim carries group object IDs (GUIDs), not display names. Also note that when a user belongs to more groups than fit in the token, Azure AD omits the groups claim entirely and emits an overage indicator instead, so an authorization check must not treat a missing claim as "no groups"; it should deny the request or fall back to Microsoft Graph for that user.

Save the manifest, navigate to the function URL in a new incognito window, and authenticate again. This time the group object IDs should be populated in the response.


You can map each object ID to the actual group in the Groups blade of your Azure Active Directory.


This setup lets you perform role-based authorization on the group IDs in the token without the additional complexity of calling the Graph API.
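As an added example, not the post's original function, here is the same Functions v1 C# script (HttpRequestMessage, TraceWriter, ClaimsPrincipal.Current) extended to actually authorize on the groups claim: it intersects the group object IDs in the token with an allow list and fails closed when Azure AD signals group overage. The two GUIDs are placeholders, and the assumption that the overage indicators surface as claims of type "_claim_names" or "hasgroups" should be verified in your own tenant.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;

// Object IDs of the Azure AD groups allowed to call this function.
// These GUIDs are placeholders (assumption): copy the real Object Id of each
// group from Azure Active Directory > Groups. Never key on display names;
// the token only carries IDs.
private static readonly HashSet<string> AllowedGroupIds =
    new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "11111111-1111-1111-1111-111111111111", // e.g. "Function Operators"
        "22222222-2222-2222-2222-222222222222", // e.g. "Function Admins"
    };

public static HttpResponseMessage Run(HttpRequestMessage req, TraceWriter log)
{
    // App Service Authentication has already validated the Azure AD token and
    // populated ClaimsPrincipal.Current from it.
    var identity = ClaimsPrincipal.Current?.Identity as ClaimsIdentity;
    if (identity == null || !identity.IsAuthenticated)
    {
        return req.CreateResponse(HttpStatusCode.Unauthorized, "No authenticated identity.");
    }

    // Group overage: when a user is in more groups than fit in the token, Azure AD
    // drops the "groups" claim and signals it with "_claim_names"/"_claim_sources"
    // (or "hasgroups" for implicit-flow tokens). Fail closed instead of treating the
    // absent claim as "no groups"; resolving the real list would need Microsoft Graph.
    // Assumption: these indicators surface here as claims with those types.
    if (identity.HasClaim(c => c.Type == "_claim_names" || c.Type == "hasgroups"))
    {
        log.Warning($"Group overage for '{identity.Name}': groups not present in token.");
        return req.CreateResponse(HttpStatusCode.Forbidden, "Group overage; cannot authorize from token.");
    }

    var tokenGroups = identity.Claims
        .Where(c => c.Type == "groups")
        .Select(c => c.Value)
        .ToList();

    // Intersect the token's group IDs with the allow list.
    var matched = tokenGroups.Where(AllowedGroupIds.Contains).ToList();
    if (matched.Count == 0)
    {
        log.Info($"Denied '{identity.Name}': not a member of any allowed group.");
        return req.CreateResponse(HttpStatusCode.Forbidden, "Not a member of an authorized group.");
    }

    log.Info($"Authorized '{identity.Name}' via group(s) {string.Join(", ", matched)}.");
    return req.CreateResponse(HttpStatusCode.OK, new { user = identity.Name, groups = matched });
}
```

Because App Service Authentication rejects requests without a valid token before the function runs, the Unauthorized branch is a defensive check rather than the normal path; the important decisions are the explicit denial on overage and the allow list keyed on object IDs, which cannot be spoofed by renaming a group.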
