By default, an Azure Active Directory application manifest does not emit claims about the user's group membership; this keeps tokens small and avoids bloat for users who belong to many groups. For a well-managed Azure Active Directory environment this is usually not a major concern.
Enabling the group claims alongside the standard claims greatly simplifies authorization, which would otherwise require calls to the Microsoft Graph API to look up the user's groups.
The example below shows how to enable group claims for an Azure Active Directory-integrated application, using an Azure Function as the example, but the same manifest change applies to any other type of application.
To start, create an Azure Function App.
Navigate to the newly created Function App and choose the “Authentication/Authorization” link.
Enable App Service Authentication, choose Azure Active Directory as the provider and apply the settings below.
Add a new function by pressing the + sign and choosing the “Custom Function” link.
Choose the “HTTP Trigger – C#” type, name your function and set the Authorization level to “Function”.
Paste the following code into the function:
using System.Net;
using System.Security.Claims;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    log.Info("C# HTTP trigger function processed a request.");
    // App Service Authentication populates the thread principal; return only the "groups" claim values.
    return req.CreateResponse(HttpStatusCode.OK, ((ClaimsIdentity)ClaimsPrincipal.Current.Identity).Claims.Where(c => c.Type == "groups").Select(c => c.Value));
}
Click “Get Function URL” and paste the resulting URL into a new browser window that has no existing cookies or session (Incognito mode in Chrome).
Log in with your Azure AD account. The resulting page will contain no group information, because the default claim set does not include group memberships.
Navigate to the Azure Active Directory / App registrations pane and choose your application.
Click “Manifest” at the top and verify that groupMembershipClaims is still at its default value (null); this is why no groups claim was issued.
Click “Edit” and change it to one of two values:
SecurityGroup returns only security groups, while
All returns both security groups and distribution lists (http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/).
Save the file, open the function URL again in a new incognito window and authenticate. This time the response lists the object IDs (GUIDs) of the groups the user belongs to; the groups claim carries Azure AD object IDs, not Windows-style SIDs. Note that if the user belongs to more groups than a token can carry (200 for a JWT), Azure AD omits the groups claim entirely and emits an overage indicator instead, so an application must not treat a missing groups claim as "no groups".
You can find the object ID to group name mapping in Azure Active Directory under Groups (the Object ID property of each group).
This setup lets you perform role-based authorization from the token alone, without the extra step of calling the Graph API.
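As an added example (not code from the original post), the function below extends the claim dump above into an actual authorization check: it maps group object IDs to application roles, requires the Admin role, and refuses to decide when the token carries Azure AD's group overage markers (_claim_names or hasgroups) rather than the groups claim itself. The GUIDs are placeholders, not real groups, and the code assumes, as the original function does, that App Service Authentication exposes the token's claims through ClaimsPrincipal.Current in a C# script (run.csx) function.

```csharp
using System.Net;
using System.Linq;
using System.Collections.Generic;
using System.Security.Claims;

// Group object IDs -> application role. Placeholder GUIDs for illustration only;
// replace them with the Object IDs of your own Azure AD groups.
static readonly Dictionary<string, string> GroupRoles = new Dictionary<string, string>
{
    ["11111111-1111-1111-1111-111111111111"] = "Reader",
    ["22222222-2222-2222-2222-222222222222"] = "Admin",
};

// Maps the "groups" claim values to roles. Returns null when the token carries a group
// overage marker, i.e. Azure AD left "groups" out because the user is in too many groups.
public static List<string> RolesFromClaims(ClaimsIdentity identity)
{
    bool overage = identity.HasClaim(c => c.Type == "_claim_names")
                || identity.HasClaim(c => c.Type == "hasgroups");
    if (overage) return null;

    return identity.Claims
        .Where(c => c.Type == "groups" && GroupRoles.ContainsKey(c.Value))
        .Select(c => GroupRoles[c.Value])
        .Distinct()
        .ToList();
}

public static HttpResponseMessage Run(HttpRequestMessage req, TraceWriter log)
{
    // App Service Authentication (Easy Auth) populates the thread principal from the id_token.
    var identity = ClaimsPrincipal.Current?.Identity as ClaimsIdentity;
    if (identity == null || !identity.IsAuthenticated)
        return req.CreateResponse(HttpStatusCode.Unauthorized, "No authenticated principal.");

    var roles = RolesFromClaims(identity);
    if (roles == null)
    {
        // Do not treat a missing groups claim as "no groups": the user may well be an Admin
        // whose memberships must be fetched from Graph instead.
        log.Warning("Group overage for " + identity.Name + "; groups must be read from Graph.");
        return req.CreateResponse(HttpStatusCode.Forbidden, "Too many groups to authorize from the token alone.");
    }

    if (!roles.Contains("Admin"))
    {
        log.Info(identity.Name + " is not a member of the Admin group.");
        return req.CreateResponse(HttpStatusCode.Forbidden, "Admin group membership required.");
    }

    return req.CreateResponse(HttpStatusCode.OK, new { user = identity.Name, roles = roles });
}
```

Keying the role table on object IDs rather than display names matters: group names can be renamed or duplicated, while the object ID is stable and is exactly what the groups claim carries. The overage branch is the failure mode a token-only design must handle explicitly; failing closed with a 403 is the safe default until a Graph lookup is added.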