How can we improve Azure Active Directory?

Get user membership groups in the claims with AD B2C

As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

927 votes

Alexandre Blecich shared this idea

We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

Apologies for the delay.

/Parakh


Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/), or are there different requirements around this for Azure AD B2C?

57 comments

  • Anonymous commented

    What is this "workaround" that you refer to? This seems like such basic "minimum viable product" functionality... you must really have a mess of legacy code on your hands here. I'll continue to use AWS Cognito, Okta, Auth0 and other more mature solutions, and recommend that my customers and colleagues do the same... Microsoft probably doesn't really care that we use other solutions anyway, as is evident from the age and popularity of this request.

  • Don Airey commented

    Microsoft: Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

    Translation: Please evaluate Okta as we currently are not employing anyone competent enough to build this feature into our product.

  • Adam Tibi commented

    This is so important that I am having to abandon using AD B2C if this is not implemented and the workarounds seem like hacks rather than a proper solution.
    This has been under review for a long time; is there an estimate of when this would be done (or not)?

  • Kyle Pope commented

    It really is a shame that this isn't supported.

    Since it's unlikely to be implemented, it might be really useful and much less effort to embrace this limitation and provide an official Microsoft solution that is external to changing the B2C product. I'm thinking something similar to the Git repo Marcel Juhnke provided in a previous comment but more refined, including:
    * Implementation of user group retrieval as an Azure function with proper error handling and necessary authentication implemented.
    * Detailed documentation on the Microsoft B2C documentation portal about how to configure/install and integrate a custom policy with it.

    If this solution existed and it was relatively easy to implement it might go a long way to address this issue.

  • Jerry Dixon commented

    Three years and still no answer? Should I drop this and evaluate competitors? This is a basic requirement and my management team was shocked that it is not available.

  • Marcel Juhnke commented

    While this is still not available natively, you can get around this with a custom policy and using RESTful API integration. You will need a service that is called by the User Journey which in turn queries the actual Azure AD behind the B2C tenant for the user's group memberships.

    If anyone is interested, we have written a small service to do exactly that as we faced the same issue:

    https://github.com/karrieretutor/b2c-group-membership
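    Added example of the pattern this comment describes (it is not the karrieretutor project's code): the core of a small REST endpoint that a B2C custom policy calls from its user journey, which looks up the user's groups in the underlying Azure AD through Microsoft Graph and returns them as a claim. The Graph HTTP call is injected so the code runs offline; the output claim name "groups", the constructed Graph responses and the request shape (B2C posting input claims as JSON keys) are assumptions.

```python
import uuid
from typing import Callable, Dict, List

# Graph endpoint for direct memberships; /transitiveMemberOf would include nested groups.
GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/users/{oid}/memberOf"


def b2c_error(status: int, message: str) -> Dict:
    """Error body the B2C REST technical profile understands; 409 shows userMessage to the user."""
    return {"version": "1.0.0", "status": status, "userMessage": message}


def group_claims(body: Dict, fetch_json: Callable[[str], Dict]) -> Dict:
    """Handle one POST from the B2C user journey.
    body is the JSON B2C sends (input claims as keys); fetch_json performs an
    authenticated GET against Graph with the service's own app-only credential,
    so the directory permission and its secret stay in this backend, never in the client app."""
    oid = body.get("objectId", "")
    try:
        uuid.UUID(oid)  # accept only a well-formed directory object id
    except (TypeError, ValueError, AttributeError):
        return b2c_error(409, "objectId claim missing or malformed")
    groups: List[str] = []
    url = GRAPH_MEMBER_OF.format(oid=oid)
    try:
        while url:  # Graph pages large result sets via @odata.nextLink
            page = fetch_json(url)
            # memberOf mixes object types: keep groups, drop directory roles and the like
            groups += [o["displayName"] for o in page.get("value", [])
                       if o.get("@odata.type") == "#microsoft.graph.group"]
            url = page.get("@odata.nextLink")
    except Exception:  # network failure, 4xx/5xx, malformed payload
        return b2c_error(409, "Group lookup failed, please try again later")
    return {"groups": sorted(groups)}  # B2C maps this key to a stringCollection output claim


# Constructed Graph responses (two pages) standing in for the live tenant.
FAKE_GRAPH = {
    GRAPH_MEMBER_OF.format(oid="11111111-2222-3333-4444-555555555555"): {
        "value": [{"@odata.type": "#microsoft.graph.group", "displayName": "Readers"},
                  {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"}],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/page2"},
    "https://graph.microsoft.com/v1.0/page2": {
        "value": [{"@odata.type": "#microsoft.graph.group", "displayName": "Admins"}]},
}


def fake_fetch(url: str) -> Dict:
    return FAKE_GRAPH[url]  # KeyError here simulates a failed Graph call
```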

  • Ayoub commented

    +1,
    Please include this feature, I can't believe it's not included by default

  • Anonymous commented

    I can't believe that this isn't in by default. It makes me not trust what I think I know about this stuff.

  • Don Airey commented

    How is using the Graph API a solution? You need to burn administrator privs and a secret into the application in order to query the API. This is a HUGE security leak and simply an unworkable solution. Your answer at the moment appears to be "Claims Based Authentication just doesn't work for B2C" which is unworkable for us.

  • Mike DePouw commented

    @Mark - that's a great question. I would recommend a Stack Overflow question with the 'azure-ad-b2c' tag.
