How can we improve Azure Active Directory?

← Azure Active Directory

Get user membership groups in the claims with AD B2C

As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

1,561 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Alexandre Blecich shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  AdminAzure AD Team (Product Owner, Microsoft Azure) responded  · 

We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

Apologies for the delay.

/Parakh

Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?

Show previous admin responses (2)

89 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    As others stated I also feel like the workaround here is awful and don't quite understand how this has not been fixed yet. I cannot see how this would be so expensive to implement, the data is there.

  • channa commented  ·   ·  Flag as inappropriate

    Why is there no update on this feature, the work around is ugly to say the least.

  • YALAVARTHI Hrushikesh commented  ·   ·  Flag as inappropriate

    If you include this feature, definitely it would have been a valuable feature. Am requesting Microsoft,please implement to ability to configure B2C to add group id's as claims in B2C JWT

  • Anonymous commented  ·   ·  Flag as inappropriate

    No point having B2C at all unless you're going to add features that enables a deployment in the real world! I spent the last 5 days of my precious time researching for a ready to go solution, only to find that B2C and Microsoft has once again let us all down.

    So ANGRY!!!!!!

  • Alfie Wallace commented  ·   ·  Flag as inappropriate

    Dear Azure AD Team,

    Can you give an update on the status of this? It's been over 2 years since the last one.

    The current workaround require maintaining an API to make Graph queries, which in turn requires A) securing the API and testing that it isn't vulnerable to attack, B) maintaining the policy which communicates with the API, and C) managing the secrets used to connect to the application inside our tenant for these queries.

    The reason we want to use B2C is to avoid such tasks. It would be great to know whether we can expect this soon, and if not why it isn't being treated as a priority since there is clearly a demand.

  • Joseph Bailey commented  ·   ·  Flag as inappropriate

    Please reconsider adding this functionality. It's been 4 1/2 years since this request was opened and there is CLEARLY still a demand for this. How many votes do you need to make this a reality? And what workaround? I've been ******* my head against the wall for weeks trying to hack a workaround using Graph, but it's still an unnecessary thing to have to do when regular old AD supports this out of the box.

  • Mark Duff commented  ·   ·  Flag as inappropriate

    How is this even a disconnect? Every MS Evangelist recommends, nay, insists, nay admonishes us if we don’t base authorization on AD Groups rather than Users. But B2C AD User’s Groups are hidden from simple Claims? MS says, “oh, it’s too much work”. Not for your competitors. You want their slice of the pie? After years of waiting for this, it seems not. Our inability to recapture in Claims transitions from B2C casual visitors (Group) to prospects (Group) to customers (Group) to heightened elevations w/o our own mechanisms renders B2C AD Grouping moot and negates all the other relevant MS preaching. Really MS? We who work quietly ARE your true evangelists. But this is a sad sacrifice of a tree that makes the forest.

  • Marco-Pieter commented  ·   ·  Flag as inappropriate

    I find it a total waste if i can assign groups to my users but cannot return those groups as claims, this would've allowed me to build a more generic, robust system. The only best way i though of in my scenario is assigning the groups as Products in API Management and then publishing it as API's depending on what group you belong. If anyone has any other ideas.
    But like really i can only include what the Application wants and not what i want from Microsoft.Graph

  • John Del Forno commented  ·   ·  Flag as inappropriate

    Sorry @parakh, this isn't a work around.

    I don't want admins of the B2C directory to need to have access to the parent directory to administer groups.

    Nor can I allow them to have Graph API Access to the parent directory, as the current permissions grant access to all groups, not predefined or prefixed groups.

  • Matt Whited commented  ·   ·  Flag as inappropriate

    WTF Microsoft. We want to use your tech stack but this is making it very difficult to stick around. If we have to be in pain anyway we might as well go somewhere else where it hurts less.

← Previous 1 3 4 5

Azure Active Directory: B2C

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice