Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Active Directory?

← Azure Active Directory

Get user membership groups in the claims with AD B2C

As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

1,719 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Alexandre Blecich shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

102 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Thai Bui commented  ·   ·  Flag as inappropriate

    The Custom Policy solution recommended by Azure AD Team only works with local accounts but not with social login or other trust claims provider correct?

  • Denis Ouspenski commented  ·   ·  Flag as inappropriate

    May I suggest that someone at MSFT adds the completed sample as a turn-key solution to the linked GitHub repository?

    If it can be done, and so many people are asking for it, having a sample and a piece of documentation detailing the use and implementation would go a long way for everyone in this thread.

    It would be even better if that sample was documented and linked through the docs.microsoft.com site.

  • Joe Smith commented  ·   ·  Flag as inappropriate

    An explanation of the difficulty here.

    Azure B2C consists of a cut-down AzureAD tenant with the Identity Experience Framework (IEF) layered on top. When you authenticate against B2C you are really authenticating against an IEF flow, not the Azure AD directly. For local accounts, the default flows authenticate directly against the underlying Azure AD tenant.

    It does not get back groups. In order to enable this, the Identity Experience Framework application would need the the groupMembershipClaims change. That would get the groups into the Identity Experience Framework, but even then the default flows are probably not set up to forward such claims along. In any case, changing the groupMembershipClaims attribute is non-trivial, because the built-in flows use an application registered in the cpimcore.onmicrosoft.com tenant.

    If you use custom policy you don't use the shared application registration so it is most likely possible to apply the groupMembershipClaims to your manually created Application representing Identity Experience Framework, and then configuring things such that this claim gets exposed.

    But the above would only work for non-social logins. To make social logins work, there is no way to use the underlying AzureAD support for creating group claims. Instead the profile read step would need to read the groups. But I'm guessing the AzureActiveDirectoryProvider does not support fetching groups. Indeed, getting a user's groups is an extra API call on the Graph API that ideally should only occur if needed.

    There does not seem to be any easy way to allow the AzureActiveDirectoryProvider to know if the group claims will be needed for the app being processed. It would be easy enough to allow a global switch that if enabled always fetched groups for any application being signed in, even ones that don't need it. But that is likely too inefficient for Microsoft to be satisfied with.

    Basically this actually is complicated. If it were easy it would already have been implemented. And the above are what I am able to deduce are complications as an outsider. There could be even more roadblocks that are only visible to insiders.

  • Sam J. commented  ·   ·  Flag as inappropriate

    I'm just baffled at how many hoops I need to jump through to obtain something that I strongly feel should be out-of-the-box functionality. I've been working on this for a few days now and it is simply not what I expected from an industry leader. Please streamline this process.

  • Mark Duff commented  ·   ·  Flag as inappropriate

    None of the workarounds I've wasted time on work in .NET Core 5.0, so can this be a priority again now? Or where is the link to a working example w/ complete source code?

    This couldn't be a more fundamental need.

  • bob commented  ·   ·  Flag as inappropriate

    2021 !!!
    6 years and going for a must have option so that b2c can be used in a real-world application without redeveloping APIs and securing them, is MS intentionally do not want to implement this???

  • Howard Richards commented  ·   ·  Flag as inappropriate

    So this **basic feature** of any security system is STILL missing from B2C after five years? Glad I only wasted a few days testing out Azure B2C. Without groups/roles this is an absolute joke. Why would anyone use it?

  • Anonymous commented  ·   ·  Flag as inappropriate

    It is the same as what Azure AD does but in B2C.

    Currently in B2C you can add user attributes, which get added as claims to the user in AAD B2C.
    We would also like group membership claims to be populated.

  • Anonymous commented  ·   ·  Flag as inappropriate

    As others stated I also feel like the workaround here is awful and don't quite understand how this has not been fixed yet. I cannot see how this would be so expensive to implement, the data is there.

  • channa commented  ·   ·  Flag as inappropriate

    Why is there no update on this feature, the work around is ugly to say the least.

← Previous 1 3 4 5 6

Azure Active Directory: B2C

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice