Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership groups in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a sign-in policy, but it's impossible to get user membership groups.
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However, there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or are there different requirements around this for Azure AD B2C?
Jens Spaniel commented
You can already add the assigned groups via custom claims.
Here you find a tutorial:
Pär Sandgren commented
5y and counting. The data is there, just fix it.
Jose Manuel commented
Please, reconsider this position and implement this popular functionality
how can this not be fixed yet?
YALAVARTHI Hrushikesh commented
If you include this feature, definitely it would have been a valuable feature. I am requesting Microsoft, please implement the ability to configure B2C to add group IDs as claims in the B2C JWT.
Thank you, now it’s really very convenient.
Zach Tanksley commented
The workaround at the link below is nice and easy to implement, but it has cost me days of development time that would not have been necessary if this was a feature.
No point having B2C at all unless you're going to add features that enable a deployment in the real world! I spent the last 5 days of my precious time researching for a ready-to-go solution, only to find that B2C and Microsoft have once again let us all down.
Alfie Wallace commented
Dear Azure AD Team,
Can you give an update on the status of this? It's been over 2 years since the last one.
The current workaround requires maintaining an API to make Graph queries, which in turn requires A) securing the API and testing that it isn't vulnerable to attack, B) maintaining the policy which communicates with the API, and C) managing the secrets used to connect to the application inside our tenant for these queries.
The reason we want to use B2C is to avoid such tasks. It would be great to know whether we can expect this soon, and if not why it isn't being treated as a priority since there is clearly a demand.
Joseph Bailey commented
Please reconsider adding this functionality. It's been 4 1/2 years since this request was opened and there is CLEARLY still a demand for this. How many votes do you need to make this a reality? And what workaround? I've been ******* my head against the wall for weeks trying to hack a workaround using Graph, but it's still an unnecessary thing to have to do when regular old AD supports this out of the box.
Mark Duff commented
How is this even a disconnect? Every MS Evangelist recommends, nay, insists, nay admonishes us if we don’t base authorization on AD Groups rather than Users. But B2C AD User’s Groups are hidden from simple Claims? MS says, “oh, it’s too much work”. Not for your competitors. You want their slice of the pie? After years of waiting for this, it seems not. Our inability to recapture in Claims transitions from B2C casual visitors (Group) to prospects (Group) to customers (Group) to heightened elevations w/o our own mechanisms renders B2C AD Grouping moot and negates all the other relevant MS preaching. Really MS? We who work quietly ARE your true evangelists. But this is a sad sacrifice of a tree that makes the forest.
I find it a total waste if I can assign groups to my users but cannot return those groups as claims; this would've allowed me to build a more generic, robust system. The only best way I thought of in my scenario is assigning the groups as Products in API Management and then publishing it as APIs depending on what group you belong to. If anyone has any other ideas.
But like really I can only include what the Application wants and not what I want from Microsoft.Graph
Gloria Gallego commented
You can add an API call in the IEF Custom Policy to be able to pass the Groups and Roles as Claims.
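The workaround mentioned in this comment, and the securing and scoping concerns raised earlier in the thread (the API must be protected, and a Graph permission that covers every group should not leak every group into tokens), can be made concrete with a small handler. The code below is an added example and is not part of this thread, Microsoft's documentation, or any commenter's code. It assumes the request/response shape of a B2C RESTful technical profile as I understand it: B2C POSTs the input claims as a JSON object (here an `objectId` claim), expects a JSON object of output claims on HTTP 200 (a JSON array mapped to a stringCollection claim), and expects failures as HTTP 409 with a `version`/`status`/`userMessage` body. The Basic credentials, the group membership table standing in for a Graph `memberOf` lookup, and all GUIDs are constructed values; the function names are mine.

```python
import base64
import hmac
import json

# Credentials the B2C custom policy presents on every call. Assumed to live in
# B2C policy keys and a server-side secret store; constructed values here.
API_USERNAME = "b2c-claims-exchange"
API_PASSWORD = "constructed-secret-change-me"

# Constructed stand-in for the result of a Graph memberOf query, keyed by the
# user's objectId. Every id below is made up.
GROUP_MEMBERSHIP = {
    "1f2d3c4b-0000-4000-8000-000000000001": [
        "aaaaaaaa-0000-4000-8000-00000000000a",  # e.g. "customers"
        "bbbbbbbb-0000-4000-8000-00000000000b",  # e.g. "prospects"
        "cccccccc-0000-4000-8000-00000000000c",  # internal group the app must not see
    ],
    "1f2d3c4b-0000-4000-8000-000000000002": [],
}

# Allowlist: only these groups are ever emitted as claims, so the API's own
# Graph permission (which reads all groups) does not widen what tokens reveal.
GROUPS_EXPOSED_TO_APP = {
    "aaaaaaaa-0000-4000-8000-00000000000a",
    "bbbbbbbb-0000-4000-8000-00000000000b",
}


def basic_header(username, password):
    """Build the Authorization header value a B2C REST technical profile sends."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _basic_auth_ok(headers):
    """Constant-time check of the Basic credentials on the request."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = f"{API_USERNAME}:{API_PASSWORD}".encode("utf-8")
    return hmac.compare_digest(decoded, expected)


def _b2c_error(status, message):
    """Error body in the shape B2C surfaces to the user (assumed contract)."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def handle_claims_exchange(headers, body):
    """Process one claims-exchange call; returns (http_status, json_body)."""
    if not _basic_auth_ok(headers):
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized."}
    try:
        claims = json.loads(body)
    except ValueError:
        return _b2c_error(409, "Malformed request.")
    object_id = claims.get("objectId") if isinstance(claims, dict) else None
    if not isinstance(object_id, str) or object_id not in GROUP_MEMBERSHIP:
        # Do not echo the supplied value back; keep the message generic.
        return _b2c_error(409, "Unknown user.")
    groups = sorted(g for g in GROUP_MEMBERSHIP[object_id] if g in GROUPS_EXPOSED_TO_APP)
    # "groups" becomes the output claim the policy maps into the token.
    return 200, {"groups": groups}


if __name__ == "__main__":
    # Constructed request, as the policy would send it.
    hdrs = {"Authorization": basic_header(API_USERNAME, API_PASSWORD)}
    print(handle_claims_exchange(hdrs, '{"objectId": "1f2d3c4b-0000-4000-8000-000000000001"}'))
```

Two design points carry the security weight: the credential comparison is constant-time and the unknown-user path returns the same generic message whether the objectId was absent, malformed, or simply not found, and the allowlist is applied on the API side rather than trusting the relying application to ignore groups it should not know about. In a real deployment the membership table would be replaced by a Graph call made with the API's own credential, which is exactly the secret the thread says has to be managed.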
John Del Forno commented
Sorry @parakh, this isn't a workaround.
I don't want admins of the B2C directory to need to have access to the parent directory to administer groups.
Nor can I allow them to have Graph API Access to the parent directory, as the current permissions grant access to all groups, not predefined or prefixed groups.
Matt Whited commented
WTF Microsoft. We want to use your tech stack but this is making it very difficult to stick around. If we have to be in pain anyway we might as well go somewhere else where it hurts less.
Still Under Review for 2 years????????
Ahmed Khalifa commented
@Nolan, would you buy a car that does not have a steering wheel but has a 'workaround'? What confidence would you have in the quality of the rest of said car?
I am sorry if that was blunt, but this is the state of the world, people bad-mouth Cognito but when it comes to usability, it is 100 times easier and faster to adapt, above all, the builders realize who their users are!
I can't believe this is even a conversation? Never mind that it is running for 2 years!
I have been a Dev advocate for a long time, and this is the first time I am building a sample for a startup with Azure, I really wanted this to work, but this absolutely breaks my confidence in the rest of the experience!
Pascal van der Horst commented
Lucas Vogel commented
Hi all - just wanted to throw out there that I created a console application for adding test users to Azure AD B2C instances. You can find the code at https://github.com/elvogel/b2c. You create a b2c.json (through the command line or manually) with AppId, Tenant and Secret settings, and use the command line to create test users.
I thought I'd throw it out there from here in case anyone finds it helpful.
Mats Alm commented
We are evaluating a CIAM solution for my customer; the process involves implementing a few basic features on the free tier of each option. Configuring and consuming group claims via OIDC is one of them. In this case it should work with both asp.net core and nodejs apps.
Considering how easy this is solved with the other alternatives, the lack of this feature is most likely something that will make us pick another solution.