Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership groups in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a sign-in policy, but it's impossible to get user membership groups.
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or are there different requirements around this for Azure AD B2C?
Still Under Review for 2 years????????
Ahmed Khalifa commented
@Nolan, would you buy a car that does not have a steering wheel but has a 'workaround'? What confidence would you have in the quality of the rest of said car?
I am sorry if that was blunt, but this is the state of the world: people bad-mouth Cognito, but when it comes to usability it is 100 times easier and faster to adapt; above all, the builders realize who their users are!
I can't believe this is even a conversation? Never mind that it is running for 2 years!
I have been a Dev advocate for a long time, and this is the first time I am building a sample for a startup with Azure, I really wanted this to work, but this absolutely breaks my confidence in the rest of the experience!
Nolan Miracle commented
Folks there is a workaround for this using custom policies. Please see below from my comment(s) back in 2017:
To elaborate on my previous comment - the RestAPI call is made via the custom policy (to query AAD) and can be used to build the claims onto the token. The call is not made via the application. I do agree that this is more work than what should need to be done, but it is possible to accomplish. Hope this helps!
Pascal van der Horst commented
Lucas Vogel commented
Hi all - just wanted to throw out there that I created a console application for adding test users to Azure AD B2C instances. You can find the code at https://github.com/elvogel/b2c. You create a b2c.json (through the command line or manually) with AppId, Tenant and Secret settings, and use the command line to create test users.
I thought I'd throw it out there from here in case anyone finds it helpful.
Mats Alm commented
We are evaluating a CIAM solution for my customer; the process involves implementing a few basic features on the free tier of each option. Configuring and consuming group claims via OIDC is one of them. In this case it should work with both asp.net core and nodejs apps.
Considering how easy this is solved with the other alternatives, the lack of this feature is most likely something that will make us pick another solution.
Kyle Pope commented
Thanks Lucas Vogel and ricky zou for the example solutions. While I like both solutions, I think the ideal solution is something like ricky's since it returns the groups as part of the token and doesn't put the responsibility to go look them up in each app that uses B2C. That said, it has increased complexity since you'll need to (1) use a custom policy and (2) manage/configure the extra Azure function that must be deployed... I still think it would be a big win if Microsoft would provide an officially documented workaround that does this and makes it easy for people to implement this feature on their own...
Lucas Vogel commented
I created a sample project that uses an IAuthorizationService implementation to check users against groups in the AD back end using the Graph API. Check it out: https://github.com/endpointsystems/Azure.B2C.Demos.GroupAuthorization
Brief writeup about it here: https://endpointsystems.com/blog/azure-ad-b2c-group-authorization
ricky zou commented
An MS consultant provided a link to this workaround (http://mrochon.azurewebsites.net/2019/05/06/using-groups-in-azure-ad-b2c/), and it's UGLY! B2C for us provides an abstraction layer for handling other IdPs in order to reduce complexity; this limitation and the complexity in the workaround is making me rethink if B2C is even a good fit for us. Not only is the workaround difficult to set up and maintain, it requires an additional AZ Function service.
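The custom-policy workaround that Nolan Miracle and ricky zou describe, as an added illustration (not code from this thread or from the linked write-up): a REST technical profile in TrustFrameworkExtensions.xml sends the user's objectId to an Azure Function, the function answers with a JSON array of group names, and the policy carries that array into the token as a stringCollection claim. The function URL, the policy key names and the orchestration step order are placeholders/assumptions for your own journey.

```xml
<!-- 1. Claim type that will carry the group memberships (ClaimsSchema in BuildingBlocks) -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="groups">
      <DisplayName>Groups</DisplayName>
      <DataType>stringCollection</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- 2. Technical profile that calls the (assumed) Azure Function. The function receives
     {"objectId": "..."} in the body and must answer {"groups": ["group-a", "group-b"]}. -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-GetUserGroups">
      <DisplayName>Look up group memberships for the signed-in user</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://FUNCTION-HOST-PLACEHOLDER/api/groups</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Basic auth so only the policy can call the function; never leave it anonymous -->
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy keys holding the credential the function validates (assumed key names) -->
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="groups" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. Step in the sign-in user journey, placed after the step that reads the user
     from the directory (the Order value depends on your journey) -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetUserGroups" TechnicalProfileReferenceId="REST-GetUserGroups" />
  </ClaimsExchanges>
</OrchestrationStep>

<!-- 4. Relying party technical profile: emit the claim in the issued JWT -->
<OutputClaim ClaimTypeReferenceId="groups" />
```

The function itself is the part ricky zou objects to: it has to hold an app registration with permission to read group memberships from the directory and query them per sign-in, so the token then reflects memberships only as of issuance time.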
Can you guys please suggest a workaround?
One workaround that I can think of is to include an extension attribute and assign the group name to this attribute, which can then be included in a claim.
Any better solution?
If this is not going to get implemented, at least document this and publish the workaround for this. This is a basic requirement and AAD B2C is a paid service.
What's the workaround?
Dumitru Ozunu commented
We need this. Which workaround?!
Nick Lennox commented
Just to keep the pressure on, I am now on the third customer site where this feature would have been very valuable. Please implement the ability to configure B2C to add group IDs as claims in the B2C JWT.
Please include this feature
What is this "workaround" that you refer to? This seems like such basic "minimum viable product" functionality... you must really have a mess of legacy code on your hands here. I'll continue to use AWS Cognito, Okta, Auth0 and other more mature solutions, and recommend that my customers and colleagues do the same... Microsoft probably doesn't really care that we use other solutions anyway, as is evident from the age and popularity of this request.
Please add the role feature.
Don Airey commented
Microsoft: Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
Translation: Please evaluate Okta as we currently are not employing anyone competent enough to build this feature into our product.
Christos Karras commented
You say a workaround is available? Can we please know what the workaround is?
Adam Tibi commented
This is so important that I am having to abandon using AD B2C if this is not implemented and the workarounds seem like hacks rather than a proper solution.
This has been under review for a long time; is there an estimate of when this would be done (or not)?