How can we improve Azure Active Directory?

← Azure Active Directory

Get user membership groups in the claims with AD B2C

As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

1,716 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Alexandre Blecich shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  AdminAzure AD Team (Product Owner, Microsoft Azure) responded  · 

We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

Apologies for the delay.

/Parakh

Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?

Show previous admin responses (2)

97 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Joe Smith commented  ·   ·  Flag as inappropriate

    An explanation of the difficulty here.

    Azure B2C consists of a cut-down AzureAD tenant with the Identity Experience Framework (IEF) layered on top. When you authenticate against B2C you are really authenticating against an IEF flow, not the Azure AD directly. For local accounts, the default flows authenticate directly against the underlying Azure AD tenant.

    It does not get back groups. In order to enable this, the Identity Experience Framework application would need the the groupMembershipClaims change. That would get the groups into the Identity Experience Framework, but even then the default flows are probably not set up to forward such claims along. In any case, changing the groupMembershipClaims attribute is non-trivial, because the built-in flows use an application registered in the cpimcore.onmicrosoft.com tenant.

    If you use custom policy you don't use the shared application registration so it is most likely possible to apply the groupMembershipClaims to your manually created Application representing Identity Experience Framework, and then configuring things such that this claim gets exposed.

    But the above would only work for non-social logins. To make social logins work, there is no way to use the underlying AzureAD support for creating group claims. Instead the profile read step would need to read the groups. But I'm guessing the AzureActiveDirectoryProvider does not support fetching groups. Indeed, getting a user's groups is an extra API call on the Graph API that ideally should only occur if needed.

    There does not seem to be any easy way to allow the AzureActiveDirectoryProvider to know if the group claims will be needed for the app being processed. It would be easy enough to allow a global switch that if enabled always fetched groups for any application being signed in, even ones that don't need it. But that is likely too inefficient for Microsoft to be satisfied with.

    Basically this actually is complicated. If it were easy it would already have been implemented. And the above are what I am able to deduce are complications as an outsider. There could be even more roadblocks that are only visible to insiders.

  • Sam J. commented  ·   ·  Flag as inappropriate

    I'm just baffled at how many hoops I need to jump through to obtain something that I strongly feel should be out-of-the-box functionality. I've been working on this for a few days now and it is simply not what I expected from an industry leader. Please streamline this process.

  • Mark Duff commented  ·   ·  Flag as inappropriate

    None of the workarounds I've wasted time on work in .NET Core 5.0, so can this be a priority again now? Or where is the link to a working example w/ complete source code?

    This couldn't be a more fundamental need.

  • bob commented  ·   ·  Flag as inappropriate

    2021 !!!
    6 years and going for a must have option so that b2c can be used in a real-world application without redeveloping APIs and securing them, is MS intentionally do not want to implement this???

  • Howard Richards commented  ·   ·  Flag as inappropriate

    So this **basic feature** of any security system is STILL missing from B2C after five years? Glad I only wasted a few days testing out Azure B2C. Without groups/roles this is an absolute joke. Why would anyone use it?

  • Anonymous commented  ·   ·  Flag as inappropriate

    It is the same as what Azure AD does but in B2C.

    Currently in B2C you can add user attributes, which get added as claims to the user in AAD B2C.
    We would also like group membership claims to be populated.

  • Anonymous commented  ·   ·  Flag as inappropriate

    As others stated I also feel like the workaround here is awful and don't quite understand how this has not been fixed yet. I cannot see how this would be so expensive to implement, the data is there.

  • channa commented  ·   ·  Flag as inappropriate

    Why is there no update on this feature, the work around is ugly to say the least.

  • YALAVARTHI Hrushikesh commented  ·   ·  Flag as inappropriate

    If you include this feature, definitely it would have been a valuable feature. Am requesting Microsoft,please implement to ability to configure B2C to add group id's as claims in B2C JWT

  • Anonymous commented  ·   ·  Flag as inappropriate

    No point having B2C at all unless you're going to add features that enables a deployment in the real world! I spent the last 5 days of my precious time researching for a ready to go solution, only to find that B2C and Microsoft has once again let us all down.

    So ANGRY!!!!!!

← Previous 1 3 4 5

Azure Active Directory: B2C

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice