Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However, there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or are there different requirements around this for Azure AD B2C?
I can't believe that this isn't in by default. It makes me not trust what I think I know about this stuff.
Michael Rohwer commented
This is a highly desirable feature for my group.
Don Airey commented
How is using the Graph API a solution? You need to burn administrator privs and a secret into the application in order to query the API. This is a HUGE security leak and simply an unworkable solution. Your answer at the moment appears to be "Claims Based Authentication just doesn't work for B2C" which is unworkable for us.
@MikeDePouw Thanks, it's here :) https://stackoverflow.com/questions/49730197/azure-ad-b2c-single-page-app-roles
Mike DePouw commented
@Mark - that's a great question. I would recommend a Stack Overflow question with the 'azure-ad-b2c' tag.
How does the workaround work with SPA using MSAL.js? How can we use MSAL.js with groups / roles?
Antony Tomashuk commented
Yevgeniy Yankovoy (aka Architect from God) asked me to vote as he has a permanent ButtHurt because of the issue.
Anders Thorsen commented
"Because of the cost and the fact that there is a workaround available, other features get prioritized over this one."
May I ask what the recommended workaround is? The original poster mentions creating separate attributes for this, but is this the recommended workaround?
Wow. This is the top feature request for B2C - *for years* - and the team is saying that it is not on a roadmap.
If this most basic feature has a 'large development cost', then someone has seriously messed up in designing this system.
Please implement asap.
As the previous poster mentioned, the very little bit of documentation that exists for an actual implementation of a workaround is quite poor and out of date.
This is such a fundamental feature ... no matter the cost it should be addressed! Do the right thing: take the feedback and build the feature.
Moreover: The "workaround" is very poorly documented, if at all, and I've had 2 tickets open with MS Support for -a year- to make it work as it should in a standard web app - which is still unresolved. Many times they've tried to find documentation to make it work and failed.
Any updates, please?
Any update on this?
Myself and my teams have been *trying* to work with AAD B2C for *years* and this glacial progress has sadly been typical. This is very basic functionality that almost anyone using B2C will run into almost *immediately* once they try to start using it.
Please: Be heroes. Disprove the terrible reputation the team behind B2C has earned. Implement this fundamental feature ASAP.
Group information is very much needed. I'm surprised it isn't already found here. Don't be bad! Thanks!
I'm looking for the groups claim as well. Is there any headway?
Hrvoje Kusulja commented
We are using B2C and are using Groups for permissions. In regular AAD it is fine, but in B2C we need to have groups inside claims. This is a more than 2 and a half year old topic. Still no progress :(
Luiz Alberto commented
How much more time do we need to wait for this basic feature to become released?
Nolan Miracle commented
To elaborate on my previous comment - the RestAPI call is made via the custom policy and can be used to build the claims onto the token. The call is not made via the application. I do agree that this is more work than what should need to be done, but it is possible to accomplish. Hope this helps!
Mike DePouw commented
"Is the ask here to do the same thing that regular Azure AD does?" same* ask for us
*Group names, not GUIDs, please.
This has been out there for a year and is about to cause me to use some other solution. Do you know when this will be available?