Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership groups in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a sign-in policy, but it's impossible to get user membership groups.
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However, there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or are there different requirements around this for Azure AD B2C?
Thank you, now it’s really very convenient.
Zach Tanksley commented
The workaround at the link below is nice and easy to implement, but it has cost me days of development time that would not have been necessary if this was a feature.
No point having B2C at all unless you're going to add features that enable a deployment in the real world! I spent the last 5 days of my precious time researching for a ready-to-go solution, only to find that B2C and Microsoft has once again let us all down.
Alfie Wallace commented
Dear Azure AD Team,
Can you give an update on the status of this? It's been over 2 years since the last one.
The current workaround requires maintaining an API to make Graph queries, which in turn requires A) securing the API and testing that it isn't vulnerable to attack, B) maintaining the policy which communicates with the API, and C) managing the secrets used to connect to the application inside our tenant for these queries.
The reason we want to use B2C is to avoid such tasks. It would be great to know whether we can expect this soon, and if not why it isn't being treated as a priority since there is clearly a demand.
Joseph Bailey commented
Please reconsider adding this functionality. It's been 4 1/2 years since this request was opened and there is CLEARLY still a demand for this. How many votes do you need to make this a reality? And what workaround? I've been ******* my head against the wall for weeks trying to hack a workaround using Graph, but it's still an unnecessary thing to have to do when regular old AD supports this out of the box.
Mark Duff commented
How is this even a disconnect? Every MS Evangelist recommends, nay, insists, nay admonishes us if we don’t base authorization on AD Groups rather than Users. But B2C AD User’s Groups are hidden from simple Claims? MS says, “oh, it’s too much work”. Not for your competitors. You want their slice of the pie? After years of waiting for this, it seems not. Our inability to recapture in Claims transitions from B2C casual visitors (Group) to prospects (Group) to customers (Group) to heightened elevations w/o our own mechanisms renders B2C AD Grouping moot and negates all the other relevant MS preaching. Really MS? We who work quietly ARE your true evangelists. But this is a sad sacrifice of a tree that makes the forest.
I find it a total waste if I can assign groups to my users but cannot return those groups as claims; this would've allowed me to build a more generic, robust system. The only best way I thought of in my scenario is assigning the groups as Products in API Management and then publishing it as APIs depending on what group you belong to. If anyone has any other ideas.
But like really I can only include what the Application wants and not what I want from Microsoft.Graph
Gloria Gallego commented
You can add an API call on the IEF Custom Policy to be able to pass the Groups and Roles as claims.
John Del Forno commented
Sorry @parakh, this isn't a work around.
I don't want admins of the B2C directory to need to have access to the parent directory to administer groups.
Nor can I allow them to have Graph API Access to the parent directory, as the current permissions grant access to all groups, not predefined or prefixed groups.
Matt Whited commented
WTF Microsoft. We want to use your tech stack but this is making it very difficult to stick around. If we have to be in pain anyway we might as well go somewhere else where it hurts less.
Still Under Review for 2 years????????
Ahmed Khalifa commented
@Nolan, would you buy a car that does not have a steering wheel but has a 'workaround'? What confidence would you have in the quality of the rest of said car?
I am sorry if that was blunt, but this is the state of the world, people bad-mouth Cognito but when it comes to usability, it is 100 times easier and faster to adapt, above all, the builders realize who their users are!
I can't believe this is even a conversation? never mind that it is running for 2 years!
I have been a Dev advocate for a long time, and this is the first time I am building a sample for a startup with Azure, I really wanted this to work, but this absolutely breaks my confidence in the rest of the experience!
Pascal van der Horst commented
Lucas Vogel commented
Hi all - just wanted to throw out there that I created a console application for adding test users to Azure AD B2C instances. You can find the code at https://github.com/elvogel/b2c. You create a b2c.json (through the command line or manually) with AppId, Tenant and Secret settings, and use the command line to create test users.
I thought I'd throw it out there from here in case anyone finds it helpful.
Mats Alm commented
We are evaluating a CIAM solution for my customer; the process involves implementing a few basic features on the free tier of each option. Configuring and consuming group claims via OIDC is one of them. In this case it should work with both asp.net core and nodejs apps.
Considering how easily this is solved with the other alternatives, the lack of this feature is most likely something that will make us pick another solution.
Kyle Pope commented
Thanks Lucas Vogel and ricky zou for the example solutions. While I like both solutions, I think the ideal solution is something like ricky's since it returns the groups as part of the token and doesn't put the responsibility to go look them up in each app that uses B2C. That said, it has increased complexity since you'll need to (1) use a custom policy and (2) manage/configure the extra Azure function that must be deployed... I still think it would be a big win if Microsoft would provide an officially documented workaround that does this and makes it easy for people to implement this feature on their own...
Lucas Vogel commented
I created a sample project that uses an IAuthorizationService implementation to check users against groups in the AD back end using the Graph API. Check it out: https://github.com/endpointsystems/Azure.B2C.Demos.GroupAuthorization
Brief writeup about it here: https://endpointsystems.com/blog/azure-ad-b2c-group-authorization
ricky zou commented
A MS consultant provided a link to this workaround (http://mrochon.azurewebsites.net/2019/05/06/using-groups-in-azure-ad-b2c/), and it's UGLY! B2C for us provides an abstraction layer for handling other IdPs in order to reduce complexity; this limitation and the complexity in the workaround is making me rethink if B2C is even a good fit for us. Not only is the workaround difficult to set up and maintain, it requires an additional AZ Function service.
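The custom-policy workaround that Kyle Pope and ricky zou describe above (a REST endpoint the policy calls, which looks the user's groups up in the directory and hands them back as a claim) can be sketched as an added example; this is not code from the thread or from the linked blog post. The request/response contract with the policy, the `objectId`/`groups` claim names, the Graph lookup stub and the `b2c-` prefix filter are all assumptions; the filter is there because, as noted above, the Graph permission otherwise exposes every group in the parent directory.

```python
import json
from typing import Dict, List

# Constructed stand-in for the Microsoft Graph "memberOf" lookup (user objectId -> group names).
# A real function would call Graph with its own client credentials here.
FAKE_DIRECTORY: Dict[str, List[str]] = {
    "11111111-aaaa-bbbb-cccc-222222222222": ["b2c-customers", "b2c-prospects", "Global Admins"],
    "33333333-aaaa-bbbb-cccc-444444444444": [],
}

# Assumed convention: only groups with this prefix are ever released to the policy,
# so directory-wide groups such as "Global Admins" never reach the B2C application.
GROUP_PREFIX = "b2c-"


def lookup_groups(object_id: str) -> List[str]:
    """Assumed Graph lookup; returns the user's group display names."""
    return FAKE_DIRECTORY.get(object_id, [])


def handle_claims_request(body: str) -> dict:
    """Handle one REST technical-profile call from the B2C custom policy.

    Assumed contract: the policy posts JSON whose top-level keys are the input claims
    (here 'objectId'); the keys of the JSON reply become output claims (here 'groups').
    """
    try:
        req = json.loads(body)
        object_id = req["objectId"]
    except (ValueError, KeyError, TypeError):
        # Conflict-style error reply: the policy shows userMessage and stops the journey.
        return {"version": "1.0.0", "status": 409, "userMessage": "Missing objectId claim."}
    groups = sorted(g for g in lookup_groups(object_id) if g.startswith(GROUP_PREFIX))
    # One comma-separated string claim; the policy maps it to a string claim type.
    return {"groups": ",".join(groups)}


def is_member(groups_claim: str, required: str) -> bool:
    """Application-side check against the 'groups' claim carried in the issued token."""
    return required in [g for g in groups_claim.split(",") if g]
```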
Can you guys please suggest a workaround?
One workaround that I can think of is to include an extension attribute and assign the group name to this attribute, which can be further included in the claim.
Any better solution?
If this is not going to get implemented, at least document this and publish the workaround for it. This is a basic requirement and AAD B2C is a paid service.