How can we improve Azure Active Directory?

Get user membership groups in the claims with AD B2C

As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?

Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.

1,020 votes
Sign in
Sign in with: Microsoft
Signed in as (Sign out)

We’ll send you updates on this idea

Alexandre Blecich shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.

That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.

Apologies for the delay.


Old message:
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: or is are there different requirements around this for Azure AD B2C?


Sign in
Sign in with: Microsoft
Signed in as (Sign out)
  • Nolan Miracle commented  ·   ·  Flag as inappropriate

    To elaborate on my previous comment - the RestAPI call is made via the custom policy and can be used to build the claims onto the token. The call is not made via the application. I do agree that this is more work than what should need to be done, but it is possible to accomplish. Hope this helps!

  • Mike DePouw commented  ·   ·  Flag as inappropriate

    "Is the ask here to do the same thing that regular Azure AD does?" same* ask for us

    *Group names not guids please.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This has been out there for a year and is about to cause me to use some other solution. Do you know when this will be available?

  • WM commented  ·   ·  Flag as inappropriate

    I don't understand this, I think it is an important feature and we also need this.
    It is cumbersome to use the GraphAPI for this little demand...

  • Kirstie Wu commented  ·   ·  Flag as inappropriate

    This is absolutely insane. +1 Something so basic... yet... almost 2 years has passed...nothing is done.

  • Don Airey commented  ·   ·  Flag as inappropriate

    For Role Based Authentication, you just need a group membership in order to map the group to a set of claims. So the answer to your question is: we just need what Azure AD does in the B2C endpoint.

  • Tim Uy commented  ·   ·  Flag as inappropriate

    This needs to be fixed. It is now 2017 and I am trying to replace an existing auth structure with AD B2C. Group claims are important.

  • Don Airey commented  ·   ·  Flag as inappropriate

    I had a colonoscopy last year without anesthesia. Digging through the B2C architecture to get my claims-based authentication working was a worse experience for me. First, there's no way to create a local user using an email address for the identity (that is, an email address not tied to any identity provider) in the portal . You need to create a separate application with CRUD privileges. Then you need to add the new user with a command line utility found in GIT. Then you need to go back to the portal to add them to a group, then you need to bake the credentials of this secondary application into your service in order to read the group affiliations of the users.

    It's not all pain, however. Once I got everything working, it's very slick to have a complete web service working out of a single Cloud Service with Authentication and SQL handled in the cloud.

Feedback and Knowledge Base