Get user membership groups in the claims with AD B2C
As is possible in standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership groups in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a sign-in policy, but it's impossible to get user membership groups.
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However, there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or are there different requirements around this for Azure AD B2C?
I'm looking for the groups claim as well. Is there any headway?
Hrvoje Kusulja commented
We are using B2C and are using Groups for permissions. In regular AAD it is fine, but in B2C we need to have groups inside claims. This is a more than two and a half year old topic. Still no progress :(
Luiz Alberto commented
How much more time do we need to wait for this basic feature to become released?
Nolan Miracle commented
To elaborate on my previous comment - the RestAPI call is made via the custom policy and can be used to build the claims onto the token. The call is not made via the application. I do agree that this is more work than what should need to be done, but it is possible to accomplish. Hope this helps!
Mike DePouw commented
"Is the ask here to do the same thing that regular Azure AD does?" same* ask for us
*Group names not guids please.
This has been out there for a year and is about to cause me to use some other solution. Do you know when this will be available?
I don't understand this, I think it is an important feature and we also need this.
It is cumbersome to use the GraphAPI for this little demand...
This is absolutely insane and not to be expected.
Yaser Mehraban commented
Calling an API for getting the groups a user is a member of is not ideal. +1 for returning them as claims
Nolan Miracle commented
This is possible with custom policies making a REST API call.
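The two comments above describe the workaround Microsoft alludes to: a custom policy with a RESTful technical profile calls an HTTP endpoint, and the JSON properties that endpoint returns become output claims that the policy places in the token. The following is an added example of the endpoint side of that exchange; it is not code from the commenter, from Microsoft, or from any B2C sample. It assumes the policy posts the user's objectId as an input claim, authenticates to the endpoint with HTTP Basic credentials stored in policy keys, and that the error body format (version/status/userMessage on a 409) is the one B2C renders to the user. The group directory is a constructed in-memory table standing in for a Microsoft Graph lookup. The security points a reviewer would look for are all here: the caller is authenticated with a constant-time compare (anyone who can reach this endpoint unauthenticated can mint group claims), the objectId is validated before it is used, and an unknown user gets an empty group list rather than a default role.

```python
import base64
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

# Constructed sample directory (user objectId -> group display names). A real
# deployment would resolve these through Microsoft Graph; this table stands in for it.
SAMPLE_GROUP_DIRECTORY: Dict[str, List[str]] = {
    "11111111-1111-1111-1111-111111111111": ["Admin", "Readers"],
    "22222222-2222-2222-2222-222222222222": ["Readers"],
}

# Credentials the custom policy is assumed to present via HTTP Basic auth
# (hypothetical values; in B2C they would be held in policy keys, not in source).
POLICY_USERNAME = "b2c-policy"
POLICY_SECRET = "replace-with-policy-key"

OBJECT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def basic_auth_header(username: str, secret: str) -> str:
    """Build the Authorization header value the policy would send."""
    return "Basic " + base64.b64encode(f"{username}:{secret}".encode()).decode()


def authorized(headers: Dict[str, str]) -> bool:
    """Accept only callers presenting the shared credential (constant-time compare)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("authorization", "")
    expected = basic_auth_header(POLICY_USERNAME, POLICY_SECRET)
    return hmac.compare_digest(presented.encode(), expected.encode())


def error_response(status: int, message: str) -> dict:
    """Error body in the shape assumed for B2C's RESTful technical profile."""
    return {"version": "1.0.0", "status": status, "userMessage": message}


def build_claims_response(raw_body: str, directory=None) -> Tuple[int, dict]:
    """Map the policy's input-claims JSON to the output-claims JSON.

    Returns (http_status, json_body). The single output claim is 'groups', a list
    of display names, which the policy can map straight onto a token claim.
    """
    directory = SAMPLE_GROUP_DIRECTORY if directory is None else directory
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 409, error_response(409, "Request body is not valid JSON.")
    object_id = body.get("objectId") if isinstance(body, dict) else None
    # Validate the identifier before any lookup: the API receives whatever the
    # policy forwards as input claims and must not trust its shape.
    if not isinstance(object_id, str) or not OBJECT_ID_RE.match(object_id):
        return 409, error_response(409, "objectId is missing or malformed.")
    # Unknown user -> empty list. Never fall back to a default role (fail closed).
    groups = directory.get(object_id, [])
    return 200, {"groups": sorted(groups)}


class ClaimsHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for the functions above."""

    def do_POST(self):
        if not authorized(dict(self.headers.items())):
            self._send(401, error_response(401, "Unauthorized."))
            return
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode("utf-8", "replace")
        status, payload = build_claims_response(raw)
        self._send(status, payload)

    def _send(self, status: int, payload: dict):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local run only; a policy-facing deployment must sit behind TLS.
    HTTPServer(("127.0.0.1", 8080), ClaimsHandler).serve_forever()
```

On the policy side the technical profile would name `objectId` as its input claim and `groups` as its output claim; the application then reads the `groups` claim from the token instead of calling Graph itself, which is the point the commenters are making. The endpoint returns names rather than GUIDs, matching the preference expressed elsewhere in the thread.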
weißnet auchnicht commented
Am I right that application roles do not exist in AAD B2C, either?
Kirstie Wu commented
This is absolutely insane. +1 Something so basic... yet... almost 2 years have passed... nothing is done.
Spencer C commented
This is absolutely insane.
Daniel Hallqvist commented
Pretty unbelievable that such a basic, essential part of an authentication system isn't already implemented.
Rob Richardson commented
We desire the same functionality available in regular Azure AD with the ability to assign more than one application role to a user.
To any folks struggling to obtain B2C user group claims from Graph API: while we wait for group claims to be integrated into B2C tokens, please refer to my detailed write-up in this post:
There's quite a bit of voodoo dancing required, but it works as an interim solution.
The given examples of the regular AD capabilities would totally cover our use cases.
Don Airey commented
For Role Based Authentication, you just need a group membership in order to map the group to a set of claims. So the answer to your question is: we just need what Azure AD does in the B2C endpoint.
Tim Uy commented
Even just one group - Admin!
Tim Uy commented
This needs to be fixed. It is now 2017 and I am trying to replace an existing auth structure with AD B2C. Group claims are important.