Get user membership groups in the claims with AD B2C
As is possible in standard Azure AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return the user's membership groups in the claims with AD B2C?
Right now we can only get the default and custom attributes by adding a sign-in policy, but it's impossible to get user membership groups.
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However, there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/), or are there different requirements around this for Azure AD B2C?
Kirstie Wu commented
This is absolutely insane. +1 Something so basic... yet... almost 2 years have passed... nothing is done.
Spencer C commented
This is absolutely insane.
Daniel Hallqvist commented
Pretty unbelievable that such a basic, essential part of an authentication system isn't already implemented.
Rob Richardson commented
We desire the same functionality available in regular Azure AD with the ability to assign more than one application role to a user.
To any folks struggling to obtain B2C user group claims from Graph API: while we wait for group claims to be integrated into B2C tokens, please refer to my detailed write-up in this post:
There's quite a bit of voodoo dancing required, but it works as an interim solution.
The given examples of the regular AD capabilities would totally cover our use cases.
Don Airey commented
For Role Based Authentication, you just need a group membership in order to map the group to a set of claims. So the answer to your question is: we just need what Azure AD does in the B2C endpoint.
Tim Uy commented
Even just one group - Admin!
Tim Uy commented
This needs to be fixed. It is now 2017 and I am trying to replace an existing auth structure with AD B2C. Group claims are important.
Don Airey commented
I had a colonoscopy last year without anesthesia. Digging through the B2C architecture to get my claims-based authentication working was a worse experience for me. First, there's no way to create a local user using an email address for the identity (that is, an email address not tied to any identity provider) in the portal. You need to create a separate application with CRUD privileges. Then you need to add the new user with a command-line utility found in Git. Then you need to go back to the portal to add them to a group, then you need to bake the credentials of this secondary application into your service in order to read the group affiliations of the users.
It's not all pain, however. Once I got everything working, it's very slick to have a complete web service working out of a single Cloud Service with Authentication and SQL handled in the cloud.
Cleiton Dos Santos Garcia commented
In Azure AD it is possible to query the Graph API using the user token, but with AD B2C I am receiving HTTP 401 from both (graph.microsoft.com and graph.windows.net).
Jason Levandoski commented
So how far off is this release? This is a huge hindrance.
Is there a Beta to test?
We are trying to move from Stormpath to Azure and find that Azure is lacking this capability. Spending days making a service user that can query the Graph API for this is tedious!
Greg Fyans commented
Is there an update to Alexander's suggestion? It would seem to me this is a popular use case for applications using B2C, as B2C is essentially a replacement for more common membership providers that have such functionality.
Neeraj Yadav commented
Hi, how can I assign a group to a user during signup in AD B2C?
Hi Alexandre - This is a good suggestion. Thank you. We will add this to our backlog. For now, you could query using Graph; not the desired method, but it would work.
Devindra (Program Manager Azure AD B2C - Microsoft)
Alexander Viken commented
This would be very useful, for instance, when you create a B2C directory and could split users into e.g. "subscribers" or "non-subscribers" groups and create [Authorize(Roles = "subscribers")] attributes for your view controllers without a lot of custom code.
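The workaround that comes up throughout this thread (Don Airey's description of a secondary application that reads group affiliations, Devindra's "query using Graph", and Alexander's group-to-role mapping) is shown below as an added example; it is not code from the thread or from Microsoft. It assumes a service application has already obtained a Graph access token through client credentials (token acquisition is not shown), that the directory is read through the Microsoft Graph memberOf endpoint, whose paged response shape ("value" plus "@odata.nextLink") is used here, and that the group object ids in GROUP_TO_ROLE are placeholders for the real ids in your tenant. The HTTP layer is injected as a fetch callable so the example runs offline against constructed pages.

```python
"""Map Azure AD B2C group membership (read via Graph) into application role claims."""
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: Microsoft Graph, not graph.windows.net

# Placeholder group object ids -> role names. Mapping by object id rather than
# displayName matters: display names are not unique in a directory, object ids are.
GROUP_TO_ROLE: Dict[str, str] = {
    "00000000-0000-0000-0000-000000000001": "subscribers",
    "00000000-0000-0000-0000-000000000002": "admin",
}

# fetch(url, headers) -> parsed JSON body; in production this wraps an HTTP client.
Fetch = Callable[[str, Dict[str, str]], Dict]


def member_of_request(user_object_id: str, token: str) -> Dict[str, object]:
    """Build the Graph request for the user's direct memberships."""
    return {
        "url": f"{GRAPH}/users/{user_object_id}/memberOf",
        "headers": {"Authorization": f"Bearer {token}", "Accept": "application/json"},
    }


def iter_groups(fetch: Fetch, user_object_id: str, token: str, max_pages: int = 50):
    """Yield group objects only, following @odata.nextLink with a page bound."""
    req = member_of_request(user_object_id, token)
    url, headers = req["url"], req["headers"]
    for _ in range(max_pages):
        page = fetch(url, headers)
        for obj in page.get("value", []):
            # memberOf also returns directoryRole and administrativeUnit objects;
            # only groups participate in the role mapping.
            if obj.get("@odata.type") == "#microsoft.graph.group":
                yield obj
        url = page.get("@odata.nextLink")
        if not url:
            return
    raise RuntimeError("memberOf paging exceeded max_pages")


def roles_for_user(fetch: Fetch, user_object_id: str, token: str) -> List[str]:
    """Resolve a user's roles; groups without an explicit mapping grant nothing."""
    roles = {GROUP_TO_ROLE[g["id"]] for g in iter_groups(fetch, user_object_id, token)
             if g.get("id") in GROUP_TO_ROLE}
    return sorted(roles)


def role_claims(roles: List[str]) -> List[Dict[str, str]]:
    """Shape roles as claims the application can attach to its own session/token."""
    return [{"type": "roles", "value": r} for r in roles]


# --- constructed sample data standing in for two Graph response pages ---
_PAGE1 = {
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "00000000-0000-0000-0000-000000000001", "displayName": "subscribers"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "00000000-0000-0000-0000-0000000000aa", "displayName": "Global Administrator"},
        {"@odata.type": "#microsoft.graph.group",
         "id": "00000000-0000-0000-0000-0000000000bb", "displayName": "admin"},  # unmapped id
    ],
    "@odata.nextLink": f"{GRAPH}/users/user-1/memberOf?$skiptoken=page2",
}
_PAGE2 = {
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "00000000-0000-0000-0000-000000000002", "displayName": "admin"},
    ],
}
SEEN_HEADERS: List[Dict[str, str]] = []


def fake_fetch(url: str, headers: Dict[str, str]) -> Dict:
    """Offline stand-in for the HTTP client; records headers for inspection."""
    SEEN_HEADERS.append(headers)
    return _PAGE2 if "page2" in url else _PAGE1


if __name__ == "__main__":
    print(role_claims(roles_for_user(fake_fetch, "user-1", "constructed-token")))
```

Note that the unmapped group whose displayName is "admin" does not grant the admin role; only the configured object id does. That is the property to keep when wiring this into an [Authorize(Roles = ...)] check: the service application's credential must stay server-side, and the role list should be derived from ids you control, never from names a user or a delegated admin could reproduce.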