Include only pre-selected groups into the claim
At the moment all groups the user is a member of are included, and if that number exceeds 150 (200), a link is sent instead. It is better to only include groups which make sense for the application.
In a modern environment, half of the users in big companies are members of more than 200 groups, but for each individual application only a few may be somewhat indicative. So why not have the possibility to select only the groups which make sense for each app, so that only those are included in the response?
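Until the IdP can filter the claim, a relying party can at least enforce the "only groups that make sense for the app" rule on its own side. The following is an added example, not code from the original post or from Microsoft: it assumes the token's signature, issuer and audience were already validated and the claims are held as a dict, it assumes the app authorizes on a small allowlist of group object IDs, and all IDs and the endpoint URL are constructed placeholders.

```python
# Defensive handling of Azure AD group claims in a relying party.
# When a user is over the group limit, Azure AD omits "groups" and instead
# emits "_claim_names"/"_claim_sources" pointing at a Graph endpoint (the
# "link sent instead" behaviour). All values below are constructed samples.

NORMAL_CLAIMS = {
    "sub": "user-1",
    "groups": [
        "11111111-0000-0000-0000-000000000001",
        "22222222-0000-0000-0000-000000000002",
        "33333333-0000-0000-0000-000000000003",
    ],
}

OVERAGE_CLAIMS = {
    "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/PLACEHOLDER"}},
}

# Assumption: the only group IDs this application ever authorizes on.
APP_RELEVANT_GROUPS = {
    "11111111-0000-0000-0000-000000000001",
    "99999999-0000-0000-0000-000000000009",
}


def has_group_overage(claims):
    """True when the token carries the overage indicator instead of groups."""
    names = claims.get("_claim_names") or {}
    return "groups" not in claims and names.get("groups") is not None


def relevant_groups(claims, allowlist, resolver=None):
    """Return the subset of the user's groups this app cares about.

    resolver: optional callable(endpoint) -> list of group IDs, called only
    in the overage case. Fails closed: overage with no resolver yields no
    groups, so the user gets no group-based access rather than a guess.
    """
    if "groups" in claims:
        ids = claims["groups"]
    elif has_group_overage(claims):
        if resolver is None:
            return set()
        src = claims["_claim_names"]["groups"]
        endpoint = claims["_claim_sources"][src]["endpoint"]
        ids = resolver(endpoint)
    else:
        ids = []
    # Intersect so groups the app should not even be aware of are dropped.
    return set(ids) & set(allowlist)
```

A real resolver would call the Graph endpoint with the app's own credentials and the user's identity; the intersection step is what keeps unrelated group memberships out of the app's authorization decisions.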
This feature is planned. We don’t have an ETA yet to share.
Please continue voting to help us prioritize.
Sean Stark commented
Azure AD is the only IDP that I know of which limits the number of groups returned in a claim. The 150 group limit is very small, as indicated in the request. 80% of users are well over this number of groups. I would like to see this as a higher priority, either adding the option to only send specific groups in the claim or removing the 150 group limit. This is a selling point to me, and as a customer I would be looking at other IDPs because of this limitation.
Dustin Dishner commented
Please provide an update on the ETA. This is a critical issue for us as I'm sure it is for others.
Rene Jacob commented
Is there any update on the ETA yet, please? Many thanks
Stefan Hänßgen commented
Would really make sense... with normal ADFS it's easy to filter out groups, why not here?
Handing over all of them is a potential security/privacy issue (the SAML-connected 3rd party app will see lots of groups that it should not even be aware of), and the "use our API to query for groups if we do not manage to transmit all of them" approach is neither elegant nor SAML 2.0 standard...
It looks like something similar was recently implemented for other attribute claims (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization), but it looks like group claims are omitted. To add to this, the existing group claim process doesn't allow Azure AD-owned groups (not on-prem groups) to be claimed in any way other than by group ID. While this is functional, it would be good to be able to send group names instead of group IDs, no matter where the group lives (on-prem or in the cloud).