Include only pre-selected groups in the claim
At the moment all groups the user is a member of are included, and if that number exceeds 150 (200), a link is sent instead. It is better to only include the groups which make sense for the application.
In modern environments, half of the users in big companies are members of more than 200 groups, but for each individual application only a few may be somewhat indicative. So why not have the possibility to select only the groups which make sense for each app, and only those would be included in the response?
We have enabled the ability to send in the token only the groups assigned to the application.
Please try it out and give us feedback: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration
Kendrick Chew commented
My organisation is also facing the same issue. Although with help from one of Microsoft's Cloud Solution Architects we were able to work around the issue by defining custom App Roles in the manifest, this has added a certain degree of complexity to ongoing operational maintenance. Please kindly make this feature available as soon as possible, as a lot of organisations have requested it.
Dustin Dishner commented
This needs an update on the ETA. You can't tell us that the feature has been requested for over 2 years and planned for 7 months and there is no estimate of when it will be added to the product. This is a critical need for enterprise customers. We have had to migrate federations back into ADFS due to this issue. Please allow us to use this platform by making the necessary changes.
Sean Stark commented
Azure AD is the only IdP that I know of which limits the number of groups returned in a claim. The 150 group limit is very small, as indicated in the request. 80% of users are well over this number of groups. I would like to see this as a higher priority, either adding the option to only send specific groups in the claim or removing the 150 group limit. This is a selling point to me, and as a customer I would be looking at other IdPs because of this limitation.
Dustin Dishner commented
Please provide an update on the ETA. This is a critical issue for us as I'm sure it is for others.
Rene Jacob commented
Is there any update on the ETA yet, please? Many thanks
Stefan Hänßgen commented
Would really make sense... with normal ADFS it's easy to filter out groups, why not here?
Handing over all of them is a potential security/privacy issue (the SAML-connected 3rd party app will see lots of groups that it should not even be aware of), and the "use our API to query for groups if we do not manage to transmit all of them" approach is neither elegant nor SAML 2.0 standard...
It looks like something similar was recently implemented for other attribute claims (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization), but it looks like group claims are omitted. To add to this, the existing group claim process doesn't allow Azure AD-owned groups (not on-prem groups) to be claimed in any way other than by group ID. While this is functional, it would be good to be able to send group names instead of group IDs, no matter where the group lives (on-prem or in the cloud).
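Two points in this thread matter on the relying-party side: the original request's note that above 150 (200) groups the IdP sends a link instead of the groups, and the later comment that an app should only ever see the groups it actually needs. The following is an added example, not code from the page or from Microsoft, showing how an application receiving a SAML assertion can handle both: it treats the overage link as "membership unknown" (fail closed, rather than reading an absent groups attribute as "no groups"), and it intersects whatever groups do arrive with the app's own allowlist so that only relevant memberships are ever acted on or logged. The attribute names `GROUPS_ATTR` and `GROUPS_LINK_ATTR` are my assumption of what Azure AD emits and should be checked against a real assertion from your tenant; the assertions and group IDs below are constructed sample data.

```python
"""Relying-party handling of Azure AD group claims in a SAML assertion (added example).

Cases covered:
  1. groups attribute present  -> keep only the groups this app cares about
  2. groups.link present       -> overage: IdP sent a lookup link, membership is unknown
  3. neither present           -> no groups were emitted for this user
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names (verify against an assertion from your own tenant).
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_ATTR = "http://schemas.microsoft.com/claims/groups.link"

# Constructed allowlist: the only groups this application is interested in.
APP_GROUPS: Set[str] = {
    "00000000-0000-0000-0000-0000000000aa",  # constructed: "app-admins"
    "00000000-0000-0000-0000-0000000000bb",  # constructed: "app-users"
}


@dataclass(frozen=True)
class GroupDecision:
    status: str                       # "resolved", "overage" or "none"
    groups: FrozenSet[str] = frozenset()  # app-relevant groups only
    link: Optional[str] = None        # overage lookup link, if any


def _attribute_values(root: ET.Element, name: str) -> Optional[List[str]]:
    """Return the AttributeValue texts of the named Attribute, or None if absent."""
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return None


def evaluate_groups(assertion_xml: str, app_groups: Set[str]) -> GroupDecision:
    """Classify the group claims of an (already signature-verified) assertion."""
    root = ET.fromstring(assertion_xml)
    link = _attribute_values(root, GROUPS_LINK_ATTR)
    if link:
        # Overage: the groups were NOT transmitted. Do not treat this as "no groups".
        return GroupDecision("overage", link=link[0])
    groups = _attribute_values(root, GROUPS_ATTR)
    if not groups:
        return GroupDecision("none")
    # Data minimisation: discard every group the app has no business knowing about.
    return GroupDecision("resolved", frozenset(groups) & frozenset(app_groups))


def is_member(decision: GroupDecision, group_id: str) -> bool:
    """Fail closed: an overage (unknown membership) never grants access."""
    return decision.status == "resolved" and group_id in decision.groups


def _assertion(attributes_xml: str) -> str:
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0"><saml:AttributeStatement>'
        + attributes_xml + "</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed sample assertions (no signature; verify signatures before calling evaluate_groups).
ASSERTION_WITH_GROUPS = _assertion(
    f'<saml:Attribute Name="{GROUPS_ATTR}">'
    "<saml:AttributeValue>00000000-0000-0000-0000-0000000000aa</saml:AttributeValue>"
    "<saml:AttributeValue>00000000-0000-0000-0000-0000000000cc</saml:AttributeValue>"
    "<saml:AttributeValue>00000000-0000-0000-0000-0000000000bb</saml:AttributeValue>"
    "</saml:Attribute>"
)
ASSERTION_OVERAGE = _assertion(
    f'<saml:Attribute Name="{GROUPS_LINK_ATTR}">'
    "<saml:AttributeValue>https://graph.example.invalid/constructed-overage-link</saml:AttributeValue>"
    "</saml:Attribute>"
)
ASSERTION_NO_GROUPS = _assertion(
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
    "<saml:AttributeValue>constructed.user@example.invalid</saml:AttributeValue>"
    "</saml:Attribute>"
)

if __name__ == "__main__":
    for label, xml in [("groups", ASSERTION_WITH_GROUPS), ("overage", ASSERTION_OVERAGE), ("none", ASSERTION_NO_GROUPS)]:
        print(label, evaluate_groups(xml, APP_GROUPS))
```

The allowlist intersection is the application-side counterpart of the feature requested above: until the IdP filters groups for you, the app should drop everything it was not configured to use before the claim reaches authorisation logic or audit logs. For production use, parse with a hardened XML library (for example `defusedxml`) and only evaluate assertions whose signature has already been verified.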