When publishing an application using Active Directory Federation Services (AD FS) or another identity provider, you often use group membership as a claim in the user's token.
Until now, it was not possible to use group membership as a claim in an Azure AD application; now you can.
To start using the group membership claim for your Azure AD application, you must first ensure you are using at least Azure AD Connect version 1.2.70 (published in December 2018), as this release includes the rule to synchronize the required group attributes. By the way, a new version (1.3.20.0) has just been released, as announced here: https://t.co/DJMFcamte7
Then go to the Azure AD or Azure portal and edit the User Attributes & Claims for the SAML Single Sign On (SSO) configuration of your Enterprise Application.
Edit using the new experience
- Access the Single Sign On blade and edit the User Attributes & Claims
- Edit the Groups returned in claim option, which should currently be set to None
- Then choose the group type and the source group attribute to use
Supported formats are:
- Azure Active Directory GroupObjectId (Available for all groups)
- SAMAccountName (Available for groups synchronized from Active Directory)
- NetbiosDomain\samAccountName (Available for groups synchronized from Active Directory)
- DNSDomainName\samAccountName (Available for groups synchronized from Active Directory)
- If required by your application, you can customize the group claim by editing the Advanced Options (for example, making the group membership information available in the ‘role’ claim)
There is now less reason to be stuck with AD FS or any other identity provider.
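On the application side, the relying party should accept only the group claim format it was configured for and match group values exactly, so that a group synchronized in a different format is not mistaken for an authorized one. The following is an added example, not code from the original post: it parses a constructed SAML assertion fragment (the Azure AD groups claim name `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` is real; the group values and domain names are made up), classifies each value against the four supported formats above, and grants access only on a match in the expected format. It assumes the assertion signature has already been validated by the SAML library in use.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion fragment (not a real token, signature omitted;
# signature validation is assumed to have happened before this step).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>3b2e9c4f-1111-4a6a-9e0b-000000000001</saml:AttributeValue>
      <saml:AttributeValue>CONTOSO\\App-Admins</saml:AttributeValue>
      <saml:AttributeValue>contoso.com\\App-Users</saml:AttributeValue>
      <saml:AttributeValue>App-Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def classify(value):
    """Map a group claim value to one of the four formats Azure AD can emit."""
    if GUID_RE.match(value):
        return "GroupObjectId"
    if "\\" in value:
        domain, _, sam = value.partition("\\")
        if not domain or not sam:
            return "invalid"
        # A DNS domain name contains a dot; a NetBIOS name does not.
        return "DNSDomainName\\samAccountName" if "." in domain else "NetbiosDomain\\samAccountName"
    return "samAccountName" if value else "invalid"


def group_claims(assertion_xml):
    """Return every value of the groups claim found in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            values.extend((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def authorize(assertion_xml, expected_format, allowed_groups):
    """Keep only claims in the configured format that match an allowed group.

    AD group names and object ids are case-insensitive, so comparison is casefolded.
    """
    allowed = {g.casefold() for g in allowed_groups}
    return sorted(g for g in group_claims(assertion_xml)
                  if classify(g) == expected_format and g.casefold() in allowed)
```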