Azure AD – You can now use group claims in SAML and OIDC/Oauth token

When publishing application using Active Directory Federation Services (AD FS) or other identity provider, you often use group membership as claim is a user’s token.

Until now, this was not possible to use group membership as claim in Azure AD Application; now you can Smile

To start using group membership claim for your Azure AD Application, you must first ensure you are using at least Azure AD Connect version 1.2.70 (published in Dec 2018) – by the way a new version has just been released (version as announced here – as this includes rule to synchronize the required group attributes.

Then you can go to your Azure AD or Azure portal to edit the the User Attributes & Claims for the SAML Single Sign On (SSO) for your Enterprise Application

Edit using the new experience

  • Access the Single Sign On blade and edit the User Attributes & Claims


  • Edit the Groups returned in claim option – which should be set to None


  • Then choose the group type and source group attribute to use

Supported format is:

  • Azure Active Directory GroupObjectId (Available for all groups)
  • SAMAccountName (Available for groups synchronized from Active Directory)
  • NetbiosDomain\samAccountName (Available for groups synchronized from Active Directory)
  • DNSDomainName\samAccountName (Available for groups synchronized from Active Directory)


  • If required by your application you can customize your group claim by editing the Advanced Options (like making the group membership information available in the ‘role’ claims)

There is less reason to be stuck with AD FS or any other identity provider Smile

Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.