Azure AD IdP how to check group memberships and/or GUIDs


I successfully added Azure AD as IdP for Keycloak and can successfully login and complete the authentication flow and user can access web app after SSO authentication.

I am trying to implement a “claim to role” mapper for the IdP and need to check if user’s AD Groups contain a particular Group GUID.

My questions are:

  • where is this Group GUID found in the Azure AD portal?

  • Is there a PowerShell or CMD command that can be run to displayed AD group memberships with/without the GUIDs?

  • Since authentication flow is successful, is there a way to peek/review the Groups claim in the Keycloak token and if so, how? Or can this claim detail be shown in Keycloak log?


In Azure AD / App Registrations you can find the groups GUID as the “object id” of the group:

To get the groups to the tokens, you have to add a group mapper in Azure:

In Keycloak, create a “claim to role” mapper with these settings:


Thanks Niko. I already had a “claim to role” mapper created but wasn’t sure where to ask my Azure DevOps to look for the group’s GUID. Thanks for the “object id” screenshot.

Besides looking at the Azure portal, is there no other way to use powershell command to look at which groups I belong to, and what their GUIDs are? I find this portal method very “unscriptable”. :blush:

I also vaguely recall, that if one can inspect the detail claims payload coming from Azure SSO to Keycloak, but I lost my notes on how to do inspect the token/claims in keycloak.



I don‘t know about powershell nor azure api, as i don‘t use it regularly. Of course there is a way via an api available, that‘s how cloud works. But this is a Keycloak forum, so you better ask somewhere where azure folks are around.

Once again thanks Niko.

As mentioned, one of the question was, how does one can look into the token/claims detail in Keycloak? I am sure Keycloak has received a collection of groups GUIDs and based on the define “claim to role” mapper, comparing each one of them.

In Keycloak, does anyone know how to inspect the claim payload after user completed authentication from SSO?.


Hi @dasniko I have followed the steps mentioned here but at the end of SSO login, the final token I get, when parsed, contains below:

“realm_access”: {
“roles”: [
“resource_access”: {
“account”: {
“roles”: [
“scope”: “openid groups”,

Basically my email id is linked to ad group which is present in keycloak group to role claim mapping - which points to planners (and not admins role).
But instead of getting only planners role in return, I am getting all the realm roles.

After the SSO login completion token is returned, do I need to hit another URL to get user specific role?


As I don’t know, what you configured how, I can’t give an answer here.