Groups from Azure AD

I am currently trying to get the groups from Azure Active Directory to Keycloak. Azure is registered in Keycloak as an identity provider with the “Microsoft” setting.
I tried to follow the advice from and created a mapper for the provider with these settings:
Sync Mode Override: force
Mapper Type: Attribute Importer
Social Profile JSON Field Path: groups
User Attribute Name: role

Is there something I am missing?

Hi, were you able to figure it out?

Yes, I got it today. This is the solution (I assume that the application is registered in Active Directory):

  1. Add Microsoft Active Directory as an identity provider: Identity Providers -> Add provider… -> OpenID Connect v1.0 (don’t choose Microsoft, like I did. It won’t work!)
  2. Configure it. My configuration is:
    Display Name: AAD (choose whatever you want)
    Enabled: On
    Trust Email: On (my setting. Not important for this problem)
    Authorization URL: …
    Token URL: …
    User Info URL: …
    Client ID: id from your application registered in Active Directory
    Client Secret: the secret in Active Directory for your application
    Issuer: {tenant}/v2.0 (not necessary)
    The rest has its default setting.
    The urls can be found here:
    (As a new user, I can only put two links in a post)
    Note that they depend on whether your application is single or multitenant.
  3. Save and add the redirect url in Active Directory (Your application -> Authentication -> Redirect URIs).
  4. Go to this identity provider and go to Mappers. Create a new one.
  5. The setting of the mapper:
    Name: Whatever you want
    Sync Mode Override: Whatever you want. I have “force” but “inherit” is fine, too. Just read the info for it.
    Mapper Type: Claim to Role
    Claim: groups (that’s the name of the groups claim in the JWT coming from active directory)
    Claim Value: The group that you want to be mapped. Unfortunately, AAD puts the ids of the groups inside of the token, so you will probably get something like: “7fd1e321-4234-45de-fa21-fffdf215d21f”.
    Role: The role that the user should get, if he has the claim value that you’ve specified.
    This means that every group that you want to map, needs a mapper and the role that it should be mapped to.

Note that for this to work, you need some settings inside of AAD. Otherwise AAD won’t put the groups claim inside the token. The setting for this is:
Go to your application in AAD -> Manifest -> set “groupMembershipClaims” to “SecurityGroup” or “All”. I have “All”.

Not sure if that’s the default, but in “Token configuration” -> Add groups claim

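
The group-to-role mapping described in the answer above, as an added example that is not part of the original posts and is not Keycloak's own code: it decodes a token payload, checks whether AAD actually sent the `groups` claim, and applies one mapping entry per group ID. The role name `app-admin`, the helper names and the sample tokens are constructed; the `_claim_names` branch covers the case where Azure AD replaces the group list with a pointer because the user is in too many groups.

```python
import base64
import json

# Constructed mapper table: AAD group object ID -> Keycloak role.
# The ID is the sample value quoted in the answer; the role name is hypothetical.
GROUP_TO_ROLE = {"7fd1e321-4234-45de-fa21-fffdf215d21f": "app-admin"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; no signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_from_token(token: str, mapping: dict = GROUP_TO_ROLE):
    """Return (status, roles), one mapping entry per group as in the answer."""
    claims = decode_claims(token)
    groups = claims.get("groups")
    if groups is None:
        # Azure AD sends a pointer instead of the list when it is too long.
        if "groups" in claims.get("_claim_names", {}):
            return "overage", []
        return "no-groups-claim", []  # check groupMembershipClaims in the manifest
    if isinstance(groups, str):
        groups = [groups]
    return "ok", sorted({mapping[g] for g in groups if g in mapping})


if __name__ == "__main__":
    sample = make_sample_token({"groups": list(GROUP_TO_ROLE)})
    print(roles_from_token(sample))
```

A `no-groups-claim` result points at the AAD manifest setting mentioned above, while `overage` means the mappers will not match even though that setting is correct.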

Thank you for the well-detailed answer. I did get this working, and I used a mapper to map group ID with group names in Keycloak.