Groups from Azure AD

Yes, I got it today. This is the solution (I assume that the application is registered in Active Directory):

  1. Add Microsoft Active Directory as an identity provider: Identity Providers -> Add provider… -> OpenID Connect v1.0 (don’t choose Microsoft, like I did. It won’t work!)
  2. Configure it. My configuration is:
    Display Name: AAD (choose whatever you want)
    Enabled: On
    Trust Email: On (my setting. Not important for this problem)
    Authorization URL: …
    Token URL: …
    User Info URL: …
    Client ID: ID from your application registered in Active Directory
    Client Secret: the secret in Active Directory for your application
    Issuer: https://login.microsoftonline.com/{tenant}/v2.0 (not necessary)
    The rest has its default setting.
    The URLs can be found here: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
    (As a new user, I can only put two links in a post)
    Note that they depend on whether your application is single or multitenant.
  3. Save and add the redirect URL in Active Directory (Your application -> Authentication -> Redirect URIs).
  4. Go to this identity provider and go to Mappers. Create a new one.
  5. The setting of the mapper:
    Name: Whatever you want
    Sync Mode Override: Whatever you want. I have “force” but “inherit” is fine, too. Just read the info for it.
    Mapper Type: Claim to Role
    Claim: groups (that’s the name of the groups claim in the JWT coming from Active Directory)
    Claim Value: The group that you want to be mapped. Unfortunately, AAD puts the ids of the groups inside of the token, so you will probably get something like: “7fd1e321-4234-45de-fa21-fffdf215d21f”.
    Role: The role that the user should get, if he has the claim value that you’ve specified.
    This means that every group that you want to map needs a mapper and the role that it should be mapped to.

Note that for this to work, you need some settings inside of AAD. Otherwise AAD won’t put the groups claim inside the token. The setting for this is:
Go to your application in AAD -> Manifest -> set “groupMembershipClaims” to “SecurityGroup” or “All”. I have “All”.

Not sure if that’s the default, but in “Token configuration” -> Add groups claim

5 Likes
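To make the mapper semantics in the post concrete, here is an added Python example that is not part of the original post and not Keycloak's own code. It simulates what a "Claim to Role" mapper does with the `groups` claim of an Azure AD ID token: one mapper per group object ID, a token without a `groups` claim (manifest not edited) yielding no roles, and the difference that sync mode makes on a later login. The mapper config keys (`identityProviderMapper`, `claim`, `claim.value`, `role`, `syncMode`) follow the shape of a Keycloak realm export as I remember it and should be treated as assumptions; all group IDs, token payloads and role names are constructed.

```python
"""Simulation of Keycloak's "Claim to Role" identity-provider mapper applied
to Azure AD ID-token claims. Constructed example; config key names are an
assumption about Keycloak's realm-export format, and all IDs are made up."""

# Constructed mapper definitions: one mapper per AAD group, as the post
# says is required, each mapping a group object ID to a realm role.
MAPPERS = [
    {
        "name": "aad-platform-admins",
        "identityProviderAlias": "AAD",
        "identityProviderMapper": "oidc-role-idp-mapper",  # "Claim to Role" (assumed id)
        "config": {
            "syncMode": "FORCE",
            "claim": "groups",
            "claim.value": "7fd1e321-4234-45de-fa21-fffdf215d21f",  # constructed group ID
            "role": "app-admin",
        },
    },
    {
        "name": "aad-auditors",
        "identityProviderAlias": "AAD",
        "identityProviderMapper": "oidc-role-idp-mapper",
        "config": {
            "syncMode": "INHERIT",  # falls back to the identity provider's sync mode
            "claim": "groups",
            "claim.value": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",  # constructed group ID
            "role": "auditor",
        },
    },
]


def claim_matches(claims, claim_name, wanted):
    """True if the named claim equals `wanted` or, when the claim is an
    array (AAD's `groups` claim is a list of object IDs), if any element
    equals it. A missing claim never matches."""
    value = claims.get(claim_name)
    if value is None:
        return False
    if isinstance(value, list):
        return any(str(v) == wanted for v in value)
    return str(value) == wanted


def roles_from_token(claims, mappers=MAPPERS):
    """Roles granted on first login: every Claim-to-Role mapper whose
    claim.value appears in the token grants its role. With no `groups`
    claim (groupMembershipClaims not set in the manifest) nothing is granted."""
    roles = set()
    for mapper in mappers:
        if mapper["identityProviderMapper"] != "oidc-role-idp-mapper":
            continue
        cfg = mapper["config"]
        if claim_matches(claims, cfg["claim"], cfg["claim.value"]):
            roles.add(cfg["role"])
    return sorted(roles)


def resync_roles(current_roles, claims, mappers=MAPPERS, idp_sync_mode="FORCE"):
    """Behaviour on a later login of an existing brokered user (my reading
    of Keycloak, treat as an assumption): a mapper in FORCE mode re-evaluates,
    granting its role when the group is present and revoking it when the
    group is gone; a mapper in IMPORT mode leaves first-login roles untouched;
    INHERIT uses the identity provider's own sync mode."""
    roles = set(current_roles)
    for mapper in mappers:
        cfg = mapper["config"]
        mode = cfg.get("syncMode", "INHERIT")
        if mode == "INHERIT":
            mode = idp_sync_mode
        if mode == "IMPORT":
            continue
        if claim_matches(claims, cfg["claim"], cfg["claim.value"]):
            roles.add(cfg["role"])
        else:
            roles.discard(cfg["role"])
    return sorted(roles)


# Constructed ID-token payloads, reduced to the claims that matter here.
TOKEN_WITH_GROUPS = {
    "iss": "https://login.microsoftonline.com/{tenant}/v2.0",
    "sub": "user-1",
    "groups": [
        "7fd1e321-4234-45de-fa21-fffdf215d21f",  # mapped to app-admin
        "ffffffff-0000-0000-0000-000000000000",  # no mapper for this group
    ],
}
TOKEN_WITHOUT_GROUPS = {"iss": "https://login.microsoftonline.com/{tenant}/v2.0", "sub": "user-1"}

if __name__ == "__main__":
    print("first login:", roles_from_token(TOKEN_WITH_GROUPS))              # ['app-admin']
    print("no groups claim:", roles_from_token(TOKEN_WITHOUT_GROUPS))       # []
    print("left the group, FORCE:", resync_roles(["app-admin"], TOKEN_WITHOUT_GROUPS))  # []
```

The `resync_roles` function is what makes the "force" versus "inherit" choice in step 5 matter in practice: with FORCE a user removed from the AAD group loses the Keycloak role at the next login, while with IMPORT the role granted at first login stays until someone removes it by hand.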