Bit of context first: I have an Active Directory as my Identity Provider working fine, but I was looking for a way to retrieve Active Directory groups/roles directly into the Keycloak access_token.
After some careful research I found the following topic:
However, I don't have the possibility to select "Claim to role", since I am using the "microsoft" Identity Provider inside Keycloak.
In the following topic (Groups from Azure AD) it seems to be possible when not using the "microsoft" template, but using OpenID Connect V1.0. Does the "Microsoft" template use it too? Or is it less secure?
To get groups from Microsoft, you need to use OpenID Connect.
You can use the OpenID autodiscovery mechanism. The URL for Microsoft is https://login.microsoftonline.com/<TENANT_ID>/.well-known/openid-configuration, where TENANT_ID is your Azure AD Tenant ID (information available in Azure AD).
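As an added illustration of the answer above (example code, not part of the original reply or of Keycloak), the snippet below builds the tenant-specific autodiscovery URL, pulls the endpoints Keycloak needs out of a constructed discovery document, and maps the Azure AD `groups` claim (group object IDs) to Keycloak role names the way a "Claim to role" mapper would. It assumes the app registration is configured to emit the `groups` claim; the tenant and group IDs are constructed placeholders.

```python
import json
import uuid

# Constructed placeholders for this example; substitute your own tenant and group IDs.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
})
# Azure AD group object ID -> Keycloak role name (the "Claim to role" mapping).
GROUP_TO_ROLE = {
    "aaaaaaaa-0000-0000-0000-000000000001": "app-admin",
    "aaaaaaaa-0000-0000-0000-000000000002": "app-user",
}


def discovery_url(tenant_id: str) -> str:
    """Build the autodiscovery URL. Only a real tenant GUID is accepted: the
    'common'/'organizations' endpoints return a templated issuer that
    Keycloak cannot pin to your tenant."""
    uuid.UUID(tenant_id)  # raises ValueError for anything that is not a GUID
    return f"https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration"


def endpoints_from_discovery(doc_json: str, tenant_id: str) -> dict:
    """Extract the endpoints for a generic OIDC provider in Keycloak and
    verify the issuer belongs to the expected tenant."""
    doc = json.loads(doc_json)
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {doc.get('issuer')!r} is not the expected tenant issuer")
    return {k: doc[k] for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")}


def roles_from_claims(claims: dict, tenant_id: str, group_to_role: dict) -> list:
    """Map the 'groups' claim of a (signature-verified) Azure AD token to
    Keycloak roles, rejecting tokens issued for another tenant via 'tid'."""
    if claims.get("tid") != tenant_id:
        raise ValueError("token was issued for a different tenant")
    return sorted({group_to_role[g] for g in claims.get("groups", []) if g in group_to_role})
```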
The built-in "social" provider "Microsoft" is for use with private Microsoft accounts only, as it has hardcoded URLs and paths in it. If you want anything customized, you have to configure a generic OIDC provider (or SAML, as AAD also supports SAML).