Azure Active Directory Groups Claim for Application
Question
We're using Active Directory Groups for different customers and their employees. It's straightforward configuring a group accessToken claim for authenticated users. Now, when an app does not act in behalf of a user but in behalf of itself (client_credentials flow), and the app is member in an AD Group, is it possible to configure an accessToken claim for the application's membership? If so, how?
I have tried to configure it in Azure/Active Directory/Token configuration but it gives only the group of users that are authenticated and not that of the app itself.
Thank you.
1 answers
solution1
0 ACCPTED 2021-01-25 08:29:45
I think there is a problem with your description. You said in the question: and the app is member in an AD Group . As far as I know, the members of a group can only be users, organization contacts, service leaders or other groups, and there is no application.
I think what you want to say is that you assigned users or groups to the application (please correct me if my understanding is wrong), like this:
As far as I know, there is no group claim for application tokens(The user token has a group claim, as you said in the question),because application is not a member of group. If you want to get the group assigned to the application, MS graph api is a good choice:
https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo
You need to replace {id} with Object ID :
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.