MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure AD Group Name #38625

Closed StarkCaptain closed 5 years ago

StarkCaptain commented 5 years ago

It would seem more practical to support the ability to send the Display Name of an Azure AD Group than the objectID. Is there support to send the DisplayName instead?


SaurabhSharma-MSFT commented 5 years ago

@StarkCaptain Thanks for your feedback! We will investigate and update as appropriate.

frankhu-2021 commented 5 years ago

Hello @starkcaptain, I'm not sure what your request is. The doc describes the scenario of utilizing the display name of an Azure AD group instead of the group ID.

Please see : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-group-claims-for-saml-applications-using-sso-configuration

StarkCaptain commented 5 years ago

Based on the documentation this is only supported for on-premises Active Directory groups. Most of the time when you are using group claims, the display name of the group is preferred for SAML claims. Applications generally use this as a mapping to roles or other security controls. Using the GID is not the most friendly experience.

frankhu-2021 commented 5 years ago

Hey @starkcaptain, apologies for the delay. Unfortunately, it's only possible to get the object IDs as of right now. This may be implemented in the future; however, in order to get the group names you will need to have some sort of service that makes calls to the Microsoft Graph utilizing the ID.

If you're interested in this feature please upvote here, and if there's enough community support it will be looked into: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38483242-option-to-show-group-name-in-groups-claims

I apologize for the inconvenience. Are there any more questions in regards to this issue? If not, I will be closing out this GitHub issue tomorrow.

sanguedemonstro commented 4 years ago

Hi all, just in case, here is what I used to recover the group display names.

Thanks

// Requires: using System; using System.Collections.Generic; using System.Net.Http;
//           using IdentityModel.Client; using Newtonsoft.Json;
// _httpClient is an HttpClient field and Configuration holds ClientID, ClientSecret,
// TokenEndpoint and TenantID (both declared elsewhere in the poster's class, not shown here).

/// <summary>
/// Translate the group.Id list received in the id_token into a group.DisplayName list
/// </summary>
/// <param name="groupIdList">Group object IDs taken from the "groups" claim</param>
/// <returns>Display names, in the same order as the input IDs</returns>
public override List<string> TranslateGroupNames(List<string> groupIdList)
{
    // validations
    if (groupIdList == null || groupIdList.Count == 0)
        return groupIdList;

    if (string.IsNullOrEmpty(Configuration.ClientID))
        throw new InvalidOperationException("The 'ClientID' setting cannot be empty.");

    if (string.IsNullOrEmpty(Configuration.ClientSecret))
        throw new InvalidOperationException("The 'ClientSecret' setting cannot be empty.");

    if (string.IsNullOrEmpty(Configuration.TokenEndpoint))
        throw new InvalidOperationException("The 'TokenEndpoint' setting cannot be empty.");

    if (string.IsNullOrEmpty(Configuration.TenantID))
        throw new InvalidOperationException("The 'TenantID' setting cannot be empty.");

    // acquire a brand new access_token via client_credentials, specifically for the MS Graph API
    // (the app registration needs an application permission that can read groups, e.g. Group.Read.All)
    var clientCredentialsRequest = new ClientCredentialsTokenRequest();
    clientCredentialsRequest.Address = Configuration.TokenEndpoint;
    clientCredentialsRequest.ClientId = Configuration.ClientID;
    clientCredentialsRequest.Scope = "https://graph.microsoft.com/.default";
    clientCredentialsRequest.ClientSecret = Configuration.ClientSecret;

    var accessTokenResponse = _httpClient.RequestClientCredentialsTokenAsync(clientCredentialsRequest).Result;
    if (accessTokenResponse.IsError)
        throw new InvalidOperationException($"Failed to retrieve access token. {accessTokenResponse.Error}: {accessTokenResponse.ErrorDescription}");

    // set access_token on httpclient
    _httpClient.SetBearerToken(accessTokenResponse.AccessToken);

    var result = new List<string>(groupIdList.Count);

    // query the MS Graph API to recover group info, one GET per group ID;
    // $select keeps the response down to the field we actually use
    foreach (var groupId in groupIdList)
    {
        var url = $"https://graph.microsoft.com/v1.0/{Configuration.TenantID}/groups/{groupId}?$select=displayName";
        var groupResponse = _httpClient.GetAsync(url).Result;
        if (!groupResponse.IsSuccessStatusCode)
            throw new InvalidOperationException($"Failed to retrieve group {groupId}. {groupResponse.ReasonPhrase}");

        var jsonString = groupResponse.Content.ReadAsStringAsync().Result;
        var group = JsonConvert.DeserializeObject<dynamic>(jsonString);
        if (group?.displayName?.Value == null)
            throw new InvalidOperationException($"Invalid group {groupId}");

        // get group display name (note: display names are not unique in Azure AD, only the object ID is)
        result.Add(group.displayName.Value);
    }

    return result;
}
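
The lookup approach above, as an added worked example that is not part of this thread or of anyone's posted code: it decodes the `groups` claim from a (constructed, unsigned) id_token, resolves each object ID to a display name through a stand-in for the Graph `GET /groups/{id}` call, and shows the two checks a relying party should keep around that lookup. First, when a user is in more groups than the token can carry, Azure AD omits `groups` and emits `_claim_names`/`_claim_sources` instead, so the code must notice that and query Graph for memberships rather than silently treating the user as group-less. Second, display names are not unique in a tenant, so authorization is keyed on the object IDs (the same idea as a fixed id-to-value map) while the resolved names are used for display and logging only. The directory contents, group IDs and `fake_graph_fetch` are constructed for the example; in production the fetch function would issue the authenticated Graph request.

```python
import base64
import json
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample IDs and directory standing in for Microsoft Graph (hypothetical values).
ID_ADMINS = "11111111-1111-1111-1111-111111111111"
ID_USERS = "22222222-2222-2222-2222-222222222222"
ID_LOOKALIKE = "33333333-3333-3333-3333-333333333333"  # unrelated group that reuses a name
ID_DELETED = "44444444-4444-4444-4444-444444444444"    # in the token, but no longer in the directory

FAKE_DIRECTORY: Dict[str, dict] = {
    ID_ADMINS: {"id": ID_ADMINS, "displayName": "MyApp_Admins"},
    ID_USERS: {"id": ID_USERS, "displayName": "MyApp_Users"},
    # Display names are not unique in Azure AD: a second group with the same name is legal.
    ID_LOOKALIKE: {"id": ID_LOOKALIKE, "displayName": "MyApp_Admins"},
}


def fake_graph_fetch(group_id: str) -> Optional[dict]:
    """Stand-in for GET https://graph.microsoft.com/v1.0/groups/{id}?$select=id,displayName.
    Returns None where Graph would answer 404 (deleted group, or a group from another tenant)."""
    return FAKE_DIRECTORY.get(group_id)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for the demo only; real Azure AD id_tokens are signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def claims_from_jwt(token: str) -> dict:
    """Decode the payload. Signature, issuer and audience validation are assumed to have been
    done by the OIDC/SAML middleware first; never read a groups claim out of an unvalidated token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))


class GroupsOverage(Exception):
    """The token carries no group list and instead points at Graph for memberships."""


def group_ids_from_claims(claims: dict) -> List[str]:
    """Return the group object IDs in the token, distinguishing 'no groups' from 'too many groups'."""
    if "groups" in claims:
        return list(claims["groups"])
    # Above the group limit Azure AD drops "groups" and emits _claim_names/_claim_sources
    # referencing the getMemberObjects endpoint; the relying party must call that itself.
    source = claims.get("_claim_names", {}).get("groups")
    if source:
        endpoint = claims.get("_claim_sources", {}).get(source, {}).get("endpoint")
        raise GroupsOverage(f"token omits groups; query {endpoint} for memberships")
    return []


def resolve_group_names(group_ids: Iterable[str], fetch: Callable[[str], Optional[dict]],
                        cache: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map object ID -> displayName with one Graph call per unseen ID; IDs Graph cannot
    resolve are left out rather than turned into an error or an empty name."""
    cache = {} if cache is None else cache
    names: Dict[str, str] = {}
    for gid in group_ids:
        if gid not in cache:
            group = fetch(gid)
            if group is None or not group.get("displayName"):
                continue
            cache[gid] = group["displayName"]
        names[gid] = cache[gid]
    return names


# Authorization is keyed on object IDs, which are unique and immutable; names are for humans.
ROLE_BY_GROUP_ID: Dict[str, str] = {ID_ADMINS: "admin", ID_USERS: "user"}


def roles_for(group_ids: Iterable[str]) -> Set[str]:
    return {ROLE_BY_GROUP_ID[g] for g in group_ids if g in ROLE_BY_GROUP_ID}


def demo() -> Dict[str, object]:
    """User who is in the look-alike 'MyApp_Admins', in MyApp_Users, and in a deleted group."""
    token = make_unsigned_token({"sub": "user-1", "groups": [ID_LOOKALIKE, ID_USERS, ID_DELETED]})
    ids = group_ids_from_claims(claims_from_jwt(token))
    names = resolve_group_names(ids, fake_graph_fetch)
    return {"names": names, "roles": roles_for(ids)}


if __name__ == "__main__":
    print(demo())
```

Run as-is it shows a user whose resolved names include "MyApp_Admins" but whose roles are only `{"user"}`, because the name came from the look-alike group, not the one the role map trusts. Passing the same `cache` dict across calls keeps repeated logins from hitting Graph again for groups already seen.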

shelly-goel commented 2 years ago

We are having the same concern that we need the group name instead of group id. These groups will be synced with SSO external system and based on these groups users will get relevant permissions. With these meaningless names, this is not possible. The page to upvote is no longer available.

alejandrovilchesbabbel commented 2 years ago

Dear @shelly-goel, same situation over here: we have an SSO app that is expecting to see "/group = my_app_groupname" in the SAML token, but Azure (with no on-premises AD) only allows me to send the cryptic, unfriendly group object ID, which is not comfortable to work with. Have you managed to find a solution that doesn't imply querying the Microsoft Graph API or having to "map" the group ID to a human-friendly name at the app side (I noticed that some developers are doing it like that)?

gabrieledcjr commented 2 years ago

We also need this feature

shelly-goel commented 2 years ago

@alejandrovilchesbabbel No we were not able to get the group name in response so we are making a separate Microsoft API call to get the groups the user is part of.

frimlrob commented 2 years ago

Is there any progress in this matter? When our IT guy told me it is not possible to send the name of the group, I thought he was joking. Apparently he wasn't...

OrRabinovich81 commented 2 years ago

Hey @StarkCaptain, apologies for the delay. Unfortunately, it's only possible to get the object IDs as of right now. This may be implemented in the future; however, in order to get the group names you will need to have some sort of service that makes calls to the Microsoft Graph utilizing the ID.

If you're interested in this feature please upvote here, and if there's enough community support it will be looked into: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38483242-option-to-show-group-name-in-groups-claims

I apologize for the inconvenience. Are there any more questions in regards to this issue? If not, I will be closing out this GitHub issue tomorrow.

I suggest reopening this issue. It is not resolved, since there is still no way to pass the group name and not the group ID in Azure's SAML 2.0 offering. Other SAML 2.0 SSO providers such as Okta, JumpCloud, Google, etc. all support this.

Also, this link doesn't work for me: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38483242-option-to-show-group-name-in-groups-claims

sherifkayad commented 2 years ago

I really can't understand why this feature is neither prioritized nor given enough attention by Azure. I totally believe that the group object IDs are totally worthless and one must have the option to get the names of the groups. That's how we have configured our on-prem SSO in the past and that's how we want to configure it in the future.

Any feedback, Azure folks??

ianburrowes commented 2 years ago

In case it helps, I have a rough work-around for this issue that may help others in the situation where they really want to send a group name claim rather than the cryptic group ID value.

The work-around is not scalable to large numbers of groups or constantly changing groups, but if you know your users will be in a fixed, predetermined list of groups (e.g. one that determines permission levels for your SAML app), you can do the following.

Let's say your users will all be in one of three Azure AD security groups:

You create a new claim, and in it, create as many claim conditions as there are groups above. In this case: 3.

Your first claim condition is filtered (scoped) to members of the MyApp_Users group.

You then transform the claim with the following settings:

So, what have we just created? The rule tests if the field user.userprincipalname has a value. (All Azure AD users must have a UPN, so this will always be true.) Then, we are supplying the output "MyApp_Users"; however, we are only sending this claim when the user is in the AD group "MyApp_Users".

Repeat this rule for the other groups, and you will have a working solution. While it is not feasible to create a rule like this for every AD group, it may help in specific scenarios.

Hopefully Microsoft will implement passing the group name as a claim value in future!