Open kmanchik opened 2 years ago
If I make this change (from "All Groups") I just get the following error:
Failed to authenticate: no attribute with name "Group": [http://schemas.microsoft.com/identity/claims/tenantid http://schemas.microsoft.com/identity/claims/objectidentifier http://schemas.microsoft.com/identity/claims/displayname http://schemas.microsoft.com/identity/claims/identityprovider http://schemas.microsoft.com/claims/authnmethodsreferences http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name email]
...But it might be because we got the "free" Azure AD, that doesn't support groups in applications.
What do your AAD App's SSO/SAML settings look like? Do you have user.groups mapped?
Also, how many AAD groups are you in? Documentation implies that this issue kicks in at 150 groups (if you're in AD-AAD Hybrid, not sure how the synced AD groups/any nesting there impacts this number). But it looks like you can get a count by visiting Graph Explorer and running "Groups > all groups I belong to (direct or indirect membership) with count" (uri: https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true), then checking the count attribute.
I have also needed to change the group claim from "All Groups" to "Groups assigned to the application" to get this to work
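Added example, not part of the thread or the project's own code: a small diagnostic that reads the attribute names from a captured SAML assertion and tells apart the failure modes discussed above: the "Group" attribute is present, groups arrive under Azure AD's default claim name because the custom name was not applied, or no group attribute is emitted at all (the case in the error message). The function names, the sample assertions and the group ID are constructed for illustration; the default claim URI is taken from Microsoft's documentation, not from this thread.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim name Azure AD uses for groups when the name is not customized
# (assumption from Microsoft's documentation, not stated in this thread).
DEFAULT_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def group_claim_report(assertion_xml, expected_name="Group"):
    """Classify why a consumer looking for `expected_name` would or would not find it.

    Debugging aid only: it does not validate the signature, so run it on an
    assertion you captured yourself, never as part of an authentication decision.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    if expected_name in attrs:
        status = "ok"             # custom name applied, groups emitted
    elif DEFAULT_GROUPS_CLAIM in attrs:
        status = "default-name"   # groups emitted, but "Customize / Name" not applied
    else:
        status = "not-emitted"    # IdP sent no group attribute at all
    groups = attrs.get(expected_name) or attrs.get(DEFAULT_GROUPS_CLAIM, [])
    return {"status": status, "groups": groups, "available": sorted(attrs)}


def sample_assertion(attributes):
    """Build a constructed, unsigned assertion fragment for the demo."""
    body = ""
    for name, values in attributes.items():
        vals = "".join(f"<AttributeValue>{v}</AttributeValue>" for v in values)
        body += f'<Attribute Name="{name}">{vals}</Attribute>'
    return (f'<Assertion xmlns="{SAML}"><AttributeStatement>'
            f"{body}</AttributeStatement></Assertion>")


if __name__ == "__main__":
    gid = "00000000-0000-0000-0000-000000000001"  # constructed group object ID
    cases = {
        "custom name": {"email": ["user@example.com"], "Group": [gid]},
        "default name": {"email": ["user@example.com"], DEFAULT_GROUPS_CLAIM: [gid]},
        "as in the error": {"email": ["user@example.com"]},
    }
    for label, attributes in cases.items():
        print(label, "->", group_claim_report(sample_assertion(attributes)))
```
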
Summary
What change do you think needs making?
Update below lines in the documentation as highlighted
Add group claim | Which groups: Groups assigned to the application | Source attribute: Group ID | Customize: True | Name: Group | Namespace: | Emit groups as role claims: False
What is the issue?
Why the change is required?
Helpful documents: