Get Group Names instead of Group IDs

[Bastika07]

Describe the problem

If you have JWT group sync enabled in the self hosted version and are using Entra ID as the IDs, you will get only the group ids, but not the group names

To Reproduce

Steps to reproduce the behavior:

Expected behavior

Se Groupnames instead of Groupids

Are you using NetBird Cloud?

Self Host

NetBird version

0.27.6

NetBird status -d output:

If applicable, add the `netbird status -d' command output.

Screenshots

Additional context

[mlsmaycon]

Hello @Bastika07, this seems to be a limitation from Entra ID. The NetBird service is just reading the groups provided by the identity provider; we've reports from different users with similar issues, but so far, no one has shared if there is a solution for it in Azure.

[Bastika07]

Can you use for this a query with the graph rest api? https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http#http-request https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http

I am no coding expert, so can´t help that much.

[Zaunei]

It's possible to get the group names with Entra ID in Netbird, but it's really hidden and only works then groupMembershipClaims is set to ApplicationGroup. Search for cloud_displayname in this documentation about the group claims: https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims#configure-groups-optional-claims

[florian-obradovic]

I configured my App Registration in Entra ID as the following and it works:

Keep in mind that you can't select cloud_displayname from the ui and you have to edit the manifest.

"groupMembershipClaims": "ApplicationGroup",

"optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname"
                ]
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname"
                ]
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname"
                ]

[florian-obradovic]

If you rename groups in Entra ID, the'll remain in Netbird. Can we track object-id in Netbird and show cloud_displayname or SAMAccountName for onPremise synched groups?

[florian-obradovic]

Works great, even with groups synched from onprem. active directory:

"optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ]
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ]
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ]
            }