Azure AD JWT token is missing group information

Question
-
We are using Azure AD Authentication for our application that is developed using MEAN stack. Front end (Angular) is using adal-angular library for authentication and Server (Node JS) is using passport-azure-ad for authorization using bearer strategy.
So when the front end calls the backend API, it sends the bearer token to the back end, and then on the server the passport-azure-ad library parses and validates the token.
I have already configured the Azure tenant with the application, group and members. Members get authenticated by Azure AD and can access the application with no issue. Now I also want to perform authorization based on the group that the member belongs to. As per the Azure documentation (Supported Tokens And Claim Types), the JWT token that Azure issues has information about the authenticated user's groups. In order to receive group information as part of the JWT token we have to enable group claims for the application.
So I have followed the steps below to enable it:
1) Download the application manifest
2) Update "groupMembershipClaims" to "SecurityGroup"
3) Upload the manifest
However, when I verify the received JWT token, it now has one additional property, “hasgroups=true”. I do not see any property called “groups” with the group object ids. This property should have been part of the JWT token (See Here).
So either the passport-azure-ad library is not parsing the “groups” information or Azure is not sending the “groups” information.
Thursday, April 21, 2016 8:29 PM
Answers
-
Azure is not sending the information.
Your front end is acquiring the token, using 'adal-angular', via the OAuth implicit flow. As this is done entirely client side, via a reply URL, the token is returned as a URL fragment. To prevent it overflowing the URL by being too long, Azure AD will not return groups for implicit flow, regardless of the manifest settings.
You would need to either:
1) Acquire the token server side, using Passport or similar. This will allow you to use a different OAuth flow, and have a larger token.
2) Make a call to the Graph API to retrieve the user's groups.
This limitation is poorly documented, and seems to catch people out frequently.
- Proposed as answer by atkinchris Wednesday, August 31, 2016 3:02 PM
- Marked as answer by Sjoukje ZaalMVP Thursday, February 23, 2017 2:55 PM
Wednesday, August 31, 2016 3:01 PM
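The answer above means a Node back end has to cope with two token shapes: a `groups` array when the token was obtained server side, and a bare `hasgroups: true` marker when it came from the implicit flow. The following is an added example, not code from the thread or from passport-azure-ad, showing an Express-style authorization check that uses the `groups` claim when present and otherwise falls back to a Graph lookup. It assumes the verified claims have been placed on `req.authInfo` (as in the passport-azure-ad bearer-strategy samples) and that `fetchGroups` is an injected helper that, in production, would call `GET https://graph.microsoft.com/v1.0/users/{oid}/transitiveMemberOf` with a server-side application token; here a stub answers from a constructed directory so the block runs offline.

```javascript
// Added example (not from the thread): authorize on Azure AD group membership
// using claims that passport-azure-ad's BearerStrategy has already verified,
// falling back to Microsoft Graph when the token carries "hasgroups": true
// instead of a "groups" array (the implicit-flow case described in the answer).
// The Graph call is injected so this runs offline; use a real HTTPS client in production.

// Return the group object ids the caller belongs to.
// claims:      the verified JWT payload (req.authInfo in passport-azure-ad)
// fetchGroups: assumed helper, async (oid) => [groupId, ...], which would call
//              GET https://graph.microsoft.com/v1.0/users/{oid}/transitiveMemberOf
//              with a server-side app token (never the user's bearer token)
async function resolveGroups(claims, fetchGroups) {
  if (Array.isArray(claims.groups)) {
    return claims.groups;                       // token carried the groups claim
  }
  if (claims.hasgroups === true) {
    // Overage / implicit-flow case: Azure AD signals membership exists but omits it.
    if (!claims.oid) throw new Error('token has hasgroups but no oid claim');
    return fetchGroups(claims.oid);
  }
  return [];                                    // no groups and no overage indicator
}

// Express-style middleware factory: allow only members of at least one allowed group.
function requireGroup(allowedGroupIds, fetchGroups) {
  const allowed = new Set(allowedGroupIds);
  return async function (req, res, next) {
    try {
      const groups = await resolveGroups(req.authInfo || {}, fetchGroups);
      const ok = groups.some((g) => allowed.has(g));
      if (!ok) return res.status(403).json({ error: 'forbidden' });
      req.groups = groups;                      // expose resolved groups to handlers
      return next();
    } catch (err) {
      return next(err);                         // Graph failure: fail closed via error handler
    }
  };
}

// --- Constructed sample data (placeholder ids, not real tenant values) ---
const ADMIN_GROUP = '11111111-1111-1111-1111-111111111111';
const FAKE_DIRECTORY = {
  'user-a': [ADMIN_GROUP, '22222222-2222-2222-2222-222222222222'],
  'user-b': ['33333333-3333-3333-3333-333333333333'],
};
// Stub standing in for the Graph transitiveMemberOf call.
async function fakeFetchGroups(oid) {
  return FAKE_DIRECTORY[oid] || [];
}

// Minimal stand-ins for Express req/res so the middleware can be exercised offline.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Run the middleware for a verified-claims object; resolves to the resulting status code.
async function authorize(claims) {
  const mw = requireGroup([ADMIN_GROUP], fakeFetchGroups);
  const req = { authInfo: claims };
  const res = makeRes();
  let nextCalled = false;
  await mw(req, res, (err) => { if (err) throw err; nextCalled = true; });
  return nextCalled ? 200 : res.statusCode;
}

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    // implicit-flow style token: hasgroups but no groups array, resolved via Graph stub
    console.log(await authorize({ oid: 'user-a', hasgroups: true }));        // 200
    console.log(await authorize({ oid: 'user-b', hasgroups: true }));        // 403
    // server-side flow token that carried the claim directly
    console.log(await authorize({ oid: 'user-b', groups: [ADMIN_GROUP] }));  // 200
  })();
}
```

The lookup is keyed on the `oid` claim rather than on a UPN, because the object id is immutable while UPNs can be renamed, and a Graph error is passed to `next(err)` so that a failed lookup never degrades into an allow.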
All replies
-
Hello,
We are checking on the query and would get back to you soon on this.
I apologize for the inconvenience and appreciate your time and patience in this matter.
Regards,
Neelesh
Friday, April 22, 2016 11:40 AM -
Hi,
For the AUTHORITY, did you use https://login.microsoftonline.com/{tenant AD}/oauth2/token or https://login.microsoftonline.com/{tenant AD}/.well-known/openid-configuration?
Best regards,
Tuesday, April 26, 2016 2:02 PM -
I am using https://login.microsoftonline.com/{tenantID}/.well-known/openid-configuration
I am using the passport-azure-ad module for server side authorization and it's suggesting to use the above URL for metadata.
Friday, April 29, 2016 4:47 PM -
How would you get the token server side? I am using Azure AD to authenticate a single page web app. Do you have a link to some details on that flow?
Currently I am using OpenId.
- Edited by DarkNoir Tuesday, November 22, 2016 10:24 PM
- Marked as answer by Sjoukje ZaalMVP Thursday, February 23, 2017 2:55 PM
- Unmarked as answer by Sjoukje ZaalMVP Thursday, February 23, 2017 2:55 PM
Tuesday, November 22, 2016 10:23 PM -
Hi, thanks for the knowledge.
Can you tell me how to use the Graph API?
I have tried https://graph.microsoft.com/beta/users/UPN/transitiveMemberOf but I think I am missing something?
Friday, July 12, 2019 4:45 PM -
Please use MS Graph Explorer to check the result.
- Edited by aka_Sunny Monday, September 9, 2019 3:47 PM
Monday, September 9, 2019 3:47 PM