Azure Active Directory Groups Claim for Application

Question

We're using Active Directory Groups for different customers and their employees. It's straightforward configuring a group accessToken claim for authenticated users. Now, when an app does not act in behalf of a user but in behalf of itself (client_credentials flow), and the app is member in an AD Group, is it possible to configure an accessToken claim for the application's membership? If so, how?

I have tried to configure it in Azure/Active Directory/Token configuration but it gives only the group of users that are authenticated and not that of the app itself.

Thank you.

Answer 1

I think there is a problem with your description. You said in the question: and the app is member in an AD Group. As far as I know, the members of a group can only be users, organization contacts, service leaders or other groups, and there is no application.

I think what you want to say is that you assigned users or groups to the application (please correct me if my understanding is wrong), like this:

As far as I know, there is no group claim for application tokens(The user token has a group claim, as you said in the question),because application is not a member of group. If you want to get the group assigned to the application, MS graph api is a good choice:

https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo

You need to replace {id} with Object ID: