I've spent quite a bit of time on this and can't figure out what I'm doing wrong but I've read numerous articles on how to return the on-premise sids but just can't get it to work.
These are some of the articles I've read (not all!):
Getting Authentication Access Tokens for Microsoft APIs
Checking Azure Active Directory group membership via MSAL in a SPA + Web APIs
I've created my app registration in Azure AD and I know it's working as expected as the token returned contains:

```json
{
...
"app_displayname": "My app",
"appid": "1234",
"family_name": "Joe",
"given_name": "Soap",
"idtyp": "user",
"ipaddr": "123.456.789.101",
"name": "Joe Soap",
...
}
```
and all the information is correct, but it just doesn't contain any "groups" claims as stated in some of these articles. I've checked Azure AD and I'm part of 28 groups. Some are 'Microsoft 365', some are 'Security Group' and some are mail related/distribution groups, so definitely not over the 500 where I've read it will return nothing and I should use another approach.
In the Manifest section, this is what I have:

```json
...
"groupMembershipClaims": "SecurityGroup",
...
"optionalClaims": {
    "idToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "on_premise_security_identifier"
            ]
        }
    ],
    "accessToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "on_premise_security_identifier"
            ]
        }
    ],
    "saml2Token": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "on_premise_security_identifier"
            ]
        }
    ]
},
```
In terms of scopes, I've added the following:

```text
'profile'
'User.Read'
'openid'
```

I've also tried adding the `groups.readall` scope, but to no avail. Still no groups claims returned, or any other entries that look like they might be a list of SIDs.
Does anyone have any ideas what I'm doing wrong? If I've left anything out, apologies; just ask away and I'll update my answer.

One last point. When I cleared my cache altogether, I get prompted with the Microsoft Sign-In, but somehow, when I try to use my business (Office 365) account, it won't let me log in. If I use my personal account, it does, even though the app registration used, including the TenantId, ClientID, scopes, etc., is all from my Azure business account.

Thanks.
Note that: to get group claims in the access token, you must generate the access token for your own app or API, not for the Microsoft Graph API. Refer to this MsDoc.

My Azure AD application manifest looks like below:

By doing the following, the on-prem SIDs will be displayed in your case.
I exposed an API and added a scope:
Granted Admin consent to the scope:
Generated an access token by passing the scope as `api://ClientID/group.read`, using the parameters below:

```text
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:api://ClientID/group.read
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret
```

When I decoded the access token, the group claims are displayed successfully:

I then generated an access token by passing the same scope as you:

```text
scope: profile user.read openid
```

When I decoded that access token, the group claims are not displayed, because the access token is generated for another resource, namely Microsoft Graph.
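The check the answer above performs by hand on jwt.ms (decode the access token and look at which resource it was issued for) can be scripted so the cause is obvious at a glance. The following is an added example and is not code from the question, the answer, or Microsoft; it decodes a token's payload without verifying the signature (inspection only, never an authorization decision), reports whether the audience is Microsoft Graph or your own API, and whether a `groups` claim (or the `_claim_names` overage indicator that replaces it when a user has too many groups) is present. The client id and the two sample tokens are constructed placeholders; the Microsoft Graph application id `00000003-0000-0000-c000-000000000000` is the well-known one.

```python
import base64
import json

# Well-known audiences that identify a Microsoft Graph access token. A token
# minted for Graph carries Graph's claims, not the optional claims you
# configured on your own app registration.
GRAPH_AUDIENCES = {"00000003-0000-0000-c000-000000000000", "https://graph.microsoft.com"}

# Constructed placeholder for the app registration's client id (not a real id).
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is NOT verified here; this mirrors what jwt.ms shows and is
    for troubleshooting only, never for accepting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_group_claims(token: str, api_client_id: str) -> dict:
    """Explain why a token does or does not carry a 'groups' claim."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud", "")
    groups = claims.get("groups")
    is_graph = aud in GRAPH_AUDIENCES
    # v1 tokens use the App ID URI, v2 tokens the bare client id; accept both.
    is_own_api = aud in {api_client_id, f"api://{api_client_id}"}
    # When a user is in more groups than fit in the token, Azure AD omits
    # "groups" and emits "_claim_names"/"_claim_sources" pointing at Graph.
    overage = "groups" in (claims.get("_claim_names") or {})
    has_groups = isinstance(groups, list) and len(groups) > 0
    if is_graph:
        advice = "token issued for Microsoft Graph; request a scope on your own API (api://<client-id>/<scope>)"
    elif has_groups:
        advice = "groups claim present"
    elif overage:
        advice = "groups overage: membership must be resolved via Graph instead"
    else:
        advice = "audience is your API but no groups claim: check groupMembershipClaims / optionalClaims"
    return {
        "aud": aud,
        "audience_is_graph": is_graph,
        "audience_is_own_api": is_own_api,
        "has_groups": has_groups,
        "group_count": len(groups) if isinstance(groups, list) else 0,
        "groups_overage": overage,
        "advice": advice,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature, for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


# Constructed sample 1: what you get for scope "profile User.Read openid".
GRAPH_TOKEN = make_sample_token({
    "aud": "00000003-0000-0000-c000-000000000000",
    "scp": "profile User.Read openid",
    "name": "Joe Soap",
})

# Constructed sample 2: what you get for scope "api://<client-id>/group.read"
# with groupMembershipClaims set and on-prem SIDs emitted (SIDs are made up).
API_TOKEN = make_sample_token({
    "aud": f"api://{SAMPLE_CLIENT_ID}",
    "scp": "group.read",
    "name": "Joe Soap",
    "groups": [
        "S-1-5-21-1111111111-2222222222-3333333333-1001",
        "S-1-5-21-1111111111-2222222222-3333333333-1002",
    ],
})

if __name__ == "__main__":
    for label, tok in (("graph", GRAPH_TOKEN), ("own api", API_TOKEN)):
        print(label, json.dumps(diagnose_group_claims(tok, SAMPLE_CLIENT_ID), indent=2))
```

Point the script at a real token you copied from your app (and your real client id) and the `advice` field tells you which of the two situations in the answer you are in before you start changing the manifest.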