Jude Fisher

Reputation: 11284

Phantom Group Membership in Azure AD

I have a long-running application that uses FederatedAuthentication with Azure AD to manage claims-based identities. My application manifest is set to list all SecurityGroups for a user (so I can walk the list of groups they are members of).

Within that application I have a user that is a member of a single top-level group. That group is not a member of any other. Previously, when the user logged in, there would be only a single http://schemas.microsoft.com/ws/2008/06/identity/claims/groups value attached to their ClaimsPrincipal, correctly displaying the single group they are a member of.

As of recently (past few days) when my user logs in, there are two http://schemas.microsoft.com/ws/2008/06/identity/claims/groups values. One of these still corresponds to the group they are a member of, but the new one does not match the id of any visible group in my active directory (or any other object that I can see: no application ID, and no other user ID).

Where could this phantom group membership have come from, and is there any way I can remove it?

Update - groupMembershipClaims in the Application manifest is set to SecurityGroup (not All).

Upvotes: 0

Views: 248

Answers (1)

Nan Yu

Reputation: 27578

In my testing, the group claims will return a collection of the Groups and DirectoryRoles that the current user is a member of; the result is similar to using the memberOf Azure AD Graph API:

https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

The result with the above API: (screenshot omitted)

Even if I set groupMembershipClaims to SecurityGroup, I get the same three records (2 groups and 1 directory role) in my token with group claims. My account is a global administrator in my AAD. If I set the account to the User directory role (non-admin role), then I only get two group records in my group claims.

With the Azure AD Graph API, to get all of the groups that the user has direct or transitive membership in, we could call the getMemberGroups function.

If you want group claims to only return groups that the user has direct or transitive membership in, you could send your feedback in AAD UserVoice.

Upvotes: 1
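The practical consequence of the answer above is that an application should not treat every value under the groups claim type as a security group it recognises: a value may be a directory role object ID, or something the application cannot resolve at all. The following is an added example (not code from either poster) showing how a relying party can partition the groups-claim values on a principal into known security groups, known directory roles and unexplained IDs, and then make its authorization decision only on the resolved security groups. The claims, object IDs and display names are constructed for the example; in a real application the two lookup tables would be populated from the directory.

```python
# Claim type that carries group object IDs on the ClaimsPrincipal (quoted in the question).
GROUPS_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed object IDs standing in for values read from the directory:
# security groups the application knows about ...
KNOWN_SECURITY_GROUPS = {
    "11111111-1111-4111-8111-111111111111": "App Users",
}
# ... and directory roles (the answer observes these also appear in the groups claim).
KNOWN_DIRECTORY_ROLES = {
    "22222222-2222-4222-8222-222222222222": "Global Administrator (constructed id)",
}

# Constructed claims, shaped like ClaimsPrincipal.Claims as (claim type, value) pairs:
# one real group, one directory role, and one ID that resolves to nothing.
SAMPLE_CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "alice@example.com"),
    (GROUPS_CLAIM_TYPE, "11111111-1111-4111-8111-111111111111"),
    (GROUPS_CLAIM_TYPE, "22222222-2222-4222-8222-222222222222"),
    (GROUPS_CLAIM_TYPE, "33333333-3333-4333-8333-333333333333"),
]


def group_claim_values(claims):
    """Return every value carried under the groups claim type, in token order."""
    return [value for claim_type, value in claims if claim_type == GROUPS_CLAIM_TYPE]


def classify_group_claims(claims, known_groups, known_roles):
    """Partition groups-claim values into security groups, directory roles and unknowns.

    Anything in 'unexplained' is what the question calls a phantom membership:
    an ID the application cannot map to any object it knows. It should be logged
    for investigation, never silently treated as a group grant.
    """
    result = {"groups": [], "directory_roles": [], "unexplained": []}
    for object_id in group_claim_values(claims):
        if object_id in known_groups:
            result["groups"].append(object_id)
        elif object_id in known_roles:
            result["directory_roles"].append(object_id)
        else:
            result["unexplained"].append(object_id)
    return result


def authorize_by_groups(claims, required_group_ids, known_groups):
    """Grant access only if a *resolved* security group matches a required one.

    Directory-role IDs and unexplained IDs never satisfy a group requirement,
    even though they arrive under the same claim type.
    """
    resolved = classify_group_claims(claims, known_groups, KNOWN_DIRECTORY_ROLES)
    return any(gid in required_group_ids for gid in resolved["groups"])


if __name__ == "__main__":
    summary = classify_group_claims(SAMPLE_CLAIMS, KNOWN_SECURITY_GROUPS, KNOWN_DIRECTORY_ROLES)
    for bucket, ids in summary.items():
        print(f"{bucket}: {ids}")
    print("authorized:", authorize_by_groups(SAMPLE_CLAIMS,
                                             {"11111111-1111-4111-8111-111111111111"},
                                             KNOWN_SECURITY_GROUPS))
```

Walking the claim list this way keeps the walk the questioner describes, but makes the lookup against the directory explicit, so an ID that does not belong to a visible group shows up as an unexplained value in a log line rather than as an apparent extra membership.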
