Jeff

Reputation: 373

Having trouble getting Azure AD user's groups

I'm currently using node.js passport library to authenticate using the OIDC Strategy with an azure registered app using a client ID and secret.

http://login.microsoftonline.com/{org id}/v2.0/.well-known/openid-configuration

I am not having any trouble getting the user profile back of the person who logged in, but I am hitting a wall when trying to get the groups. In my app, I need to authorize the user based on their active directory groups. I am getting back this piece of json:

"_claim_names": {"groups": "src1"},
"_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects"}}

I'm not sure what I need to do with this to get the groups. I tried generating a bearer token, passing that in a header, and getting the groups, but it says I am unauthorized when using Postman. Do I need certain permissions in the app? Also, why is it using graph.windows.net when I'm trying to use graph.microsoft.com?

Is there an easier way to do this once the user has logged in?

Upvotes: 3

Views: 1869

Answers (1)

Rohit Saigal

Reputation: 9664

Overage indicator claim when user is member of many groups

The claim you're getting back as part of the JSON shared in the question is an overage indicator claim.

"_claim_names": {"groups": "src1"},
"_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects"}}

It means that the user is a member of many groups, and instead of including information about all the groups as part of the token (which would make the token too big), you will need to query that information separately.

Read more about it here: Access Tokens Reference


How to get groups information?

Your application needs to make a separate call to the Microsoft Graph API to get the groups information for the user.

Relevant Microsoft Graph APIs

Permissions Required by your application

Each of the API links above mentions the delegated or application permissions that are required, as part of its documentation.

You will need to update your app registration in Azure AD to require the relevant permissions (and also go through admin consent, in case the required permission needs admin consent).


Token to call Microsoft Graph API

You mention that you've tried generating a bearer token and passing that in a header, but you got an Unauthorized error.

Once you're done with the permission changes for your application, acquire a token specifically for Microsoft Graph API from your application. The bearer token used to access your application may not directly work with Microsoft Graph API.

Also make sure you go through admin consent in case any of the permissions require admin consent. If it's a single-tenant application, "grant permissions" directly from the Azure portal by an administrator should work; in the case of a multi-tenant app you can use the admin consent endpoint.

Code Sample: Here is a quick tutorial for calling Microsoft Graph using Node.js; you may find other good ones as well.

Azure AD Graph API (graph.windows.net) vs Microsoft Graph API (graph.microsoft.com)

You have a valid question about the endpoint: "Also why is it using graph.windows.net when I'm trying to use graph.microsoft.com?"

The general recommendation is to use the newer Microsoft Graph API, unless the functionality/information you're looking for isn't available with Microsoft Graph and only the Azure AD Graph API can help. Read more about the recommendation and comparison here: Microsoft Graph or Azure AD Graph

Since information about groups is already available in the v1 endpoint for Microsoft Graph (not beta), you should make use of the Microsoft Graph API.

Here are a couple of related SO posts: SO Post 1 and SO Post 2

Upvotes: 2
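The flow the answer describes, as an added example that is not code from the question, the answer, or Microsoft: detect the overage claim in the (already signature-validated) ID-token claims passport returns, call Microsoft Graph's POST /users/{id}/getMemberGroups with a token issued for Microsoft Graph, and make the authorization decision from the returned group ids. The Graph token acquisition and the `fetchImpl` argument (a fetch-style function, injected so the logic runs offline) are assumptions; the sample claims are constructed.

```javascript
// Added example, not code from the question or the answer: given the validated
// ID-token claims passport hands back, detect the groups overage claim and
// resolve the user's groups through Microsoft Graph (graph.microsoft.com), the
// endpoint the answer recommends over the graph.windows.net source in the claim.

// True when the token carries the overage indicator instead of a groups array.
function hasGroupOverage(claims) {
  const src = claims._claim_names && claims._claim_names.groups;
  return Boolean(src && claims._claim_sources && claims._claim_sources[src]);
}

// POST /users/{id}/getMemberGroups; `oid` is the signed-in user's object id.
function buildGetMemberGroupsRequest(claims, graphToken) {
  return {
    url: `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(claims.oid)}/getMemberGroups`,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${graphToken}`,
                 "Content-Type": "application/json" },
      body: JSON.stringify({ securityEnabledOnly: true }), // security groups only
    },
  };
}

// Turns the Graph response into group ids; a 401/403 (the question's symptom)
// means the token was not issued for Graph or the permissions/consent are missing.
function parseGetMemberGroupsResponse(status, body) {
  if (status === 401 || status === 403) {
    throw new Error(`Graph rejected the call (${status}): check token audience, permissions and consent`);
  }
  if (status !== 200 || !Array.isArray(body.value)) {
    throw new Error(`Unexpected Graph response (${status})`);
  }
  return body.value;
}

// Groups straight from the token when present, otherwise from Graph (assumed
// graphToken acquired separately for Microsoft Graph; fetchImpl is injected).
async function resolveGroupIds(claims, graphToken, fetchImpl) {
  if (Array.isArray(claims.groups)) return claims.groups;
  if (!hasGroupOverage(claims)) return [];
  const { url, init } = buildGetMemberGroupsRequest(claims, graphToken);
  const res = await fetchImpl(url, init);
  return parseGetMemberGroupsResponse(res.status, await res.json());
}

// Authorize only if the user is in at least one allowed group id (deny by default).
function isAuthorized(groupIds, allowedGroupIds) {
  const allowed = new Set(allowedGroupIds);
  return groupIds.some((id) => allowed.has(id));
}
```

Compare group object ids, not display names, since names are not unique and can be changed by group owners.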
