Tim Hardy

Reputation: 1737

Azure OAuth2 Code Flow - no groups claim in access token (and no "hasgroups" either)

I am using OAuth2 Code flow and trying to get the user's groups back in my access token. Everything I'm reading says I should see either a groups claim or a hasgroups claim, but I see neither.

I've altered the following fields in the App registration manifest for my client app:

"groupMembershipClaims": "SecurityGroup",
"optionalClaims": {
    "idToken": [],
    "accessToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "dns_domain_and_sam_account_name"
            ]
        }
    ],
    "saml2Token": []
},

Here is an example of my querystring for the login redirection url (login.microsoftonline.com)...

client_id=<clientId>
&response_type=code
&redirect_uri=<redirectUri>
&response_mode=query
&scope=<appScope>%20offline_access
&state=67890

Here is an example of my querystring for requesting the token using the authCode (login.microsoftonline.com/{tenantId}/oauth2/v2.0/token):

client_id=<clientId>
&scope=<uriEncodedScopes>%20offline_access
&redirect_uri=<uriEncodedRedirectUri>
&code=<authCode>
&client_secret=<uriEncodedClientSecret>
&grant_type=authorization_code

Everything is working great, but I can't figure out how to get groups info back in my token.

UPDATE

I added %20openid to my scope in both urls, and now I'm getting an id_token, but I still don't see "groups" or "hasgroups" in either token.

UPDATE

I just added the same manifest changes (groupMembershipClaims, optionalClaims) to my API App Registration (instead of my client), the API that exposes the scope, and I see no change whatsoever. The access token and ID token don't have any reference to groups at all.

Upvotes: 0

Views: 2481

Answers (1)

Joy Wang

Reputation: 42043

Per my test, it should work, and you just need to configure groupMembershipClaims and optionalClaims in your API App Registration; refer to the reason below.


You could refer to my test sample below. I tried with both a work account and a personal account, and both work.

Request the authorization code (the api://3e013fde-xxxxxxa422f3/User.Test is my API permission):

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=xxxxxxxxxxxxxxx
&response_type=code
&redirect_uri=https://localhost
&response_mode=query
&scope=openid offline_access api://3e013fde-xxxxxxa422f3/User.Test
&state=12345

Request the token:


Decode the token at https://jwt.io/; the groups claim is included.

Note:

My client App and API App were both created today. I suppose there may be some difference between apps created in the old App Registration (it no longer exists in the portal), the app registration portal (it has been moved to the new App Registrations), and the new App Registration (the App Registration currently in the portal).

And from this doc:


There is also a weird thing during my test: when I create a new API App Registration and just set "groupMembershipClaims": "SecurityGroup" without setting optionalClaims, the manifest looks like the one below.

"groupMembershipClaims": "SecurityGroup",
"optionalClaims": {
    "idToken": [],
    "accessToken": [],
    "saml2Token": []
}

Then the Access token will not include groups, the ID token has the groups.

If I set it with yours, the Access token will have the groups.

"groupMembershipClaims": "SecurityGroup",
"optionalClaims": {
    "idToken": [],
    "accessToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "dns_domain_and_sam_account_name"
            ]
        }
    ],
    "saml2Token": []
}

But when I set it back to

"groupMembershipClaims": "SecurityGroup",
"optionalClaims": {
    "idToken": [],
    "accessToken": [],
    "saml2Token": []
}

The Access token still has the groups.

From the portal (Token configuration (preview)) and this doc (Configure group claims for applications with Azure Active Directory (Public Preview)), the feature should be in preview, so it may be a bug (I am not sure).

So in conclusion, I recommend you try with two new Apps.

Upvotes: 1
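Both the question and the answer come down to the same check: decode the access token and the ID token and look for a groups claim. The following added example (my own code, not from either poster and not Microsoft's) does that check programmatically and also recognises the two "overage" forms Azure AD uses when the group list is too large to embed: a `hasgroups: true` flag, or a `_claim_names`/`_claim_sources` pair pointing at Microsoft Graph. To run offline it builds its own HS256-signed sample tokens with a constructed secret; real Azure AD tokens are RS256-signed with the tenant's published keys, and the helper names (`make_test_jwt`, `check_test_signature`, `inspect_group_claims`) and sample audiences/group ids are my own placeholders.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT from constructed claims (test helper only).

    Real Azure AD tokens are RS256-signed with the tenant's published keys;
    this helper exists purely so the example runs offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def check_test_signature(token: str, secret: bytes) -> bool:
    """Verify the HS256 signature of a token built by make_test_jwt.

    Inspection (below) never validates a token; a resource server must verify
    the signature, issuer, audience and expiry before trusting any claim.
    """
    signing_input, _, signature = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(signature))


def inspect_group_claims(token: str) -> dict:
    """Report how (or whether) a token carries group membership.

    This decodes the payload WITHOUT verifying the signature: it is the
    programmatic equivalent of pasting the token into jwt.io, a debugging
    aid, not token validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    payload = json.loads(_b64url_decode(parts[1]))

    # When the user belongs to more groups than Azure AD will embed, the
    # "groups" claim is omitted and replaced by an overage indicator: either
    # "hasgroups": true, or a "_claim_names"/"_claim_sources" pair that
    # points at Microsoft Graph. In both cases the caller must look the
    # membership up rather than read the token as "no groups".
    claim_names = payload.get("_claim_names") or {}
    overage = bool(payload.get("hasgroups")) or "groups" in claim_names
    return {
        "audience": payload.get("aud"),
        "groups": list(payload.get("groups") or []),
        "has_groups_claim": "groups" in payload,
        "hasgroups_flag": bool(payload.get("hasgroups")),
        "overage_via_claim_sources": "groups" in claim_names,
        "needs_graph_lookup": overage,
    }


if __name__ == "__main__":
    # Constructed sample tokens: audience, group id and endpoint are placeholders.
    secret = b"constructed-test-secret"
    samples = {
        "groups embedded": {"aud": "api://constructed-api",
                            "groups": ["11111111-0000-0000-0000-000000000001"]},
        "overage flag": {"aud": "api://constructed-api", "hasgroups": True},
        "overage via Graph": {
            "aud": "api://constructed-api",
            "_claim_names": {"groups": "src1"},
            "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/constructed"}},
        },
        "no groups configured": {"aud": "api://constructed-api"},
    }
    for label, claims in samples.items():
        token = make_test_jwt(claims, secret)
        print(f"{label}: valid_sig={check_test_signature(token, secret)} "
              f"{json.dumps(inspect_group_claims(token))}")
```

Run it against a real token by passing the raw `access_token` or `id_token` string from the token response to `inspect_group_claims`; a result with `has_groups_claim` false and `needs_graph_lookup` false means the registration is not emitting groups into that token at all, which is the situation the question describes, whereas `needs_graph_lookup` true means groups are configured but the membership has to be fetched from Graph.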
