Reputation: 91
I have an application registered on Azure AD. The application has been configured to include the groups claim in the Token Configuration section of the Azure Portal. When I access the application, follow the process to authenticate against Azure AD, and access a Controller endpoint, I see that the Claims for the user property do not have the groups. Instead, I'm getting a property, hasgroups, set to true.
I'm assigned to 89 groups. I don't know if there's any limitation on the number of groups and whether, for that reason, Azure changes the claims (instead of one for each group, it's emitting one with the boolean value I have told you about).
This situation happens with an organization tenant. I have tested the same with my own tenant on Azure and I'm getting the groups. But in my own tenant I'm assigned to only 2 groups. This is the reason I've highlighted the number of groups I belong to in my organization.
Upvotes: 0
Views: 3152
Reputation: 58723
There is a limitation to how many groups can be returned due to size limitations of tokens.
You must always be ready to query for user groups from MS Graph API, e.g. with:
If you get the hasgroups claim, you need to query for groups.
Upvotes: 2
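The fallback described in the answer above, as an added example that is not part of the original answer: read group IDs from the token when they are present, query Microsoft Graph when the token signals they were left out, and deny access if that lookup fails. Assumptions: `get_json` is a hypothetical callable that performs an authenticated GET against Graph and returns the parsed JSON, the `_claim_names` check covers the other overage marker Azure AD can emit besides `hasgroups`, and the sample pages are constructed.

```python
from typing import Callable

# Microsoft Graph v1.0; transitiveMemberOf also returns nested memberships.
GRAPH_URL = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf"
GROUP_TYPE = "#microsoft.graph.group"

def groups_overage(claims: dict) -> bool:
    """True when the token says group IDs were left out of it."""
    if str(claims.get("hasgroups", "")).lower() == "true":
        return True
    return "groups" in (claims.get("_claim_names") or {})

def resolve_groups(claims: dict, get_json: Callable[[str], dict]) -> set:
    """Return group object IDs from the token, or from Graph on overage."""
    if claims.get("groups"):
        return set(claims["groups"])
    if not groups_overage(claims):
        return set()
    ids, url = set(), GRAPH_URL
    while url:  # follow @odata.nextLink until the last page
        page = get_json(url)
        ids.update(o["id"] for o in page.get("value", [])
                   if o.get("@odata.type") == GROUP_TYPE)
        url = page.get("@odata.nextLink")
    return ids

def is_authorized(claims: dict, required_group: str, get_json) -> bool:
    """Fail closed: a failed Graph lookup never grants access."""
    try:
        return required_group in resolve_groups(claims, get_json)
    except Exception:
        return False

# Constructed sample data standing in for Graph responses (not real IDs).
SAMPLE_PAGES = {
    GRAPH_URL: {"value": [{"@odata.type": GROUP_TYPE, "id": "group-1"},
                          {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-1"}],
                "@odata.nextLink": GRAPH_URL + "?page=2"},
    GRAPH_URL + "?page=2": {"value": [{"@odata.type": GROUP_TYPE, "id": "group-2"}]},
}

if __name__ == "__main__":
    token_claims = {"name": "constructed user", "hasgroups": "true"}
    print(sorted(resolve_groups(token_claims, SAMPLE_PAGES.__getitem__)))
    print(is_authorized(token_claims, "group-2", SAMPLE_PAGES.__getitem__))
```

The presence of `hasgroups` only says that memberships exist, so an authorization check has to compare the resolved IDs, not the flag.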