Reputation: 322
I am using Azure AD for IAM on my application. The users are onboarded to a group (AD group) and the group is assigned Azure app roles from the enterprise application; the Azure app roles define the functionality the users of the group can perform. I want both the AD group and the Azure app roles to be returned in the ID token, and I am able to fetch both of them, but I am getting duplicated groups in it, and the number of duplicates depends on the number of app roles assigned to the group, because of which my token size is increasing unnecessarily.
For example, I have the group Application-Admin, and I have 3 app roles assigned to it via the enterprise application. PFB the sample token:
groups: [Application-Admin, Application-Admin, Application-Admin],
roles: [ABC, BCD, UDF]
I have a couple of questions
Upvotes: 1
Views: 482
Reputation: 96
I was able to test this in my lab and got it to work without duplicating the group name. It's the "Select group types to include in Access, ID, and SAML tokens" parameter which causes the group name duplication.
Kindly try the following claim configuration:
The output would show 1 group name with 3 roles assigned:
For your question related to token size, there is no size limit for a JWT token; however, it can have a maximum of 200 groups in a claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application that it should query the Microsoft Graph API to retrieve the user's group membership. Ref link: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim
Thanks
Upvotes: 1
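As an added example (not part of the question or the answer above, and not Microsoft's code), the following Python shows how an application can read the groups and roles claims out of an ID token payload, collapse the duplicated group entries the question describes, and detect the groups overage claim mentioned in the answer so it knows it must fall back to Microsoft Graph. The token payloads, the application ID and the Graph endpoint value are constructed placeholders; the overage structure (`_claim_names` mapping `groups` to an entry in `_claim_sources`) is the shape Azure AD documents for the overage claim. The decoder only parses the payload; it does not verify the signature, so a real application must validate the token (signature, issuer, audience, expiry) with a JWT library before trusting any claim.

```python
import base64
import json

# Constructed sample payloads (not real Azure AD tokens).
# SAMPLE_PAYLOAD reproduces the duplicated groups from the question.
SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "groups": ["Application-Admin", "Application-Admin", "Application-Admin"],
    "roles": ["ABC", "BCD", "UDF"],
}

# OVERAGE_PAYLOAD shows the groups overage claim: "groups" is absent and
# _claim_names/_claim_sources point the app at Microsoft Graph instead.
OVERAGE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "roles": ["ABC"],
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        # placeholder endpoint value; the real token carries a Graph URL here
        "src1": {"endpoint": "https://graph.placeholder.example/getMemberObjects"}
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(payload: dict) -> str:
    """Build a header.payload.signature string for the demo only.
    The signature segment is a placeholder, so this token would (and should)
    fail verification in any real validator."""
    header = {"alg": "RS256", "typ": "JWT"}  # constructed header
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Only use this for inspection; validate the token before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def _dedupe(values):
    # Order-preserving de-duplication so the repeated group collapses to one.
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def extract_authz(claims: dict) -> dict:
    """Extract group and app-role information from an ID token payload.

    groups/roles are de-duplicated. groups_overage is True when Azure AD has
    replaced the groups claim with the overage claim; the caller must then
    query Microsoft Graph (the source entry is returned as groups_source)
    rather than treating the user as having no groups."""
    claim_names = claims.get("_claim_names", {})
    overage = "groups" in claim_names
    source = None
    if overage:
        source = claims.get("_claim_sources", {}).get(claim_names["groups"])
    return {
        "groups": _dedupe(claims.get("groups", [])),
        "roles": _dedupe(claims.get("roles", [])),
        "groups_overage": overage,
        "groups_source": source,
    }


if __name__ == "__main__":
    print(extract_authz(decode_claims(make_demo_token(SAMPLE_PAYLOAD))))
    print(extract_authz(OVERAGE_PAYLOAD))
```

The important design point is the overage branch: an application that simply reads `claims.get("groups", [])` will silently see an empty list for users in more than the overage limit of groups, which usually means a quiet loss of access (or, if the app treats "no groups" as a default, a quiet grant). Checking `_claim_names` first makes that case explicit.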