Entra AD - How can I get AD group information?
How can I get the AD groups an Entra login is in?
9 Replies
I believe this comes across when you turn on the setting for it in the connector's configuration.
I have those settings ticked, but where does it go? How can you then find it for your user?
Is the group information meant to be in the token?
Because I can't see it
Do you need to add groups on the Entra side that allow this to be visible?
Sorry, I can't help much further as I don't use the groups functionality, but yes, I would imagine that if AAD isn't sending the groups across, Kinde would need that data. I'm not sure what claims they are mapping from AAD for it.
Me either, and the documentation doesn't really tell me; the only bit I think does is this:
Access group info in tokens
ID token - ext_provider > claims > profile > groups
Access token - ext_groups
But I have no idea what that alludes to.
I believe there is JSON data in
https://graph.microsoft.com/v1.0/$metadata#users/$entity
(which gets added when you tick "include extended user profile"). Could the groups be inside that JSON? (The claim contains a separate JSON payload IIRC.)
I don't see my groups in there.
I have gone through the documentation from Kinde and MS many times, ticked and unticked boxes to see if I can get the information.
I'm assuming it's in the token, which I looked up on jwt.io, but I can't see it there.
The graph app manifest for my tenant is this:
"optionalClaims": {
    "accessToken": [
        {
            "additionalProperties": [],
            "essential": false,
            "name": "groups",
            "source": null
        }
    ],
    "idToken": [
        {
            "additionalProperties": [],
            "essential": false,
            "name": "groups",
            "source": null
        }
    ],
    "saml2Token": [
        {
            "additionalProperties": [],
            "essential": false,
            "name": "groups",
            "source": null
        }
    ]
},
So it all looks correct, and I have ticked all the boxes in Kinde to be able to use this too.
OK, so I have found the problem (I'm using the option: Use your own sign-up and sign-in screens). For some reason, with the Entra login it doesn't return the added token information.
OK, I have worked out where the issue is.
So I recently started using the Entra ID login as our clients have requested this. I noticed I wasn't getting the ext_group (group) information in the access token. I'm using my own login option, which I have done already with Google, Microsoft etc. and have no issues; having said that, I haven't tried sending back ext information on the token with those options.
So I get the correct information back in the access token {ext_group: [guids]} when I use the Kinde-powered login page. On my custom login page I'm using the React {login} hook.
The React library uses this library to set up the provider, but the provider automatically sets the login URL to https://{domain}/oauth2/auth. Using this URL, the access token doesn't return the extra information.
The Kinde login page uses https://{domain}/authentication/authentication_social as the login URL, which does return the correct information in the token.
I'm wondering if we would be able to change or add a way to use this URL with the React login hook?
Or fix the /oauth2/auth Kinde backend to return the correct token as it does on the /authentication/authentication_social URL.
Hi @Neurath,
Thanks for the detailed explanation. I'll take a look at this and investigate further to see how we can resolve the issue with the token information on your custom login page.
I'll get back to you shortly with an update.