Azure B2C: How do I get the "group" claim in a JWT token?

In the Azure B2C, I used to be able to get a "groups" claim in my JWT tokens by following Retrieving Azure AD Group information with JWT:

  • Open the old-school Azure manager (https://manage.windowsazure.com)
  • Register my application with B2C
  • Download the B2C manifest for the application
  • In the manifest, change the "groupMembershipClaims" entry to

    "groupMembershipClaims": "SecurityGroup",

  • Upload the changed B2C manifest again

The problem

This has worked well in the past (about a month ago, I believe...) but it doesn't anymore. See below for details...

What I've tried so far

Plan A: Use Azure Manager

Follow the known-good recipe above.

Unfortunately that doesn't work anymore - I get the following error when this client tries to authenticate me with B2C:

AADB2C90068: The provided application with ID '032fe196-e17d-4287-9cfd-25386d49c0d5' is not valid against this service. Please use an application created via the B2C portal and try again

OK, fair enough - they're moving us to the new Portal.

Plan B: Use Azure Portal

Follow the good old recipe, using the new Portal.

But that doesn't work either - when I get to the "download manifest" part, I cannot find any way to access the manifest (and Googling tells me it's probably gone for good...).

Plan C: Mix Azure Portal and manager

Getting a little desperate, I tried mixing plans A and B: register the app using the new Portal, then change the manifest using the old Azure Manager.

But no luck - when I try to upload the manifest, it fails with the message

ParameterValidationException=Invalid parameters provided; BadRequestException=Updates to converged applications are not allowed in this version.

Plan Z: Use the Graph API to retrieve group membership data

Just give up the "group" claim - instead, whenever I need group info, just query the B2C server using the Graph API.

I really, really don't want to do this - it would ruin the self-contained-ness of the access token, and make the system very "chatty".

But I've included it as a plan Z here, just to say: yes, I know the option exists, no I haven't tried it - and I'd prefer not to.

The question:

How do I get the "group" claim in my JWT token these days?
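As an added illustration (not part of the original question) of the trade-off between the self-contained "groups" claim and the Plan Z Graph lookup, here is a small Python helper that reads the claim from a token payload and only falls back to an injected lookup callable when the claim is missing. The sample payload, the group IDs and the `graph_lookup` callable are constructed placeholders; signature, issuer, audience and expiry validation are assumed to have been done by a JWT library before this code runs.

```python
import base64
import json
import time
from typing import Callable, Iterable, Optional

# Constructed sample payload of a B2C-issued JWT carrying a "groups" claim.
# The audience is the app ID quoted in the question; group IDs are placeholders.
SAMPLE_PAYLOAD = {
    "aud": "032fe196-e17d-4287-9cfd-25386d49c0d5",
    "exp": int(time.time()) + 3600,
    "sub": "user-object-id-placeholder",
    "groups": ["group-id-placeholder-1", "group-id-placeholder-2"],
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _payload(token: str) -> dict:
    """Return the decoded payload (second dot-separated segment) of a JWT."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def build_test_jwt(payload: dict) -> str:
    """Build an unsigned header.payload. string for offline tests only;
    production tokens are signed by B2C and must be verified before use."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

def groups_from_token(token: str) -> Optional[list]:
    """Return the 'groups' claim as a list, or None if the token has none.
    Assumes the caller already validated the token with a JWT library."""
    groups = _payload(token).get("groups")
    return list(groups) if isinstance(groups, list) else None

def user_in_group(token: str, group_id: str,
                  graph_lookup: Optional[Callable[[str], Iterable[str]]] = None) -> bool:
    """Answer from the self-contained claim when it is present (Plan A/B).
    Only when the claim is absent, consult the hypothetical Graph lookup
    (Plan Z), which receives the user's object ID; with no fallback, deny."""
    groups = groups_from_token(token)
    if groups is not None:
        return group_id in groups
    if graph_lookup is None:
        return False  # never assume membership when no claim is available
    return group_id in set(graph_lookup(_payload(token)["sub"]))
```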



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
