Authorization Policy Claims Groups Referral

So now I have authorization policies working, I thought I would get it hooked up to Azure AD claims; however, it doesn't seem to be working.

I think this is because we have a lot of groups synced to Azure AD from AD, so there are too many to fit in the token and it contains a referral instead, like this:

Issuer         : https://sts.windows.net/a310a7f9-f31d-4633-9b97-bcf7564b6381/
OriginalIssuer : https://sts.windows.net/a310a7f9-f31d-4633-9b97-bcf7564b6381/
Properties     : {}
Subject        : System.Security.Claims.ClaimsIdentity
Type           : _claim_names
Value          : {"groups":"src1"}
ValueType      : JSON

Issuer         : https://sts.windows.net/a310a7f9-f31d-4633-9b97-bcf7564b6381/
OriginalIssuer : https://sts.windows.net/a310a7f9-f31d-4633-9b97-bcf7564b6381/
Properties     : {}
Subject        : System.Security.Claims.ClaimsIdentity
Type           : _claim_sources
Value          : {"src1":{"endpoint":"https://graph.windows.net/a310a7f9-f31d-4633-9b97-bcf7564b6381/users/d6989529-91f1-4bd5-a2c5-e5ed57616b27/getMemberObjects"}}
ValueType      : JSON

Am I correct in this assumption?

Looks like it.

In larger organizations the number of groups a user is a member of may exceed the limit that Azure Active Directory will add to a token: 150 groups for a SAML token, and 200 for a JWT. This can lead to unpredictable results. If this is a potential issue we recommend testing and, if necessary, waiting until we add enhancements to allow you to restrict the claims to the relevant groups for the application.

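The failure mode in the thread is that a `groups`-based policy sees no `groups` claim at all when the overage referral is present, so the user is simply denied with no indication why. The handler below is an added example (not code from the thread or from Microsoft) for ASP.NET Core 6+; it checks `groups` first, then detects the `_claim_names`/`_claim_sources` referral shown above and fails closed with the Graph endpoint recorded, instead of treating an absent list as "not a member". The group object id used when registering the policy is a placeholder.

```csharp
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authorization;

// Requirement: the signed-in user must be a member of the group with this object id.
public sealed class GroupRequirement : IAuthorizationRequirement
{
    public string GroupId { get; }
    public GroupRequirement(string groupId) => GroupId = groupId;
}

public sealed class GroupHandler : AuthorizationHandler<GroupRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupRequirement requirement)
    {
        // Normal case: the token carries the full groups list.
        if (context.User.HasClaim("groups", requirement.GroupId))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Overage case: the list was replaced by a referral. Membership is unknown,
        // not false, so fail closed and surface the endpoint that must be queried
        // (getMemberObjects) rather than silently denying.
        if (HasGroupsOverage(context.User, out var endpoint))
            context.Fail(new AuthorizationFailureReason(this,
                $"groups overage: membership must be resolved via {endpoint}"));

        return Task.CompletedTask;
    }

    // True when _claim_names maps "groups" to a source listed in _claim_sources.
    public static bool HasGroupsOverage(ClaimsPrincipal user, out string? endpoint)
    {
        endpoint = null;
        var names = user.FindFirst("_claim_names")?.Value;
        var sources = user.FindFirst("_claim_sources")?.Value;
        if (names is null || sources is null) return false;

        using var n = JsonDocument.Parse(names);
        if (!n.RootElement.TryGetProperty("groups", out var srcName)) return false;

        using var s = JsonDocument.Parse(sources);
        if (s.RootElement.TryGetProperty(srcName.GetString()!, out var src) &&
            src.TryGetProperty("endpoint", out var ep))
            endpoint = ep.GetString();
        return true;
    }
}
```

Register with `services.AddSingleton<IAuthorizationHandler, GroupHandler>()` and `options.AddPolicy("Admins", p => p.Requirements.Add(new GroupRequirement("<group-object-id>")))`; the failure reason then shows up in the authorization logs for users who hit the 150/200 group limit.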