Azure AD group claim authorization not working for me

My existing dashboard has been using Azure AD for the login method. I’m adding new pages that I want restricted to our help desk. I’ve created an authorization policy and applied it to the first restricted page. It successfully keeps the page from showing up, but for everyone, regardless of group membership. When I type the URL in to the page after login, I can see the page navbar and footer, but no content

So far I’ve validated my test users are showing in the group in Azure AD and the objectID of the group is correct in my script. I’ve also been using the troubleshooting tips from this post on GitHub:

I still haven’t figured out how to get the tokeb to parse it out. I tried the .NET object in PowerShell, but it didn’t recognize it. Trying to debug in PS returned a ‘cannot debug default runspace’ error (I’m sure I’m doing it wrong).

When I login in IE 11 with the debugger on and the ‘Wait-Debugger’, I do see a very long hash returned, but it’s so fast I can’t screenshot it. It returns to a blank screen after login.

I’m using version 2.1.0 Enterprise on IIS 10

my script:
$authPolicy = New-UDAuthorizationPolicy -Name “techs” -Endpoint {


Wait-Debugger #when troubleshooting

$User.HasClaim(“groups”, “3be93384-fce8-43bd-8e42-8dbdd41d750e”)


$loginPage = New-UDLoginPage -AuthenticationMethod $Method -Logo $Logo `

-PageBackgroundColor ‘#000000’ -WelcomeText ‘MULTI PASS’ `

-LoginFormBackgroundColor ‘#000000’ -LoginFormFontColor “#000000” -AuthorizationPolicy $authPolicy

Start-UDDashboard -Dashboard $login -Wait -AutoReload -PublishedFolder $folder -Endpoint $endpoint -Certificate $cert

Forgot to add: My Azure app has group read permissions set

When you are testing this you are running it all in IIS?

You will need to attach to the UD process if you are doing that.

You should be able to do that with:

Get-Process UniversalDashboard.Server | Enter-PSHostProcess

Once you do that, you should be able to call Get-Runspace and Debug-Runpsace to debug the correct runspace. From there, you should be able to see what the $User object’s values are.

I got this so far. When I try to call $user variable, the shell hangs and the browser goes into the home page. Still researching more debugging techniques (all new to me).

Found the problem. The “groupMembershipClaims” field in the AAD app manifest was set to null. Set it to “SecurityGroup” and everything is working now.