KB0068 - Group Membership Claims are Missing when using OpenID Connect (OIDC) and Azure Entra ID (Azure AD)

Scope

This issue affects users who want to retrieve group membership claims from Azure Entra ID (formerly Azure Active Directory) using OpenID Connect (OIDC) authentication.

Problem

No group membership claims are available within Apps when using the $ClaimsPrincipal variable. The claims are also not present when viewing claim information under Security \ Roles.

Root Cause

Azure Entra ID requires the app registration to be configured to emit group membership claims; otherwise no group claims are sent to the client during authentication.

Solution

In the Azure Entra ID app registration, open the manifest by clicking the Manifest link under the Manage section. In the JSON shown, find the option named "groupMembershipClaims". Setting its value to "All" ensures that the user's group membership claims are sent to the client.
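The following PowerShell is an added example, not code from the original article or from PowerShell Universal itself. It shows how to confirm that the groups claim actually arrived in the $ClaimsPrincipal that PowerShell Universal exposes, and how a role policy can key off it once the manifest change above is in place. The manifest fragment in the comments is the only setting the article describes; the group object IDs and the role name are placeholders, and the `New-PSURole -Policy` pattern assumes the standard roles.ps1 policy shape where `$User` is a ClaimsPrincipal.

```powershell
# Added example (not from the original article). Assumes the Entra ID app manifest contains:
#   "groupMembershipClaims": "All"
# and that PowerShell Universal supplies $ClaimsPrincipal (a System.Security.Claims.ClaimsPrincipal).
# Group object IDs below are placeholders.

function Get-EntraGroupClaims {
    param(
        [Parameter(Mandatory)]
        [System.Security.Claims.ClaimsPrincipal]$Principal
    )

    # Entra ID emits one "groups" claim per group, with the group's object ID as the value.
    $groups = @($Principal.FindAll('groups') | ForEach-Object { $_.Value })

    if ($groups.Count -eq 0) {
        # When the user belongs to more groups than fit in the token, Entra ID sends an
        # overage marker (_claim_names / _claim_sources) instead of the group list, and the
        # memberships have to be resolved through Microsoft Graph rather than read from the token.
        $overage = $Principal.Claims | Where-Object { $_.Type -eq '_claim_names' }
        if ($overage) {
            Write-Warning 'Group overage: token carries _claim_names, not the group list.'
        }
        else {
            Write-Warning 'No "groups" claim present. Check groupMembershipClaims in the app manifest.'
        }
    }

    return $groups
}

# Constructed sample principal so the function can be run offline; in PowerShell Universal
# you would pass the platform-provided $ClaimsPrincipal instead.
$identity = [System.Security.Claims.ClaimsIdentity]::new('OpenIdConnect')
$identity.AddClaim([System.Security.Claims.Claim]::new('groups', '11111111-1111-1111-1111-111111111111'))  # placeholder
$identity.AddClaim([System.Security.Claims.Claim]::new('groups', '22222222-2222-2222-2222-222222222222'))  # placeholder
$sample = [System.Security.Claims.ClaimsPrincipal]::new($identity)

Get-EntraGroupClaims -Principal $sample   # lists the two placeholder group IDs

# Role policy for roles.ps1 (assumed pattern): grant the role only when the token carries
# the placeholder group's object ID as a "groups" claim. Matching on the object ID rather
# than a display name avoids granting access to a renamed or look-alike group.
New-PSURole -Name 'Operators' -Policy {
    param($User)
    $User.HasClaim('groups', '11111111-1111-1111-1111-111111111111')  # placeholder group object ID
}
```

If the function reports a missing "groups" claim after the manifest has been set to "All", the token was issued before the change; sign out and authenticate again so a fresh token is obtained. If it reports an overage marker, the claim is present in principle but the group list is too large to embed in the token, which the manifest setting alone does not resolve.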
