KB0068 - Group Membership Claims are Missing when using OpenID Connect (OIDC) and Azure Entra ID (Azure AD)

Scope

This issue affects users wishing to retrieve group membership claims from Azure Entra ID (formerly Azure Active Directory) when using OpenID Connect (OIDC) authentication.

Problem

No group membership claims are available within Apps when using the $ClaimsPrincipal variable. The claims are also not present when viewing the claim information under Security \ Roles.

Root Cause

Azure Entra ID only sends group membership claims to clients during authentication if the app registration is configured to allow it.

Solution

Within the Azure Entra ID app registration, open the manifest by clicking the Manifest link under the Manage section. In the JSON displayed there is a property named "groupMembershipClaims". Setting its value to "All" ensures that the user's group membership claims are sent to the client during authentication.
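The following is an added example for this article, not code from the article itself or from the PowerShell Universal project. It covers both sides of the fix: validating an exported app registration manifest for the "groupMembershipClaims" property, and inspecting a ClaimsPrincipal to confirm that group claims actually arrived after the change. The sample manifest and sample principal are constructed so the script runs outside PowerShell Universal; inside an App or endpoint you would pass the platform-provided $ClaimsPrincipal instead. The claim type names ("groups", "hasgroups", "_claim_names") and the list of accepted manifest values are assumptions based on Entra ID token behaviour, not something the article states.

```powershell
# Added example (not from the KB article or from PowerShell Universal).
#   Test-ManifestGroupClaims - validates the "groupMembershipClaims" property of an
#                              exported app registration manifest.
#   Get-GroupClaimStatus     - inspects a ClaimsPrincipal for group claims and separates
#                              "setting missing" from "too many groups for the token".
using namespace System.Security.Claims

function Test-ManifestGroupClaims {
    param([Parameter(Mandatory)][string] $ManifestJson)

    $manifest = $ManifestJson | ConvertFrom-Json
    $raw = $manifest.groupMembershipClaims

    # Values the manifest property accepts (assumption); "All" is what the KB recommends.
    # Combinations are written comma-separated, e.g. "SecurityGroup, ApplicationGroup".
    $known  = 'None', 'SecurityGroup', 'DirectoryRole', 'ApplicationGroup', 'All'
    $values = if ([string]::IsNullOrWhiteSpace($raw)) { @() }
              else { @($raw -split ',' | ForEach-Object Trim) }

    $unknown     = @($values | Where-Object { $_ -notin $known })
    $sendsGroups = ($values.Count -gt 0) -and ('None' -notin $values) -and ($unknown.Count -eq 0)

    [pscustomobject]@{
        GroupMembershipClaims = $raw
        SendsGroupClaims      = $sendsGroups
        UnknownValues         = $unknown
    }
}

function Get-GroupClaimStatus {
    param([Parameter(Mandatory)][ClaimsPrincipal] $Principal)

    # Entra ID emits one "groups" claim per group, carrying the group object ID (assumption).
    $groups = @($Principal.FindAll('groups') | ForEach-Object Value)

    # When a user belongs to more groups than fit in the token, Entra ID omits "groups"
    # and signals an overage instead (assumed claim types). Reported separately so it is
    # not misread as the manifest setting still being missing.
    $overage = @($Principal.Claims | Where-Object { $_.Type -in 'hasgroups', '_claim_names' }).Count -gt 0

    $status = if ($groups.Count -gt 0) { 'OK' }
              elseif ($overage)        { 'GroupOverage' }
              else                     { 'NoGroupClaims' }

    [pscustomobject]@{
        User       = $Principal.Identity.Name
        GroupCount = $groups.Count
        Groups     = $groups
        Status     = $status
    }
}

# Constructed sample manifest fragment containing only the property this KB is about.
$sampleManifest = '{ "appId": "00000000-0000-0000-0000-000000000000", "groupMembershipClaims": "All" }'

# Constructed sample principal standing in for PowerShell Universal's $ClaimsPrincipal.
$identity = [ClaimsIdentity]::new('Constructed', 'name', 'roles')
$identity.AddClaim([Claim]::new('name',   'alice@contoso.example'))
$identity.AddClaim([Claim]::new('groups', '11111111-1111-1111-1111-111111111111'))
$identity.AddClaim([Claim]::new('groups', '22222222-2222-2222-2222-222222222222'))
$samplePrincipal = [ClaimsPrincipal]::new($identity)

Test-ManifestGroupClaims -ManifestJson $sampleManifest
Get-GroupClaimStatus -Principal $samplePrincipal

# Inside a PowerShell Universal App, endpoint or script, use the platform variable instead:
# Get-GroupClaimStatus -Principal $ClaimsPrincipal
```

Run Get-GroupClaimStatus from an App after changing the manifest: a result of NoGroupClaims means the setting has not taken effect (or the user has not re-authenticated to get a fresh token), while GroupOverage means the setting is working but the user is in too many groups for the claims to be embedded in the token, which is a different problem from the one this article describes.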

Related Articles

    • OpenID Connect does not work with HTTP
    • KB0058 - PowerShell Universal Browser Times Out Before Session Timeout When Using OIDC
    • KB0079 - gRPC Issues when using PowerShell Universal v5 Cmdlets
    • KB0033 - How to use Connect-PSUServer
    • KB0026 - Authentication failure when connecting to BitBucket using a HTTP Access Token