
Azure AD : can't get groups for guest azure ad users

azure-ad

#1

I’ve got an Azure AD where some guest users from another Azure AD are added. Those guest accounts are added to groups in the first AD.

In Auth0, I’ve got an Azure AD connection to the first AD. When I log in with this connection in Auth0 with a guest account, it seems I don’t receive the security groups, but if I log in with a user directly in the first AD I receive them.

Is this a limitation of Azure AD or Auth0?


#2

The toggle you can enable in the Azure AD configuration to retrieve group information just triggers an additional call to the Graph API when querying the user information against Azure AD, so it’s highly likely that the behavior you’re experiencing comes from Azure AD not returning information for those users as part of that call. Having said that, you could check if you are able to obtain that information directly from the Graph API for the users in question in order to have more concrete information.


#3

From the tests I’ve made, the Graph API seems to expose the information.

I called this route:
https://graph.windows.net/%%tenant%%.onmicrosoft.com/users/%%guest user ObjectId in tenant%%/$links/memberOf?api-version=1.6

And it returns the groups I added the guest user to in the Azure AD.


#4

@jmangelo, I don’t know which Graph API Auth0 is calling, but I’ve been able to work around the problem with this rule:

    function (user, context, callback) {
        if (user.identities[0].provider !== 'waad')
            return callback(null, user, context);
    
        var aad_access_token = user.identities[0].access_token;
    
        // call Azure's graph api to get information about the user
        // ('request' is provided as a global inside Auth0 rules)
        var baseUrl = 'https://graph.windows.net/' + user.tenantid + '/users/' + user.oid;
        console.log('baseUrl:' + baseUrl);
        var apiRequest = function (segment, nullEncoding, callback) {
            var options = {
                url: baseUrl + '/' + segment + '?api-version=1.6',
                headers: {
                    'Authorization': 'Bearer ' + aad_access_token
                }
            };
            if (nullEncoding) {
                options.encoding = null;
            }
            console.log('Requesting to ' + options.url);
            request(options, function (err, response, body) {
                if (err) {
                    console.log("Error when calling " + options.url);
                    console.log(err);
                }
    
                callback(err, response, body);
            });
        };
    
        var getMemberOf = function (cb) {
            apiRequest('memberOf', false, function (err, response, body) {
                // every branch must invoke cb, otherwise the rule never completes
                if (err) return cb(err);
                if (response.statusCode !== 200) {
                    return cb(new Error('Graph API returned HTTP ' + response.statusCode));
                }
                var memberOf;
                try {
                    memberOf = JSON.parse(body);
                } catch (parseErr) {
                    return cb(parseErr);
                }
                console.log(memberOf);
                cb(null, memberOf);
            });
        };
    
        getMemberOf(function (err, memberOf) {
            // fail the login rather than silently continuing with no groups
            if (err) return callback(err);
    
            var filteredGroups = (memberOf.value || [])
                .filter(function (group) {
                    return group.objectType === 'Group';
                }).map(function (g) {
                    return g.displayName;
                });
    
            user.app_metadata = user.app_metadata || {};
            user.app_metadata.groups = filteredGroups;
    
            auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
                .then(function () {
                    callback(null, user, context);
                })
                .catch(function (err) {
                    callback(err);
                });
        });
    }
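The memberOf response handling from the rule above, as an added example that is not part of the thread: a hypothetical `extractSecurityGroups` helper that only accepts a complete, well-formed 200 response, drops non-group directory objects, keeps `objectId` alongside the display name, and by default keeps only security-enabled groups. The response body is constructed sample data in the shape of an Azure AD Graph 1.6 `memberOf` reply.

```javascript
// Constructed sample of an Azure AD Graph 1.6 memberOf response (not real data).
const SAMPLE_STATUS = 200;
const SAMPLE_BODY = JSON.stringify({
  value: [
    { objectType: 'Group', objectId: '11111111-1111-1111-1111-111111111111',
      displayName: 'Finance', securityEnabled: true, mailEnabled: false },
    { objectType: 'DirectoryRole', objectId: '22222222-2222-2222-2222-222222222222',
      displayName: 'Global Administrator' },
    { objectType: 'Group', objectId: '33333333-3333-3333-3333-333333333333',
      displayName: 'Newsletter', securityEnabled: false, mailEnabled: true }
  ]
});

// Hypothetical helper (not from the thread). Returns { ok: true, groups } only for
// a complete, parseable 200 response; otherwise { ok: false, reason } so the caller
// can fail the login instead of overwriting stored groups with a partial list.
function extractSecurityGroups(statusCode, body, opts) {
  const securityOnly = !(opts && opts.includeDistributionLists);
  if (statusCode !== 200) {
    return { ok: false, reason: 'HTTP ' + statusCode };
  }
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (!parsed || !Array.isArray(parsed.value)) {
    return { ok: false, reason: 'missing value array' };
  }
  if (parsed['odata.nextLink']) {
    // The AAD Graph pages large memberships; a page we did not follow is incomplete.
    return { ok: false, reason: 'paged response not followed' };
  }
  const groups = parsed.value
    .filter(o => o.objectType === 'Group' && (!securityOnly || o.securityEnabled === true))
    .map(o => ({ objectId: o.objectId, displayName: o.displayName }));
  return { ok: true, groups };
}
```

Storing `objectId` as well as `displayName` matters because display names can be renamed, whereas the object id is what an authorization decision should key on.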

#5