Enterprise Mobility and Security Blog


Howdy folks,

Today I’m pleased to announce the preview release of two new features of the Azure AD authorization platform: group claims and application roles.

As of Monday (12/15), 5565 third party and custom LOB applications (note: this number does not include the 2400+ SaaS apps in the Azure AD App Gallery) were being actively used with Azure AD and support for these additional claims is one of the top requests we’ve received from the developers of those applications. These features make it simple for developers to integrate access management of their cloud applications with groups in Azure Active Directory.

  • Groups claim: Group claims make it easy for custom applications to support sharing across groups of other users in an organization. These kinds of applications can now easily use the group information in Azure AD tokens to make it easy for users to share access with the people they work with, as represented by the groups in their organization’s Active Directory. This simplifies sharing and access management by eliminating the need to manage group membership in multiple apps.


  • Application roles: Cloud applications can now use Azure AD for roles-based access control (RBAC). All developers need to do is declare a set of roles in Azure AD that the application needs for authorization. Admins of the customer’s organization can then assign those roles to users and groups using the Azure management portal. At sign-in time, Azure AD determines what application roles are assigned to the user, and includes a roles claim in the token. Applications can inspect the token and use the roles claim to authorize the user. Administrators will love this feature because the data about who has what type of access to which application is all stored in one central place (Azure AD).

To learn more about these features, read on!

Groups Claim

When the groups claim is enabled for an application, Azure AD includes a claim in the JWT and SAML tokens that contains the object identifiers (objectId) of all the groups to which the user belongs, including transitive group membership.

To ensure that the token size doesn’t exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user’s group membership.

Conceptually, this is similar to Active Directory’s capability of including token groups in Kerberos tickets and the file server application allowing users to share access to files with AD security groups.

See the new groups claim sample published in the Azure AD samples github repo: https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet

Read this deep dive post to learn how you can implement groups claim for your app: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/

Application Roles

The global administrator or the user administrator of an Organization can assign users and groups to applications in Azure AD. With this preview release, the assignment can be done to a specific role of the application. Today, users inherit role assignments only from direct group membership. In a future release we will enable assignment of application roles to users via nested group membership also.

Further, we have integrated application roles with Azure AD common consent framework: Azure AD consent framework already enables web and mobile applications to request for OAuth2Permissions to WebAPIs (e.g. Office 365 APIs). Now, Azure AD also allows web applications and web APIs that act as clients to request for application roles of resource applications to be assigned to them.

See the new application roles sample published in the Azure AD samples github repo: https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet

Read this deep dive post to learn how you can implement application roles for your app: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/

I hope you’ll find these new feature useful for building applications!

And as always, we’d love to receive any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Systems Division