
Advanced options for group_membership_claims in AD application #1081

vittoriocanilli opened this issue Apr 25, 2023 · 7 comments

vittoriocanilli commented Apr 25, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently the group_membership_claims of an Azure AD application can be set to either None, SecurityGroup, DirectoryRole, ApplicationGroup or All. I would like to be able to set the advanced options, as I need only groups with a certain prefix; I can do it on the Azure portal, as shown on this picture:

Screenshot 2023-04-25 at 10 21 16

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

This is just a possible suggestion of how the setup could be made:

resource "azuread_application" "example" {
  display_name            = "example"
  group_membership_claims = ["All"]
  # Proposed block (does not exist in the provider): filter the emitted groups
  group_membership_claims_advanced_opts {
    filter_groups {
      attribute_to_match = "display_name"
      match_with         = "prefix"
      string             = "some-prefix-"
    }
  }
}

References

@vittoriocanilli vittoriocanilli changed the title Filter for group_membership_claims in AD application Advanced options for group_membership_claims in AD application Apr 25, 2023
@drdamour

@vittoriocanilli FYI the filtering settings aren't associated with the application registration (azuread_application); they are associated with the service principal / enterprise application, so they can be specific to each tenant.

@vittoriocanilli (Author)

@drdamour thanks for pointing this out. So I guess that my Potential Terraform Configuration should be changed into:

resource "azuread_application" "example" {
  display_name            = "example"
  group_membership_claims = ["All"]
  # ...
}

resource "azuread_service_principal" "example-sp" {
  application_id = azuread_application.example.application_id
  # Proposed block (does not exist in the provider): filter the emitted groups
  group_membership_claims_advanced_opts {
    filter_groups {
      attribute_to_match = "display_name"
      match_with         = "prefix"
      string             = "some-prefix-"
    }
  }
  # ...
}

For me it would still work perfectly. Unfortunately I could not find anything helpful for my issue in the documentation of azuread_service_principal (AzureAD 2.41.0).

@drdamour

Man... I dug into this a bit and got pretty stumped. It appears the portal refers to this as something called defaultClaimIssuancePolicy:

"defaultClaimIssuancePolicy": {
    "version": 1,
    "defaultTokenType": "JWT",
    "allowPassThruUsers": "true",
    "includeBasicClaimSet": "True",
    "claimsSchema": [],
    "claimsTransformations": [],
    "groupFilter": {
        "matchOn": "samAccountName",
        "type": "prefix",
        "value": "App "
    },
    "issuerWithApplicationId": false,
    "audienceOverride": null,
    "crossTenantRestrictions": true,
    "requireCustomSigningKey": true
},

which kinda sounds like a TokenIssuancePolicy (https://learn.microsoft.com/en-us/graph/api/resources/tokenissuancepolicy?view=graph-rest-beta) and kinda sounds like a ClaimsMappingPolicy; I think it's some older concept (it's referenced in ADFS docs) that has been superseded, maybe?

I was able to get a policy created and applied with

resource "azuread_claims_mapping_policy" "limit_groups_to_prefix_of_app" {
  definition = [
    jsonencode(
      {
        TokenIssuancePolicy = {
          Version = 1,
          ClaimsSchema = []
          ClaimsTransformations = []
          GroupFilter = {
            MatchOn = "samAccountName"
            Type = "prefix"
            Value = "App "
          }
        }
      }
    ),
  ]
  display_name = "Limit Groups to Prefix of App"
}

resource "azuread_service_principal_claims_mapping_policy_assignment" "limit_groups_to_prefix_of_app" {
  claims_mapping_policy_id = azuread_claims_mapping_policy.limit_groups_to_prefix_of_app.id
  service_principal_id     = azuread_service_principal.vnd.id
}

and it worked... but it does NOT show in the portal as expected; instead it says it was overridden by policy.
image

I haven't got as far as manually assigning a token issuance policy to the service principal yet because I've gotta install the beta MS Graph PowerShell to try. I will try later tonight, but I suspect it won't show up but will still work... in which case what this request may be is an azuread_token_issuance_policy resource and an azuread_service_principal_token_issuance_policy_assignment resource.
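To make the group filter in the policy above concrete, here is an added example (not from the thread, the provider or Microsoft): it converts the portal's defaultClaimIssuancePolicy fragment into the definition string used by azuread_claims_mapping_policy and simulates which groups the prefix/suffix/contains filter would leave in the groups claim. The key mapping between the two shapes and the rule that groups lacking the matched attribute never match are assumptions made for illustration.

```python
import json

# Constructed copy of the relevant part of the portal's
# "defaultClaimIssuancePolicy" fragment shown in the thread (lowerCamelCase keys).
PORTAL_POLICY = {
    "version": 1,
    "claimsSchema": [],
    "claimsTransformations": [],
    "groupFilter": {"matchOn": "samAccountName", "type": "prefix", "value": "App "},
}

# Constructed sample directory groups; the last one has no samAccountName.
SAMPLE_GROUPS = [
    {"displayName": "App Readers", "samAccountName": "App Readers"},
    {"displayName": "Finance", "samAccountName": "Finance"},
    {"displayName": "Ops App Team", "samAccountName": "OpsAppTeam"},
    {"displayName": "App Cloud Only"},
]


def portal_to_claims_mapping_definition(portal: dict) -> str:
    """Assumed mapping: portal lowerCamelCase keys -> PascalCase keys of the
    TokenIssuancePolicy document used in azuread_claims_mapping_policy.definition."""
    gf = portal["groupFilter"]
    doc = {
        "TokenIssuancePolicy": {
            "Version": portal["version"],
            "ClaimsSchema": list(portal.get("claimsSchema", [])),
            "ClaimsTransformations": list(portal.get("claimsTransformations", [])),
            "GroupFilter": {"MatchOn": gf["matchOn"], "Type": gf["type"], "Value": gf["value"]},
        }
    }
    return json.dumps(doc)


def filter_groups(groups: list, group_filter: dict) -> list:
    """Simulate the filter: keep only groups whose matched attribute satisfies
    the prefix/suffix/contains test; unknown match types are rejected loudly."""
    attr = group_filter["matchOn"]
    kind = group_filter["type"].lower()
    needle = group_filter["value"]
    matchers = {
        "prefix": lambda s: s.startswith(needle),
        "suffix": lambda s: s.endswith(needle),
        "contains": lambda s: needle in s,
    }
    if kind not in matchers:
        raise ValueError(f"unsupported group filter type: {kind!r}")
    # Assumption: a group without the matched attribute never matches.
    return [g for g in groups if attr in g and matchers[kind](g[attr])]
```

Fewer groups in the token also keeps the claim below the group-overage limit, which is the usual reason to filter in the first place.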

@drdamour

Looking deeper, it seems token issuance policies can only be assigned to applications, not service principals, so that can't be the right thing... this stuff is pretty dense.

@valentinahermann

Any updates on this topic? We are facing the same issue. Thx.

@edauti-op

Hi @vittoriocanilli, did you find a solution/workaround so far? Thank you!

@vittoriocanilli (Author)

Hi @edauti-op, unfortunately I didn't find any solution/workaround: I still have to insert that prefix manually 😞
