Advanced options for group_membership_claims in AD application #1081
Comments
@vittoriocanilli FYI the filtering settings aren't associated with the application registry (azuread_application), they are associated with the service principal / enterprise application so they can be specific to each tenant.
@drdamour thanks for pointing this out. So I guess that my Potential Terraform Configuration should be changed into:

```hcl
resource "azuread_application" "example" {
  display_name            = "example"
  group_membership_claims = ["All"]
  ...
}

resource "azuread_service_principal" "example-sp" {
  application_id = azuread_application.example.application_id

  group_membership_claims_advanced_opts {
    filter_groups {
      attribute_to_match = "display_name"
      match_with         = "prefix"
      string             = "some-prefix-"
    }
    ...
  }
}
```

For me it would still work perfectly. Unfortunately I could not find anything helpful for my issue in the documentation of azuread_service_principal (AzureAD 2.41.0).
man...i dug into this a bit and got pretty stumped. It appears the portal refers to this as something called defaultClaimIssuancePolicy:
which kinda sounds like a TokenIssuancePolicy https://learn.microsoft.com/en-us/graph/api/resources/tokenissuancepolicy?view=graph-rest-beta and kinda sounds like a ClaimsMappingPolicy; I think it's some older concept (it's referenced in ADFS docs) that has been superseded maybe? I was able to get a policy created and applied with
and it worked...but it does NOT show in portal as expected, instead it says it was overridden by policy. Haven't got as far as manually assigning a token issuance policy to the service principal yet cause gotta install beta MS Graph PowerShell to try, will try later tonight, but suspect it won't show up but will still work...in which case what this request may be is an azuread_token_issuance_policy resource and an azuread_service_principal_token_issuance_policy_assignment resource
looking deeper it seems token issuance policies can only be assigned to applications, not service principals so that can't be the right thing...this stuff is pretty dense
any updates on this topic? We are facing the same issue. Thx.
Hi @vittoriocanilli, did you find a solution/workaround so far? Thank you!
Hi @edauti-op unfortunately I didn't find any solution/workaround: I still have to insert that prefix manually 😞
Description
Currently the `group_membership_claims` of an Azure AD application can be set to either None, SecurityGroup, DirectoryRole, ApplicationGroup or All. I would like to be able to set the advanced options, as I need only groups with a certain prefix; I can do it on the Azure portal, as shown on this picture:
New or Affected Resource(s)
Potential Terraform Configuration
This is just a possible suggestion of how the setup could be made:
References