Yvand/EntraCP

AzureAD Groups not returned: 18.0.20201120.1245

Closed this issue · 2 comments

I created a Security group in Azure AD but it is not returned by AzureCP.
I have "Retrieve Azure AD groups" checked in the configuration.

I also tried checking "Return security-enabled groups only" but that made no difference.

I thought it might have to do with the permissions assigned to the App Registration in AAD, so I added specific permission to Group.Read.All and Directory.Read.All (both Delegated and Application) but it didn't work.

I removed all permissions from the App and it still returned Users but still did not return Groups.

What can I do to diagnose/fix this?

Yvand commented

@vargasfe the only permissions that are required, and that should be actually configured, are “Group.Read.All” and “User.Read.All” of type application (not delegated).
Please make sure you followed exactly the steps documented in https://yvand.github.io/AzureCP/Register-App-In-AAD.html.

Can you also check the SharePoint logs and filter on product/area "AzureCP" when you search for groups?

Yvan,

I figured it out. It turns out that the SPTrustedIdentityTokenIssuer did not have the role claim.
Fixed it by adding the claim to the SPTrustedIdentityTokenIssuer and then adding the mapping.

# Name of the SPTrustedIdentityTokenIssuer that fronts Azure AD
$Name = "The name of your Trusted Identity Provider"
$ap = Get-SPTrustedIdentityTokenIssuer $Name
# Register the role claim type on the trust so role claims in the token are accepted
$ap.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$ap.Update()

# Map the incoming role claim to a SharePoint claim of the same type (this carries group membership)
$map6 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap = Get-SPTrustedIdentityTokenIssuer $Name
Add-SPClaimTypeMapping -Identity $map6 -TrustedIdentityTokenIssuer $ap
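A quick check for the condition diagnosed above, added here as an example and not part of the issue or the EntraCP project: it reports whether a trust has the role claim type registered and a claim mapping for it. It assumes the SharePoint PowerShell snap-in is available on the server and that the trust name passed in is a placeholder to replace.

```powershell
# Added diagnostic (not from the thread): does the trust accept the role claim and map it?
# Assumes the SharePoint snap-in is installed; the trust name below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-TrustRoleClaim {
    param([Parameter(Mandatory)][string]$TrustName)

    $roleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    $trust = Get-SPTrustedIdentityTokenIssuer $TrustName -ErrorAction Stop

    # 1. Is the role claim type registered on the trust at all (ClaimTypes list)?
    $hasClaimType = $trust.ClaimTypes -contains $roleClaim

    # 2. Is there a claim type mapping whose incoming claim type is the role claim?
    $mapping = $trust.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $roleClaim }

    $mappedTo = $null
    if ($mapping) { $mappedTo = $mapping.MappedClaimType }

    if ($hasClaimType -and $mapping) {
        $verdict = "OK: role claims are accepted and mapped, groups can be resolved"
    } elseif (-not $hasClaimType) {
        $verdict = "Missing: role claim type is not registered on the trust"
    } else {
        $verdict = "Missing: role claim type present but no claim mapping for it"
    }

    [pscustomobject]@{
        Trust           = $trust.Name
        RoleClaimType   = $hasClaimType
        RoleMapping     = [bool]$mapping
        MappedClaimType = $mappedTo
        Verdict         = $verdict
    }
}

# Placeholder trust name; replace with the name of your SPTrustedIdentityTokenIssuer
Test-TrustRoleClaim -TrustName "The name of your Trusted Identity Provider" | Format-List
```

Run it before and after the fix above: the first run should show the missing claim type or mapping, the second should report OK.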