App registration metadata
about
When managing enterprise apps in Azure AD there are 2 ways to create and interact with the apps:
- Enterprise apps in Azure AD
- App registration in Azure AD
Every app can be managed from either option, but depending on how it was created you get a different set of options as defaults. In some cases this means you need a few "tricks" to merge the functionality of one into the other.
Examples
- DefectDojo requires this for its automatic group provisioning to work.
Useful properties
groupMembershipClaims
// causes only the groups that are assigned to the application to be passed through to the app on auth.
"groupMembershipClaims": "ApplicationGroup",
display name for group claims
Under token configuration in the app registration, when creating a groups claim, you can choose which identifying property to send from several values, but the option to use "cloud_displayname" is not available in the GUI for the app registration.
Using sAMAccountName here does not seem to work as expected; it probably only works with groups synced from on-prem that have this property.
Name passthrough of cloud-only groups seems to only work with Enterprise apps in Azure AD.
microsoft ref.
By changing this property under additionalProperties to cloud_displayname you will enable the same functionality as is available for Enterprise apps in Azure AD.
// causes the groups claim in the ID token to carry the cloud display name of each group instead of the object ID.
"optionalClaims": {
    "idToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "cloud_displayname"
            ]
        }
    ]
}
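The two manifest fragments above (groupMembershipClaims and the groups optional claim) are the settings to check on every app registration that relies on group-based provisioning. The script below is an added example, not part of the original note or of DefectDojo: it audits an application object as returned by Microsoft Graph against those two settings, builds the PATCH body that moves it to the desired state while keeping any other optional claims intact, and shows the Graph call that applies it. The Graph endpoint and the property names are real; the sample application object, its placeholder object id and the function names are constructed for the example.

```python
"""Audit and patch the group-claim settings of an Azure AD app registration.

Added example (not from the original note). The Microsoft Graph `applications`
resource and the properties `groupMembershipClaims` / `optionalClaims` are real;
the sample application object and the placeholder object id are constructed.
"""
import copy
import json
from typing import Any, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Target state from the note: only groups assigned to the app are emitted,
# and the groups claim in the ID token carries the cloud display name.
DESIRED_GROUP_CLAIMS = "ApplicationGroup"
DESIRED_GROUPS_CLAIM = {
    "name": "groups",
    "source": None,
    "essential": False,
    "additionalProperties": ["cloud_displayname"],
}


def find_groups_claim(app: Dict[str, Any], token: str = "idToken") -> Optional[Dict[str, Any]]:
    """Return the 'groups' optional claim for the given token type, if present."""
    claims = (app.get("optionalClaims") or {}).get(token) or []
    return next((c for c in claims if c.get("name") == "groups"), None)


def audit(app: Dict[str, Any]) -> List[str]:
    """List deviations from the desired group-claim configuration.

    An empty list means the app registration already matches the note's setup.
    """
    findings: List[str] = []
    gmc = app.get("groupMembershipClaims")
    if gmc != DESIRED_GROUP_CLAIMS:
        findings.append(f"groupMembershipClaims is {gmc!r}, expected {DESIRED_GROUP_CLAIMS!r}")
    claim = find_groups_claim(app)
    if claim is None:
        findings.append("no 'groups' optional claim on the idToken")
    elif "cloud_displayname" not in (claim.get("additionalProperties") or []):
        findings.append("'groups' claim on idToken lacks additionalProperties cloud_displayname")
    return findings


def build_patch(app: Dict[str, Any]) -> Dict[str, Any]:
    """Build the PATCH body that moves `app` to the desired state.

    Optional claims on other token types (accessToken, saml2Token) are kept;
    only the idToken 'groups' entry is replaced or appended.
    """
    optional = copy.deepcopy(app.get("optionalClaims") or {})
    id_claims = [c for c in optional.get("idToken") or [] if c.get("name") != "groups"]
    id_claims.append(copy.deepcopy(DESIRED_GROUPS_CLAIM))
    optional["idToken"] = id_claims
    return {"groupMembershipClaims": DESIRED_GROUP_CLAIMS, "optionalClaims": optional}


def apply_patch(object_id: str, body: Dict[str, Any], bearer_token: str) -> int:
    """PATCH the application object via Graph (caller needs Application.ReadWrite.All).

    Network call; not exercised by the offline check below. Returns the HTTP status
    (204 No Content on success).
    """
    import urllib.request
    req = urllib.request.Request(
        f"{GRAPH}/applications/{object_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample: an app registration as the portal creates it by default,
# emitting every security group of the user and no display-name property.
SAMPLE_APP = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    "displayName": "defectdojo-sample",
    "groupMembershipClaims": "SecurityGroup",
    "optionalClaims": {
        "idToken": [{"name": "groups", "source": None, "essential": False, "additionalProperties": []}],
        "accessToken": [],
        "saml2Token": [],
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_APP):
        print("finding:", finding)
    print(json.dumps(build_patch(SAMPLE_APP), indent=2))
```

Run it as-is to see the two findings for the sample and the PATCH body; to apply the change for real, fetch the application object with a Graph token, pass it through `audit` and `build_patch`, and call `apply_patch` with the object id (not the client/app id) of the registration.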