sAMAccountName and on-premises GroupSID attributes are available only on group objects synced from Active Directory. They aren't available on groups created in Azure AD or Office 365. Applications configured in Azure AD to receive synced on-premises group attributes get them for synced groups only.

Options for applications to consume group information

Applications can call the Microsoft Graph groups endpoint to obtain group information for the authenticated user. This call ensures that all the groups where the user is a member are available, even when a large number of groups is involved, so group enumeration is independent of limitations on token size. However, if an existing application expects to consume group information via claims, you can configure Azure AD to emit group claims in various formats.

When you're using group membership for in-application authorization, it's preferable to use the group ObjectID attribute: it is immutable and unique in Azure AD. If you're using the on-premises group sAMAccountName attribute for authorization, use domain-qualified names. sAMAccountName is unique within a single Active Directory domain, but if more than one Active Directory domain is synchronized with an Azure AD tenant, two groups from different domains can have the same name.

Consider using application roles to provide a layer of indirection between group membership and the application.
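The following is an added example, not code from the Microsoft documentation, that puts the three recommendations above into one authorization path: use the groups claim when the token carries it, enumerate via Microsoft Graph when it does not, authorize on the immutable group ObjectID rather than a bare sAMAccountName, and put application roles between the group IDs and the permission check. The Graph call is modelled as an injected callable so the module runs offline; the token payloads, the Graph response objects, the `_claim_names` overage indicator, the Graph property names (`onPremisesSamAccountName`, `onPremisesDomainName`, `onPremisesSyncEnabled`) and the role map are all constructed or assumed for illustration. The two synced "Finance" groups from different domains show why an unqualified sAMAccountName is ambiguous.

```python
"""Group-based authorization for an Azure AD app (added example, not the page's own code)."""
from __future__ import annotations

from typing import Callable, Iterable

# --- Constructed sample data (not real tenant data) -------------------------

# Decoded ID-token payload; signature validation is assumed to have happened upstream.
TOKEN_WITH_GROUPS = {
    "oid": "1f2e3d4c-0000-0000-0000-000000000001",
    "groups": [
        "a1b2c3d4-1111-1111-1111-111111111111",  # synced group "Finance" (corp.example.com)
        "e5f6a7b8-2222-2222-2222-222222222222",  # cloud-only group "Release Managers"
    ],
}

# Same user when the tenant omits the groups claim because of token-size limits.
# Assumed shape: Azure AD replaces the claim with a _claim_names pointer.
TOKEN_OVERAGE = {
    "oid": "1f2e3d4c-0000-0000-0000-000000000001",
    "_claim_names": {"groups": "src1"},
}

# Constructed response of a Graph group-membership query for this user.
GRAPH_MEMBER_OF = [
    {"id": "a1b2c3d4-1111-1111-1111-111111111111", "displayName": "Finance",
     "onPremisesSyncEnabled": True, "onPremisesSamAccountName": "Finance",
     "onPremisesDomainName": "corp.example.com"},
    {"id": "c9d8e7f6-3333-3333-3333-333333333333", "displayName": "Finance",
     "onPremisesSyncEnabled": True, "onPremisesSamAccountName": "Finance",
     "onPremisesDomainName": "sub.example.com"},   # same sAMAccountName, other domain
    {"id": "e5f6a7b8-2222-2222-2222-222222222222", "displayName": "Release Managers",
     "onPremisesSyncEnabled": None, "onPremisesSamAccountName": None,
     "onPremisesDomainName": None},                # cloud-only: no on-prem attributes
]

# App-role indirection (hypothetical role names): the app checks roles; which group
# ObjectIDs map to a role is configuration that can change without code changes.
ROLE_TO_GROUP_IDS: dict[str, set[str]] = {
    "invoice.approve": {"a1b2c3d4-1111-1111-1111-111111111111"},
    "release.publish": {"e5f6a7b8-2222-2222-2222-222222222222"},
}


def group_ids(token: dict, fetch_member_of: Callable[[], Iterable[dict]]) -> set[str]:
    """Return the user's group ObjectIDs.

    Prefer the groups claim when the token carries it; otherwise (overage, or the app
    was never configured for group claims) enumerate membership through Graph so the
    result does not depend on token-size limits.
    """
    if "groups" in token:
        return set(token["groups"])
    return {g["id"] for g in fetch_member_of()}


def bare_sam_names(groups: Iterable[dict]) -> list[str]:
    """Unqualified sAMAccountNames of synced groups: shows the cross-domain collision."""
    return [g["onPremisesSamAccountName"] for g in groups if g.get("onPremisesSamAccountName")]


def domain_qualified_names(groups: Iterable[dict]) -> set[str]:
    """DOMAIN\\sAMAccountName for synced groups only; cloud-only groups have no such name."""
    names: set[str] = set()
    for g in groups:
        if g.get("onPremisesSyncEnabled") and g.get("onPremisesSamAccountName"):
            names.add(f"{g['onPremisesDomainName']}\\{g['onPremisesSamAccountName']}")
    return names


def roles_for(group_object_ids: set[str]) -> set[str]:
    """Map group ObjectIDs to app roles; a role is granted if any of its groups match."""
    return {role for role, gids in ROLE_TO_GROUP_IDS.items() if gids & group_object_ids}


def authorize(token: dict, fetch_member_of: Callable[[], Iterable[dict]], required_role: str) -> bool:
    """Decide access on an app role, resolved from group ObjectIDs, never from names."""
    return required_role in roles_for(group_ids(token, fetch_member_of))


if __name__ == "__main__":
    graph = lambda: GRAPH_MEMBER_OF  # stand-in for the real Graph call
    print("collision:", bare_sam_names(GRAPH_MEMBER_OF))        # ['Finance', 'Finance']
    print("qualified:", sorted(domain_qualified_names(GRAPH_MEMBER_OF)))
    print("overage token, invoice.approve:", authorize(TOKEN_OVERAGE, graph, "invoice.approve"))
    print("claims token, release.publish:", authorize(TOKEN_WITH_GROUPS, graph, "release.publish"))
```

Note that `roles_for` only ever compares ObjectIDs, so renaming a group, or a second synced domain adding a group with the same sAMAccountName, cannot change who holds `invoice.approve`; the name-based helpers exist only for legacy applications that still key on sAMAccountName, and even then the domain-qualified form keeps the two "Finance" groups distinct.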