The number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT, including nested groups. In larger organizations, the number of groups where a user is a member might exceed the limit that Microsoft Entra ID applies before emitting groups claims in a token. Exceeding this limit will cause Microsoft Entra ID to completely omit sending group claims in the token. For workarounds to these limits, read more in Important caveats for this functionality.
However, this is significantly reduced later on (emphasis added):
Group claims have a five-group limit if the token is issued through the implicit flow. Tokens requested via the implicit flow will have a "hasgroups":true claim only if the user is in more than five groups.
And they go on to recommend the use of Application Roles instead:
We recommend basing in-app authorization on application roles rather than groups when:
You're developing a new application, or an existing application can be configured for it.
Support for nested groups isn't required.
Using application roles limits the amount of information that needs to go into the token, is more secure, and separates user assignment from app configuration.
I'm going to take a look at adding Role support in, as that's what we'd been using on our internal version.
If a user is a member of several groups, the following claim is returned:
"hasgroups": "true",
So the mappings do not work correctly; it's up to the app to use the Graph API to retrieve the user's groups.
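The claim-handling logic the thread is circling around, as an added example that is not code from this project or from any commenter: decode the token's payload, prefer the `roles` claim, use `groups` when it is present, and treat either `"hasgroups": "true"` (a string, as in the comment above, or a boolean as in the Microsoft doc) or a `_claim_names` entry for `groups` (Entra ID's overage indicator for non-implicit flows, which the thread does not mention) as the signal to fall back to the Graph API. The sample payload is constructed, not a real token; `fetch_from_graph` is a hypothetical callback standing in for a call to Microsoft Graph (for example `GET https://graph.microsoft.com/v1.0/me/memberOf`), so the block runs offline.

```python
import base64
import json

# Constructed sample payload (not a real token): the user is in more than five
# groups and the token came through the implicit flow, so Entra ID emits
# "hasgroups" instead of a "groups" list. Comment above shows it as a string.
SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "oid": "11111111-1111-1111-1111-111111111111",
    "hasgroups": "true",
}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Only call this after your OIDC library has validated the token; this is
    for reading claims the library does not expose, not for authentication.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature for the offline sample."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


def groups_overage(claims: dict) -> bool:
    """True when Entra ID signalled that groups were omitted from the token.

    Implicit flow: "hasgroups": true (boolean) or "true" (string, as observed
    in this thread). Other flows: "_claim_names": {"groups": ...} pointing at a
    Graph endpoint in "_claim_sources" (Microsoft's documented overage form).
    """
    if str(claims.get("hasgroups", "")).lower() == "true":
        return True
    claim_names = claims.get("_claim_names")
    return isinstance(claim_names, dict) and "groups" in claim_names


def resolve_authorization_groups(claims: dict, fetch_from_graph):
    """Return (source, names) describing where the app's group list came from.

    Order follows Microsoft's recommendation: app roles first (small, stable,
    separate from group membership), then the in-token "groups" claim, then a
    Graph lookup when the token only carries an overage indicator.
    fetch_from_graph(oid) is a hypothetical callback supplied by the caller.
    """
    if claims.get("roles"):
        return "roles", list(claims["roles"])
    if "groups" in claims:
        return "groups", list(claims["groups"])
    if groups_overage(claims):
        oid = claims.get("oid")
        if not oid:
            raise ValueError("overage indicated but no 'oid' to query Graph with")
        return "graph", list(fetch_from_graph(oid))
    # No roles, no groups, no overage marker: the user simply has none.
    return "none", []


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    claims = decode_claims(token)
    # Constructed stand-in for a Graph memberOf call.
    print(resolve_authorization_groups(claims, lambda oid: ["Readers", "Writers"]))
```

The string-versus-boolean handling matters here: a naive `claims.get("hasgroups") is True` check silently misses the `"true"` string form reported in the thread and the app would conclude the user has no groups at all, which is exactly the "mappings do not work" symptom above. Note also that `decode_claims` deliberately ignores the signature; it must sit behind, never replace, proper token validation.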