Filter Group Claims by DisplayName or SamAccountName #3045

Open
YuriySamorodov opened this issue Nov 30, 2024 · 0 comments
Labels
status:waiting-for-triage An issue that is yet to be reviewed or assigned type:feature New experience request

YuriySamorodov commented Nov 30, 2024

Is your feature request related to a problem? Please describe the problem.

Overview

Microsoft Azure and Microsoft Entra Admin Portals provide robust capabilities for configuring group filtering in SAML and OIDC claims. Administrators can easily tailor access based on specific group attributes, enhancing security and compliance. However, there is a significant gap in functionality when using Microsoft Graph PowerShell cmdlets.

Current Capabilities in Azure and Entra Portals

The Azure Portal allows administrators to configure group claims with advanced filtering options, as outlined below:

  1. Access Your Application:

    • Navigate to the Azure Portal and go to Enterprise Applications.
    • Select the application for which you want to configure group claims.
  2. Configure Single Sign-On (SSO):

    • Under the selected application, go to Single sign-on.
    • Click on User Attributes & Claims.
  3. Add a Group Claim:

    • Click on Add a group claim.
    • In the configuration options, you will have several choices for how to include groups in the SAML token.
  4. Set Filtering Options:

    • In the advanced options, you can specify how you want to filter groups:
      • Choose Only groups assigned to the application if you want to limit claims to specific groups.
      • For custom filtering, select Customize the name of the group claim and enter the claim type you wish to use.
  5. Applying Filters:

    • To filter groups based on sAMAccountName, select Filter groups.
    • You can specify conditions such as:
      • Attribute to Match: Set this to sAMAccountName.
      • Match With: Choose options like "contains" or "starts with".
      • String: Enter the criteria for filtering. For example, if you want groups that contain "test", simply enter test.


Limitations of Microsoft Graph PowerShell Cmdlets

In stark contrast, the GroupClaims parameter of the Update-MgApplication command in Microsoft Graph PowerShell only accepts three basic values: None, SecurityGroup, and All. This limitation prevents administrators from leveraging the advanced filtering capabilities available in the Azure and Entra portals.


Describe the solution you'd like.

Proposed Enhancements

To bridge this gap, we propose the following enhancements:

  1. Multi-Condition Filtering:

    • Enable logical operators (AND, OR) for filtering conditions to allow more complex configurations.
  2. Custom Attribute Matching:

    • Allow filtering based on custom attributes beyond just sAMAccountName.
  3. Advanced Filtering Options:

    • Implement features such as regular expression matching, range queries, and wildcard support.
  4. User Interface Improvements:

    • Enhance the user interface in PowerShell to make it more intuitive for setting up group claims and filters.
  5. Documentation and Support:

    • Provide comprehensive documentation with examples and establish a dedicated support channel for group claim configurations.
  6. Implementation Example:
    I would expand the GroupMembershipClaims parameter schema in the Update-MgApplication cmdlet to make it happen:

{
  "GroupType": [
    "All",
    "None",
    "SecurityGroups"
  ],
  "SourceAttribute": [
    "GroupID",
    "SamAccountName",
    "NetBIOSDomain\\SamAccountName",
    "DNSDomain\\SamAccountName",
    "On Premises Group Security Identifier",
    "GroupID"
  ],
  "Advanced": {
    "Match": [
      "Prefix",
      "Suffix",
      "Contains"
    ],
    "Attribute": [
      "DisplayName",
      "SamAccountName"
    ],
    "value": "Test"
  },
  "GroupClaimName": {
    "Name": "Test",
    "Namespace": "Test",
    "EmitGroupsAsRoleClaims": true,
    "ApplyRegex": true,
    "ExposeClaiminJWT": true
  }
}

Benefits

  • Increased Flexibility: Tailor group claims effectively to meet specific security and compliance requirements.
  • Enhanced Security: Manage access to sensitive applications with more granular control over included groups.
  • Improved User Experience: A more intuitive interface and better documentation will empower administrators to configure settings confidently.

Conclusion

By implementing these enhancements, Microsoft can provide a more robust solution for managing SAML and OIDC claims related to group memberships through both Azure/Entra portals and PowerShell cmdlets. This will improve administrative efficiency and strengthen security protocols across applications relying on these identity solutions.

@YuriySamorodov YuriySamorodov added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:feature New experience request labels Nov 30, 2024
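As an added example that is not part of the issue or of the Microsoft Graph PowerShell SDK, the script below shows what the SDK exposes today for group claims on an app registration: the `GroupMembershipClaims` property (the three values the issue names, plus `ApplicationGroup` for "only groups assigned to the application"), and the source attribute of the emitted `groups` claim via `optionalClaims`. It then reads the settings back so an administrator can confirm that no prefix/suffix/contains filter condition is stored on the application object, which is the gap the issue describes. It assumes the `Microsoft.Graph` module is installed, the caller holds `Application.ReadWrite.All`, and `$AppDisplayName` is a placeholder for the app registration's display name; the hashtable shape passed to `-OptionalClaims` is an assumption based on the Graph `optionalClaims` resource.

```powershell
# Added example (not from the issue): inspect and set the group-claim settings
# that Microsoft Graph PowerShell exposes today. Assumes the Microsoft.Graph
# module is installed and the caller holds Application.ReadWrite.All.
# $AppDisplayName is a placeholder for the app registration's display name.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName
)

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Resolve the app registration (first match if the display name is not unique).
$app = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")[0]
if (-not $app) { throw "No app registration named '$AppDisplayName'." }

# 1. groupMembershipClaims accepts None, SecurityGroup, All (and ApplicationGroup
#    for groups assigned to the app). There is no filter condition here.
Write-Host "Current groupMembershipClaims: $($app.GroupMembershipClaims)"

# Least-privilege default: emit only security groups rather than All.
Update-MgApplication -ApplicationId $app.Id -GroupMembershipClaims "SecurityGroup"

# 2. The claim's source attribute (sAMAccountName instead of the group object ID)
#    is set through optionalClaims.groups additionalProperties; for a SAML app
#    the claim is configured under saml2Token. Hashtable shape is an assumption
#    modelled on the Graph optionalClaims resource.
$optionalClaims = @{
    Saml2Token = @(
        @{
            Name                 = "groups"
            # alternatives: dns_domain_and_sam_account_name, netbios_domain_and_sam_account_name
            AdditionalProperties = @("sam_account_name")
        }
    )
}
Update-MgApplication -ApplicationId $app.Id -OptionalClaims $optionalClaims

# 3. Verify. Note that nothing returned here carries the portal's
#    "Filter groups" condition (attribute, match type, string): the filter has
#    no property on the application object, which is what this issue asks for.
$after = Get-MgApplication -ApplicationId $app.Id `
    -Property "id,displayName,groupMembershipClaims,optionalClaims"
$groupsClaim = $after.OptionalClaims.Saml2Token | Where-Object { $_.Name -eq "groups" }
[pscustomobject]@{
    DisplayName           = $after.DisplayName
    GroupMembershipClaims = $after.GroupMembershipClaims
    GroupsClaimSource     = ($groupsClaim.AdditionalProperties -join ",")
}
```

Run it as `.\Set-GroupClaims.ps1 -AppDisplayName "<your app>"` (file name is the example's own). Keeping `GroupMembershipClaims` at `SecurityGroup` or `ApplicationGroup` rather than `All` limits how many group identifiers a token carries to relying parties, which is also the cheapest mitigation for the token-bloat and over-disclosure problems that the missing filter would otherwise address.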