Getting Azure AD Enterprise Application user group in jwt token using MSAL in C#

Question

I have an application in Vue.js that obtains user/bearer tokens using oidc-client that gives information about the usergroups in a particular Enterprise Application in Azure AD, the current logged in user is part of. We have used the following as the scope scope: `openid email profile api://${APP_CLIENT_ID}/user_access' where APP_CLIENT_ID is the corresponding app registration application/client id. Now we are trying to implement the same from a desktop client app using MSAL but using the same scope with or without the "/.default" suffix provides errors. Also, have tried using "api://Resource URI/.default", which gives the token but does not provide any info on app Usergroups. What should be the correct scope that needs to be used to get the info or is there any other alternative to this?

Answer 1

To fetch the Azure AD group the current logged in user is part of, check the below:

Assign GroupMember.Read.All API permission to the Azure AD Application.

Now, generate access token to call Graph API via Postman like below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

To get the Azure AD group the current logged in user is part of, use the below query:

https://graph.microsoft.com/v1.0/me/memberOf

To fetch the groups assigned to the Azure AD Application, check the below:

Add optional claim in the Azure AD Application:

Now, I generated tokens via Postman using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

When I decoded the token, the groups added to the Application are displayed like below: