
Filter Group Claims by DisplayName or SamAccountName #3045

@YuriySamorodov

Description


Is your feature request related to a problem? Please describe the problem.

Overview

Microsoft Azure and Microsoft Entra Admin Portals provide robust capabilities for configuring group filtering in SAML and OIDC claims. Administrators can easily tailor access based on specific group attributes, enhancing security and compliance. However, there is a significant gap in functionality when using Microsoft Graph PowerShell cmdlets.

Current Capabilities in Azure and Entra Portals

The Azure Portal allows administrators to configure group claims with advanced filtering options, as outlined below:

  1. Access Your Application:

    • Navigate to the Azure Portal and go to Enterprise Applications.
    • Select the application for which you want to configure group claims.


  2. Configure Single Sign-On (SSO):

    • Under the selected application, go to Single sign-on.
    • Click on User Attributes & Claims.
  3. Add a Group Claim:

    • Click on Add a group claim.
    • In the configuration options, you will have several choices for how to include groups in the SAML token.
  4. Set Filtering Options:

    • In the advanced options, you can specify how you want to filter groups:
      • Choose Only groups assigned to the application if you want to limit claims to specific groups.
      • For custom filtering, select Customize the name of the group claim and enter the claim type you wish to use.
  5. Applying Filters:

    • To filter groups based on sAMAccountName, select Filter groups.
    • You can specify conditions such as:
      • Attribute to Match: Set this to sAMAccountName.
      • Match With: Choose options like "contains" or "starts with".
      • String: Enter the criteria for filtering. For example, if you want groups that contain "test", simply enter test.


Limitations of Microsoft Graph PowerShell Cmdlets

In stark contrast, the GroupClaims parameter of the Update-MgApplication command in Microsoft Graph PowerShell only accepts three basic values: None, SecurityGroup, and All. This limitation prevents administrators from leveraging the advanced filtering capabilities available in the Azure and Entra portals.
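As an added illustration of the limitation described above (this is example code, not the issue author's and not part of the Microsoft Graph PowerShell SDK), the following wrapper shows the whole of what the cmdlet can express today: one of three mode strings, with a read-back so the operator can confirm the write landed. It assumes the Microsoft.Graph.Applications module is installed and that Connect-MgGraph has already been run with a scope that permits updating applications; the object id in the example call is a placeholder.

```powershell
# Added example; not from the issue author or the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Applications is installed and Connect-MgGraph has already
# been run with a scope that allows updating applications (e.g. Application.ReadWrite.All).
# $ApplicationObjectId is the application's object id, not its appId (client id).

function Set-GroupMembershipClaimMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ApplicationObjectId,

        # Mirrors the three values the parameter accepts today, as the issue describes.
        [Parameter(Mandatory)] [ValidateSet('None', 'SecurityGroup', 'All')] [string] $Mode
    )

    $before = Get-MgApplication -ApplicationId $ApplicationObjectId `
        -Property 'id', 'displayName', 'groupMembershipClaims'

    if ($PSCmdlet.ShouldProcess($before.DisplayName, "Set groupMembershipClaims to '$Mode'")) {
        Update-MgApplication -ApplicationId $ApplicationObjectId -GroupMembershipClaims $Mode
    }

    # Read the value back rather than trusting the write; Update-MgApplication
    # returns nothing by default, so this is the only confirmation available.
    $after = Get-MgApplication -ApplicationId $ApplicationObjectId -Property 'groupMembershipClaims'

    [pscustomobject]@{
        DisplayName = $before.DisplayName
        Before      = $before.GroupMembershipClaims
        After       = $after.GroupMembershipClaims
        Applied     = ($after.GroupMembershipClaims -eq $Mode)
    }
}

# Example call; the object id is a placeholder. -WhatIf previews without writing.
# Set-GroupMembershipClaimMode -ApplicationObjectId '00000000-0000-0000-0000-000000000000' -Mode SecurityGroup -WhatIf
```

Note that neither `SecurityGroup` nor `All` narrows the emitted groups by name or attribute: `All` emits every group the user belongs to, so the per-application trimming the portal offers (and this issue asks for) cannot be scripted this way and currently has to be configured through the portal steps listed above.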


Describe the solution you'd like.

Proposed Enhancements

To bridge this gap, we propose the following enhancements:

  1. Multi-Condition Filtering:

    • Enable logical operators (AND, OR) for filtering conditions to allow more complex configurations.
  2. Custom Attribute Matching:

    • Allow filtering based on custom attributes beyond just sAMAccountName.
  3. Advanced Filtering Options:

    • Implement features such as regular expression matching, range queries, and wildcard support.
  4. User Interface Improvements:

    • Enhance the user interface in PowerShell to make it more intuitive for setting up group claims and filters.
  5. Documentation and Support:

    • Provide comprehensive documentation with examples and establish a dedicated support channel for group claim configurations.
  6. Implementation Example:
    I would expand the GroupMembershipClaims parameter schema in the Update-MgApplication cmdlet to make it happen:

{
  "GroupType": [
    "All",
    "None",
    "SecurityGroups"
  ],
  "SourceAttribute": [
    "GroupID",
    "SamAccountName",
    "NetBIOSDomain\\SamAccountName",
    "DNSDomain\\SamAccountName",
    "On Premises Group Security Identifier"
  ],
  "Advanced": {
    "Match": [
      "Prefix",
      "Suffix",
      "Contains"
    ],
    "Attribute": [
      "DisplayName",
      "SamAccountName"
    ],
    "value": "Test"
  },
  "GroupClaimName": {
    "Name": "Test",
    "Namespace": "Test",
    "EmitGroupsAsRoleClaims": true,
    "ApplyRegex": true,
    "ExposeClaiminJWT": true
  }
}
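To make the semantics of the proposed "GroupType" and "Advanced" blocks concrete, here is an added, locally runnable evaluator (example code, not the issue author's and not anything the Graph SDK implements) that applies such a configuration to a constructed list of groups and reports which ones would be emitted in the token. It assumes the matching is case-insensitive, as the portal's "contains"/"starts with" options are, and that "SecurityGroups" means security-enabled groups only; the group objects and names are constructed sample data.

```powershell
# Added example; not from the issue author or the Graph SDK. It evaluates the proposed
# GroupMembershipClaims schema locally so the effect of a filter can be previewed
# before anything is written to an application.

# A configuration in the shape the issue proposes (hashtable stand-in for the JSON).
$ProposedClaimConfig = @{
    GroupType = 'SecurityGroups'
    Advanced  = @{ Match = 'Contains'; Attribute = 'DisplayName'; value = 'Test' }
}

# Constructed sample groups; not real tenant data.
$SampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Test Users';      SamAccountName = 'testusers';  SecurityEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'Contest Judges';  SamAccountName = 'contest-j';  SecurityEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'Finance Admins';  SamAccountName = 'fin-admins'; SecurityEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'Test Newsletter'; SamAccountName = 'test-news';  SecurityEnabled = $false }
)

function Test-GroupClaimMatch {
    # Applies one "Advanced" rule (Match + Attribute + value) to a single group.
    param(
        [Parameter(Mandatory)] $Group,
        [Parameter(Mandatory)] [hashtable] $Advanced,
        [switch] $CaseSensitive   # assumption: portal matching is case-insensitive by default
    )
    $attr   = [string]$Group.($Advanced.Attribute)
    $needle = [string]$Advanced.value
    $cmp    = if ($CaseSensitive) { [System.StringComparison]::Ordinal }
              else                { [System.StringComparison]::OrdinalIgnoreCase }

    switch ($Advanced.Match) {
        'Prefix'   { return $attr.StartsWith($needle, $cmp) }
        'Suffix'   { return $attr.EndsWith($needle, $cmp) }
        'Contains' { return $attr.IndexOf($needle, $cmp) -ge 0 }
        default    { throw "Unsupported Match value '$($Advanced.Match)'" }
    }
}

function Select-ClaimGroups {
    # Narrows by GroupType first, then by the Advanced rule if one is present.
    param(
        [Parameter(Mandatory)] [hashtable] $Config,
        [Parameter(Mandatory)] [object[]]  $Groups
    )
    $candidates = switch ($Config.GroupType) {
        'None'           { @() }
        'SecurityGroups' { $Groups | Where-Object SecurityEnabled }
        'All'            { $Groups }
        default          { throw "Unsupported GroupType '$($Config.GroupType)'" }
    }
    if ($Config.Advanced) {
        $candidates = $candidates | Where-Object { Test-GroupClaimMatch -Group $_ -Advanced $Config.Advanced }
    }
    return @($candidates)
}

# Preview: 'Contains Test' on DisplayName emits 'Test Users' and also 'Contest Judges',
# while 'Test Newsletter' is dropped because it is not security-enabled.
Select-ClaimGroups -Config $ProposedClaimConfig -Groups $SampleGroups |
    Select-Object DisplayName, SamAccountName
```

The preview makes the practical point of the "Match" option visible: a substring rule such as "contains Test" also admits unrelated groups whose names happen to contain the string (here "Contest Judges"), which means an application receives group claims its owners did not intend. A "Prefix" rule on SamAccountName, combined with a deliberate naming convention for the groups that should reach the application, keeps the emitted set tight; previewing the result against the directory before applying it, as this function does, is the check worth building into any scripted rollout of the feature.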

Benefits

  • Increased Flexibility: Tailor group claims effectively to meet specific security and compliance requirements.
  • Enhanced Security: Manage access to sensitive applications with more granular control over included groups.
  • Improved User Experience: A more intuitive interface and better documentation will empower administrators to configure settings confidently.

Conclusion

By implementing these enhancements, Microsoft can provide a more robust solution for managing SAML and OIDC claims related to group memberships through both Azure/Entra portals and PowerShell cmdlets. This will improve administrative efficiency and strengthen security protocols across applications relying on these identity solutions.
