Tags: azure, azure-active-directory, expressions, scim

Azure AD SCIM Attribute Mapping - Group Membership Expression


I would like to create an expression for SCIM attribute mapping in Azure AD to pass a value to an attribute of the receiving application based on the user membership to a specific AD group.

The below expression, for example, passes value New to the attribute userType of the receiving application if the value of the Azure AD attribute user.department equals to hr_new, and passes the value Old if not.

IIF([department]="new_hr", "New", "Old")

See example settings below:

[screenshot of the attribute mapping settings not included]

However, I haven't been able to query or check the group membership of a user in an expression in Azure AD. I would like to create an expression that checks if the user is a member of group abc; if true, it should pass the value X, and if false, it should pass the value Y.

Any ideas how this could be done?


Solution

  • As advised by @ZollnerdMSFT, querying AD Group membership directly using Expressions is not possible at the moment in Azure. The solution was to use App roles. I added new App roles to the enterprise application in Azure and then assigned the desired app role to each Group. Users within the AD Group(s) inherit the app role assigned to the Group(s) they belong to.

    These inherited App roles can then be queried using Expressions. I then wrote an Expression to get the app roles that the user inherited and returned the desired value based on the app roles the user has - which implicitly reflects the user's Group membership(s).
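As an added illustration of the approach described in this answer (not the poster's own expression), the following Azure AD provisioning expressions read the app role a user inherited through a group assignment and map it to the value sent to the target application. The app role names `abc-members` and `def-members` and the output values `X`, `Y` and `Z` are assumed for the example; the role names must match the `value` of the app roles defined on the enterprise application, and `SingleAppRoleAssignment` assumes each user is assigned at most one role for the app.

```text
# One group/role: send X when the user inherited the "abc-members" app role, otherwise Y.
# [appRoleAssignments] is the user's role assignments for this application.
IIF(SingleAppRoleAssignment([appRoleAssignments])="abc-members", "X", "Y")

# Several groups/roles: Switch takes the value to test, a default, then key/value pairs.
# Users with no matching role (including users with no role at all) get the default "Y".
Switch(SingleAppRoleAssignment([appRoleAssignments]), "Y", "abc-members", "X", "def-members", "Z")
```

Because provisioning only sees users who are in scope of the app assignment, a user who is in the AD group but whose group is not assigned an app role is not distinguished from a user outside the group; both fall through to the default value. If a user can legitimately hold more than one app role, check the provisioning logs for the mapped value, since a single-role function will not reflect all of the user's memberships.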