AAD group claims in real estate

We use two users, rapstaff and rapagent, from a given AAD tenant and a common namespace within that tenant: rapmlsqa.com.


When users sign in via the federated management process, their AAD record is updated, including the leaf groups to which they belong, for example billtypeA.

We then define a super group, for example billtypeB. B includes whatever A includes, plus some nominated users.

In our case, we have rapstaff in billtypeA, and define B to include A and rapagent. Thus B is in effect rapstaff and rapagent. Note, though, that the inclusion relationship is not symmetric: membership of B does not imply membership of A.


When we run the sample code at https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet, we get to see what happens when rapagent shares a task with group A.

Then rapstaff shares with group B (noting that the display already shows the task shared with those in A, by rapagent).



If we log on as rapagent, we see the sharing just accomplished:


One notes that this particular app design presents shared objects that one does not own in a form that does not allow one to share them further.

If we use a user from a different tenant (rapstaff@metrolistrapmlsqa.com)




If we add rapstaff@metrolistmlsqa.com to the billtypeB group



we see suddenly that the task shared with the metrolist rapstaff includes:


(after a sign-out/sign-in process, which refreshes the group claims in the user's session)

When we look at the JWT that is the id token, we see that the group claims are present, as OIDs (group object ids) rather than group names.


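As an added illustration (not code from this post or from the linked sample), the following Python models the two behaviours the walkthrough relies on: nested group membership flattening into the token's groups claim, and a shared task being visible to anyone whose token carries the shared group's OID. The OIDs, the user names' claims and the unsigned token are constructed placeholders; the overage check assumes AAD's standard _claim_names behaviour when too many groups exist to embed.

```python
import base64
import json

# Constructed placeholder OIDs; AAD issues group claims as object ids, not names.
GROUP_A = "aaaaaaaa-0000-0000-0000-000000000001"  # billtypeA
GROUP_B = "bbbbbbbb-0000-0000-0000-000000000002"  # billtypeB

# Nesting as set up in the post: billtypeB includes billtypeA, not vice versa.
INCLUDES = {GROUP_B: {GROUP_A}}

def effective_groups(direct_groups, includes=INCLUDES):
    """Flatten nested membership the way the token presents it:
    a user placed in A also carries every group that transitively
    includes A; the relation is one-directional."""
    result = set(direct_groups)
    changed = True
    while changed:
        changed = False
        for parent, children in includes.items():
            if parent not in result and children & result:
                result.add(parent)
                changed = True
    return result

def decode_payload(id_token):
    """Claims of a compact JWT. Inspection only: a relying party must
    validate signature and issuer before trusting any claim."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def token_groups(claims):
    """Group OIDs in the token; a missing groups claim alongside
    _claim_names means AAD hit the overage limit and the groups must
    be fetched from Graph instead of read from the token."""
    if "groups" in claims:
        return set(claims["groups"])
    if "_claim_names" in claims:
        raise ValueError("group overage: groups not embedded in token")
    return set()

def can_see_task(claims, shared_with_oids):
    """A task shared with a group is visible to anyone carrying that OID."""
    return bool(token_groups(claims) & set(shared_with_oids))

def make_constructed_token(upn, groups):
    """Unsigned token with a constructed payload, for offline use only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'upn': upn, 'groups': sorted(groups)})}."
```

Running rapstaff (placed only in A) through effective_groups yields both A and B, while rapagent (placed only in B) yields B alone, which is the asymmetry the post points out.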
About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in Azure AD.