Azure AD中的Phantom组成员身份 [英] Phantom Group Membership in Azure AD

问题描述

我有一个长期运行的应用程序，该应用程序将FederatedAuthentication与Azure AD结合使用来管理基于声明的身份.我的应用程序清单设置为列出用户的所有SecurityGroup(这样我就可以浏览他们所属的组的列表).

I have a long-running application that uses FederatedAuthentication with Azure AD to manage claims-based identities. My application manifest is set to list all SecurityGroups for a user (so I can walk the list of groups they are members of).

在该应用程序中，我有一个用户，该用户是单个顶级组的成员.该组不是任何其他成员.以前，当用户登录时，他们的ClaimsPrincipal上只会附加一个http://schemas.microsoft.com/ws/2008/06/identity/claims/groups值，可以正确显示他们所属的单个组.

Within that application I have a user that is a member of a single top-level group. That group is not a member of any other. Previously, when the user logged in, there would be only a single http://schemas.microsoft.com/ws/2008/06/identity/claims/groups value attached to their ClaimsPrincipal, correctly displaying the single group they are a member of.

最近(过去几天)我的用户登录时，有两个http://schemas.microsoft.com/ws/2008/06/identity/claims/groups值.其中一个仍然对应于它们所属的组，但是新的组与我的活动目录(或我可以看到的任何其他对象)中任何可见组的ID不匹配:没有应用程序ID，也没有其他用户ID ).

As of recently (past few days) when my user logs in, there are two http://schemas.microsoft.com/ws/2008/06/identity/claims/groups values. One of these still corresponds to the group they are a member of, but the new one does not match the id of any visible group in my active directory (or any other object that I can see: no application ID, and no other user ID).

这个幻影组成员身份从何而来，我有什么办法可以删除它?

Where could this phantom group membership have come from, and is there any way I can remove it?

更新-应用程序清单中的groupMembershipClaims设置为SecurityGroup(不是All).

Update - groupMembershipClaims in the Application manifest is set to SecurityGroup (not All).

推荐答案

在我的测试中，组声明将返回当前用户所属的Groups和DirectoryRoles的集合，结果类似于使用memberOf天青广告图API:

In my testing , the group claims will return a collection of the Groups and DirectoryRoles that current user is a member of , the result is similar to use memberOf azure ad graph api :

https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

以上api的结果:

The result with above api:

即使我将groupMembershipClaims设置为SecurityGroup，我在具有组声明的令牌中也获得了相同的三个记录(2个组和1个目录角色).我的帐户是我的AAD中的全局管理员.如果我将帐户设置为用户目录角色(非管理员角色)，则在我的组声明中我只会得到两个组记录.

Even if i set groupMembershipClaims to SecurityGroup , i get the same three records(2 groups and 1 directory role) in my token with group claims . My account is a global administrator in my AAD . If i set the account to user directory role(non admin role) , then i only get two group records in my group claims .

使用azure广告图api来获取用户具有直接或传递成员资格的所有组，我们可以调用

With azure ad graph api , to get all of the groups that the user has direct or transitive membership in, we could call the getMemberGroups function.

如果您希望组声明仅返回用户具有直接或传递成员资格的返回组，则可以在

If you want group claims only return groups that the user has direct or transitive membership in , you could send your feedback in AAD userVoice .

这篇关于Azure AD中的Phantom组成员身份的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！