[Bug] Using WAM, no groups are returned in an ID Token #4134
Description
Logs and network traces
Without logs or traces, it is unlikely that the team can investigate your issue. Capturing logs and network traces is described in Logging wiki.
Which version of MSAL.NET are you using?
MSAL.NET 4.54
Platform
Windows .NET Framework 4.8
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Authentication
- Username Password
- Device code flow (browserless)
- Web app
- Authorization code
- On-Behalf-Of
- Daemon app
- Service to Service calls
Other?
ID Token is customized to include all security groups, distribution groups, and Azure AD roles. When using WAM, only the wids claim is included. When not using WAM, all groups are included.
Is this a new or existing app?
Existing demo app. https://github.com/kylemar/BestPracticesDemo
Repro
Code is at https://github.com/kylemar/BestPracticesDemo
1. Start the app and leave "Account" set to "Windows User".
2. Sign in with an account that is a member of at least one but fewer than 200 groups.
3. Notice that there are no group claims in the token.
4. Sign out.
5. Clear tokens.
6. Change "Account" to "Any Microsoft Identity".
7. Sign in with the same account.
8. Notice that the group claims are present in the token.
Expected behavior
Group claims should always be in the ID token, regardless of whether WAM is used.
Actual behavior
Group claims are absent from ID tokens when using WAM.
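The two sign-in paths from the repro, written out as an added MSAL.NET example (this is not code from the BestPracticesDemo repository or from MSAL.NET itself). It assumes placeholder client and tenant IDs, the `User.Read` scope, an app registration that has the `groups` optional claim configured for the ID token and the WAM broker redirect URI `ms-appx-web://microsoft.aad.brokerplugin/{client_id}` registered, and that the demo's "Windows User" choice corresponds to `PublicClientApplication.OperatingSystemAccount` with the broker enabled while "Any Microsoft Identity" is a non-brokered interactive sign-in. The `Report` helper is hypothetical and counts group-related claims so the two tokens can be compared side by side; it also checks for the group-overage indicators (`_claim_names`, `hasgroups`) so that an overage is not mistaken for the missing claim the issue describes.

```csharp
// Added example, not part of the original issue or the demo repository.
// NuGet: Microsoft.Identity.Client (4.54), Microsoft.Identity.Client.Broker.
using System;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

class GroupClaimsRepro
{
    const string ClientId = "<your-client-id>";   // placeholder, assumed
    const string TenantId = "<your-tenant-id>";   // placeholder, assumed
    static readonly string[] Scopes = { "User.Read" };

    static async Task Main()
    {
        // Path 1, "Windows User": WAM broker, signed-in OS account.
        var brokered = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            // WAM requires this redirect URI to be registered on the app.
            .WithRedirectUri($"ms-appx-web://microsoft.aad.brokerplugin/{ClientId}")
            .WithParentActivityOrWindow(() => GetConsoleWindow()) // WAM needs a window handle
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
            .Build();

        AuthenticationResult wamResult;
        try
        {
            wamResult = await brokered
                .AcquireTokenSilent(Scopes, PublicClientApplication.OperatingSystemAccount)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable broker session yet: prompt once, still through WAM.
            wamResult = await brokered
                .AcquireTokenInteractive(Scopes)
                .WithAccount(PublicClientApplication.OperatingSystemAccount)
                .ExecuteAsync();
        }
        Report("WAM (OperatingSystemAccount)", wamResult);

        // Path 2, "Any Microsoft Identity": no broker, browser-based interactive sign-in.
        var browser = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithDefaultRedirectUri() // http://localhost for desktop apps
            .Build();

        var browserResult = await browser.AcquireTokenInteractive(Scopes).ExecuteAsync();
        Report("Browser (no broker)", browserResult);
    }

    // Hypothetical helper: summarize group-related claims in the ID token.
    // MSAL exposes the parsed ID token as result.ClaimsPrincipal; JSON array
    // claims such as "groups" and "wids" appear as repeated claims of that type.
    static void Report(string label, AuthenticationResult result)
    {
        ClaimsPrincipal p = result.ClaimsPrincipal;
        int groups = p.FindAll("groups").Count();
        int wids = p.FindAll("wids").Count();
        // Azure AD replaces the group list with an overage indicator when the
        // user is in too many groups; surface it so an overage is not confused
        // with the claim simply being absent.
        bool overage = p.HasClaim(c => c.Type == "_claim_names" || c.Type == "hasgroups");
        Console.WriteLine(
            $"{label}: account={result.Account?.Username}, groups={groups}, wids={wids}, overage={overage}");
    }

    [DllImport("kernel32.dll")]
    static extern IntPtr GetConsoleWindow();
}
```

Run it as a console app on Windows with .NET Framework 4.8 and sign in with the same account on both paths; the `groups` count is what the issue reports as 0 through WAM and non-zero through the browser, while `wids` (directory roles) should be present on both. If `overage` is true on either path, the account exceeds the group limit and the missing list is expected behaviour rather than this bug.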