Missing groups

[stefanoostwegel]

We use Microsoft Entra ID on microsoft azure.
We send all posisble group sin the token, but we keep missing a lot of groups. Some users have over 150 groups! We cannot figer out what to do for the group configuration to arrive completely.
This is the setting:

AUTH_ADFS = {
'AUDIENCE': client_id,
'CLIENT_ID': client_id,
'CLIENT_SECRET': client_secret,
'CLAIM_MAPPING': {'first_name': 'given_name',
'last_name': 'family_name',
'email': 'upn'},
'GROUPS_CLAIM': 'groups',
'MIRROR_GROUPS': True,
'USERNAME_CLAIM': 'upn',
'TENANT_ID': tenant_id,
'RELYING_PARTY_ID': client_id,
'LOGIN_EXEMPT_URLS': [
'^api',
],
}

In Entra ID:

in tokenconfiguration we have the groupclaim:
Securitygroups
Directory roles
All groups
Groups configured for applications

We believe everything is complete, but it turns out that a specific user who has 200 groups according to entra ID, only shows up with 100 groups in Django.
I cannot find something like a cutoff (groups run form a to z) but we are missing vital groups.

Can anyone explain me how we have to fix this, so that everything shows up?

[tim-schilling]

Have you looked at overriding the get_group_memberships_from_ms_graph method here https://github.com/snok/django-auth-adfs/blob/main/django_auth_adfs/backend.py#L110?

[stefanoostwegel]

Thank you so much for the fast reply.
I fiddled around with this, but i couldnt figure out to enforce this.
I tried to enforce this according to: process_user_groups
By having the GROUPS_CLAIM not part of the claims, i would go into the elif on line 239.
But there, i needed to have _claim_names in the claims (i couldn't figure out how to), so i got stuck.
Any suggestion how to change the configuration to make that work?

[tim-schilling]

Did you add the groups claim in Entra for the app registration?

Also you can always override process_user_groups and do something custom as needed.

[stefanoostwegel]

Well, i think i did add the groups claim in Entra for the app registration.
That still doesn't allow me to force the the get_group_memberships_from_ms_graph.
How would the overide work if i want to do that without altering the code?

[tim-schilling]

Sorry, I don't have the time to help implement a custom solution. I believe the hook is available for you to do what you're looking for.

[stefanoostwegel]

I fully understand you don't have time for it.
I'm trying to not customize the implementation, but to use the standard way to always use Microsoft graph.
Based on some settings, i understand the code only uses the JWT. I need to know the default way to use Microsoft graph, since i cannot find that in the documentation.