且构网

How do I check whether a user is in an AD group via Azure AD?

Updated: 2023-02-06 22:39:31

1. Get the group membership claim as part of the token

You can have group claims included in the access token (and ID token) issued for your application by editing the application's manifest (this can be done directly in the Azure Portal) and setting the "groupMembershipClaims" property to "All" or "SecurityGroup" as needed. The default is "None", which is why the claim is absent until you change it.

2. Group IDs are returned as part of the claims

Once the application manifest is updated as described above, the group object IDs arrive as a "groups" array claim in the token. In a decoded JWT the claim is simply a list of GUIDs; note that it carries object IDs only, not display names, so your application must already know the IDs of the groups it cares about.

3. Limit on the number of groups that can be returned as part of the token

To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens, and only 6 when the token is issued through the implicit flow, because it travels in the URL fragment), then Azure AD does not emit the groups claim at all. Instead, it includes an overage claim in the token that tells the application to query the Graph API to retrieve the user's group membership: for JWTs this is a "_claim_names" entry mapping "groups" to a "_claim_sources" endpoint (in the implicit flow the token instead carries "hasgroups": true). An application that only looks for the "groups" claim and treats its absence as "no groups" will silently deny access to exactly the heavily-entitled users, so the overage case must be handled explicitly.

4. Related Microsoft Graph APIs

NOTE: Working with the Microsoft Graph APIs can be pretty powerful, since you can get around overage scenarios as well as get all other kinds of information about groups if needed (like the name). In this particular case, since the intent is to validate group membership, the group object ID is the best field to compare on, because it never changes for the lifetime of the group, while other attributes like the display name can be edited and are not unique, so authorizing on a name is fragile. Whichever route you take, validate the token's signature, issuer, audience and expiry before trusting any claim in it.

Check member groups

This one will be helpful if you already know the groups that you want to check/validate membership in.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups

In the request body you provide groupIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified per request, so a longer candidate list has to be split across several calls. The check is transitive (nested group membership counts), and the response is the subset of the supplied IDs that the user is a member of.

    {
      "groupIds": [
        "fee2c45b-915a-4a64-b130-f4eb9e75525e",
        "4fe90ae0-65a-478b-9400-e0a0e1cbd540"
      ]
    }

user: getMemberGroups

This one will be helpful if you don't already know the group and want to get all the groups that this user belongs to. The request body takes a required boolean, "securityEnabledOnly", and the response is the list of object IDs of all groups the user is a (transitive) member of.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups
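Putting steps 2 to 4 together: the following is an added example (not code from the original answer or from Microsoft) showing how an API would read the "groups" claim from an already-validated token, detect the overage case described in step 3, and fall back to the checkMemberGroups request from step 4 while respecting its 20-ID limit. The token payloads, group IDs, user names and the `graph_lookup` callback are constructed/hypothetical; in a real service the callback would perform the HTTP POSTs that `check_member_groups_requests` builds, using an app token with the appropriate Graph permission.

```python
import json
from typing import Callable, Iterable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
CHECK_MEMBER_GROUPS_MAX = 20  # documented per-request limit for checkMemberGroups

# Constructed sample payloads of decoded JWT access tokens (illustrative only).
# Signature, issuer, audience and expiry are assumed to have been validated
# already; nothing below should run on an unverified token.
TOKEN_WITH_GROUPS = {
    "aud": "api://example-app",
    "oid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@contoso.example",
    "groups": [
        "fee2c45b-915a-4a64-b130-f4eb9e75525e",
        "0b7f6c52-3a4d-4f2e-9d27-5a1c2f6e8b90",
    ],
}

TOKEN_WITH_OVERAGE = {
    "aud": "api://example-app",
    "oid": "66666666-7777-8888-9999-000000000000",
    "upn": "bob@contoso.example",
    # Shape Azure AD uses past the overage limit: no "groups" claim, but
    # _claim_names/_claim_sources point the app at Graph (endpoint constructed).
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://example.invalid/getMemberObjects"}},
}

# Hypothetical callback: given a user and <=20 candidate group IDs, perform the
# checkMemberGroups POST and return the IDs Graph confirms membership in.
GraphLookup = Callable[[str, list[str]], list[str]]


def groups_from_token(payload: dict) -> tuple[list[str], bool]:
    """Return (group_ids, overage).

    group_ids is the lower-cased "groups" claim, or [] when absent.
    overage is True when the claim is missing because the user exceeds the
    limit, which Azure AD signals via "groups" in _claim_names.
    """
    if "groups" in payload:
        return [g.lower() for g in payload["groups"]], False
    overage = "groups" in payload.get("_claim_names", {})
    return [], overage


def check_member_groups_requests(user: str, group_ids: Iterable[str]) -> list[tuple[str, dict]]:
    """Build (url, body) pairs for POST /users/{user}/checkMemberGroups,
    splitting the candidate list into chunks of at most 20 group IDs."""
    ids = [g.lower() for g in group_ids]
    url = f"{GRAPH}/users/{user}/checkMemberGroups"
    return [
        (url, {"groupIds": ids[i:i + CHECK_MEMBER_GROUPS_MAX]})
        for i in range(0, len(ids), CHECK_MEMBER_GROUPS_MAX)
    ]


def is_member_of_any(payload: dict, required_group_ids: Iterable[str],
                     graph_lookup: Optional[GraphLookup] = None) -> bool:
    """True if the token's subject is in at least one required group.

    Uses the in-token claim when present. On overage it consults Graph through
    graph_lookup, chunking the required IDs to the 20-per-call limit, and
    fails closed when no lookup is available rather than treating a missing
    claim as "no groups".
    """
    required = {g.lower() for g in required_group_ids}
    groups, overage = groups_from_token(payload)
    if not overage:
        return not required.isdisjoint(groups)
    if graph_lookup is None:
        return False  # cannot prove membership: deny
    user = payload.get("oid") or payload["upn"]
    for _url, body in check_member_groups_requests(user, sorted(required)):
        if graph_lookup(user, body["groupIds"]):
            return True
    return False


if __name__ == "__main__":
    admins = ["fee2c45b-915a-4a64-b130-f4eb9e75525e"]
    print("alice admin:", is_member_of_any(TOKEN_WITH_GROUPS, admins))
    print("bob admin (no Graph):", is_member_of_any(TOKEN_WITH_OVERAGE, admins))
    for url, body in check_member_groups_requests("bob@contoso.example", admins):
        print("POST", url, json.dumps(body))
```

The comparison is done on lower-cased object IDs, since GUID casing is not guaranteed to match between what you configured and what the token or Graph returns; the fail-closed branch is the one that matters in production, because the overage case is exactly where the most privileged users end up.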

Here is another related SO post.