Qlik Sense SaaS - Azure AD groups limitation per user

Alexis_Touet
Former Employee


In larger organizations, the number of groups a user is a member of may exceed the limit that Azure Active Directory will add to a token: 150 groups for a SAML token and 200 for a JWT.

Environment

 

Solution

Qlik Cloud does not read the groups from the ID token returned by Azure. Instead, it fetches the groups for the user from the MS Graph API (a maximum of 1000 groups is fetched).

The groups are fetched from the following endpoint. Nested groups are not supported.

https://docs.microsoft.com/en-us/graph/api/user-list-memberof
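
To check in advance whether a user is affected by these limits, the paged `memberOf` response can be walked and the group objects counted. The sketch below is an added example, not Qlik's or Microsoft's code; the `fetch` callable (an authenticated GET returning parsed JSON), the user name and the sample pages are assumptions constructed for illustration.

```python
from typing import Callable, Dict, Iterator

# Limits as stated in this article.
SAML_TOKEN_LIMIT = 150    # groups Azure AD adds to a SAML token
JWT_TOKEN_LIMIT = 200     # groups Azure AD adds to a JWT
GRAPH_FETCH_LIMIT = 1000  # groups fetched through the MS Graph API
GROUP_TYPE = "#microsoft.graph.group"


def iter_member_of(first_url: str, fetch: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every directory object, following @odata.nextLink across pages."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page


def audit_groups(first_url: str, fetch: Callable[[str], Dict]) -> Dict:
    """Count direct group memberships and compare them with each limit."""
    # memberOf also returns directory roles and administrative units; skip those.
    groups = [o for o in iter_member_of(first_url, fetch)
              if o.get("@odata.type") == GROUP_TYPE]
    count = len(groups)
    return {
        "group_count": count,
        "exceeds_saml_token": count > SAML_TOKEN_LIMIT,
        "exceeds_jwt_token": count > JWT_TOKEN_LIMIT,
        "exceeds_graph_fetch": count > GRAPH_FETCH_LIMIT,
        "group_names": [g.get("displayName") or g["id"] for g in groups],
    }


# Constructed sample data: two pages, 180 groups and one directory role.
FIRST_URL = "https://graph.microsoft.com/v1.0/users/user@example.com/memberOf"
NEXT_URL = FIRST_URL + "?$skiptoken=CONSTRUCTED"


def _group(i: int) -> Dict:
    return {"@odata.type": GROUP_TYPE, "id": f"constructed-{i:04d}",
            "displayName": f"grp-{i:03d}"}


SAMPLE_PAGES = {
    FIRST_URL: {"value": [_group(i) for i in range(100)] + [
        {"@odata.type": "#microsoft.graph.directoryRole", "id": "constructed-role",
         "displayName": "Directory Readers"}], "@odata.nextLink": NEXT_URL},
    NEXT_URL: {"value": [_group(i) for i in range(100, 180)]},
}

if __name__ == "__main__":
    print(audit_groups(FIRST_URL, SAMPLE_PAGES.__getitem__))
```
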

 

However, please note that if only specific groups need to be sent to Qlik Sense (and not all groups assigned to the user in Azure), you will have to use the IdP type "ADFS" to read attributes from the ID token, and use roles in Azure instead of groups so that only the wanted groups are passed.

https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps

 

The information in this article is provided as-is and is to be used at your own discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.

Related Content 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps

Comments
jmaynard
Contributor II

Do we have an idea if this is something Qlik will be solving in the future?

Sonja_Bauernfeind
Digital Support

Hello @jmaynard 

This is being worked on as an improvement, but we do not have an estimate on when.

hqx
Former Employee

Hi,

How does this limitation affect a hybrid deployment (on-premises and Qlik Sense SaaS) with Azure AD in the cloud and a local AD configuration?

Does the same limitation apply to on-premises AD?

Thank you!

James Wong

jmaynard
Contributor II

I created a case on the support site. We were informed a couple of weeks ago this was resolved.

Everything we have tested so far confirms that it is resolved.

Damien_Villaret
Support

@jmaynard That is correct, this has now been updated with the most recent information.

DavidFosterVF
Creator

@Damien_Villaret what, specifically, has been updated?

Damien_Villaret
Support

@DavidFosterVF 

The initial limitation was 150-200 groups read from the ID token returned by Azure.

The current limitation is 1000 groups read from the Microsoft Graph API.

Reading from the Graph API also solves the issue that some Azure AD groups were coming in as GUIDs instead of actual group names.

Version history
Last update: 2022-10-03 04:33 AM