In larger organizations, the number of groups a user is a member of may exceed the limit that Azure Active Directory will add to a token. 150 groups for a SAML token, and 200 for a JWT.
Environment
Solution
Qlik Cloud does not read the groups into the ID token returned by Azure, but instead will fetch the groups for the user from the MS Graph API (a maximum of 1000 groups is fetched).
The groups are fetched from the following endpoint and nested groups are not supported.
https://docs.microsoft.com/en-us/graph/api/user-list-memberof
However, please note that if sending only specific groups to Qlik Sense is needed (and not all groups assigned to the user in Azure), then you will have to use the IdP type "ADFS" to read attributes from the ID token and use roles in Azure instead of groups to pass only the wanted groups.
https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Related Content
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps
.png "Former Employee"){kind=icon}
