Microsoft Azure with SharePoint On-Prem => An absolute Bullshit (or How to Fix Group SSO between MS Azure and SharePoint On-Prem)

by Domekologe

I don’t know how to begin this post. I thought about it for a very long time and still don’t know.

If you plan to establish a connection between your on-premises SharePoint and MS Azure AD, please be aware of the following:

Sorry, but I must say it.
I was stuck for several hours on the issue of granting access to MS Azure groups, and nothing worked.

I repeated the Microsoft part several times and nothing helped. After a few hours I found a solution (not from Microsoft!).

It relates to this MS part:

I don’t know why Microsoft has this “not working” path in their guide.

I found the final solution here:

The part that helped is this:


Resolution: How To Fix It Section

The resolution/workaround for this is to use the Email Address as the identifying Claim instead of the UPN.

To accomplish this we’ll have to adjust both our AAD SSO App SAML claims to be like the following: (We will fix the AAD Security Groups here too like I promised)

To set up your Role Claims you have to edit the ‘Groups returned in claim:’ section as follows:

So your complete AAD SSO App claim configuration should look like this:


This part helped me out of this nightmare!

