I have a long-running application that uses FederatedAuthentication with Azure AD to manage claims-based identities. My application manifest is set to list all SecurityGroups for a user (so I can walk the list of groups they are members of).
Within that application I have a user that is a member of a single top-level group. That group is not a member of any other. Previously, when the user logged in, there would be only a single http://schemas.microsoft.com/ws/2008/06/identity/claims/groups value attached to their ClaimsPrincipal, correctly displaying the single group they are a member of.
As of recently (past few days) when my user logs in, there are two http://schemas.microsoft.com/ws/2008/06/identity/claims/groups values. One of these still corresponds to the group they are a member of, but the new one does not match the id of any visible group in my active directory (or any other object that I can see: no application ID, and no other user ID).
Where could this phantom group membership have come from, and is there any way I can remove it?
Update - groupMembershipClaims in the Application manifest is set to SecurityGroup (not All).
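Added example (not from the question or its author): a defensive way to handle the situation described above, where a groups claim carries an object ID the application does not recognise. Only an explicit allow-list of group IDs ever feeds an authorization decision; anything else is logged and ignored. The claim type is the one quoted in the question; the group IDs and the KnownGroups allow-list are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class GroupClaimAudit
{
    // Claim type Azure AD uses for group membership (as quoted in the question).
    public const string GroupsClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups";

    // Hypothetical allow-list of group object IDs the application authorizes on.
    // Constructed placeholder value; replace with the IDs from your own directory.
    public static readonly HashSet<Guid> KnownGroups = new HashSet<Guid>
    {
        Guid.Parse("11111111-1111-1111-1111-111111111111")
    };

    // Split the principal's groups claims into recognised IDs and everything else.
    // Only the recognised set should drive authorization; the rest is surfaced so an
    // unexpected membership is noticed rather than silently trusted.
    public static (List<Guid> Known, List<string> Unknown) Partition(ClaimsPrincipal principal)
    {
        var known = new List<Guid>();
        var unknown = new List<string>();
        foreach (Claim c in principal.FindAll(GroupsClaimType))
        {
            if (Guid.TryParse(c.Value, out Guid id) && KnownGroups.Contains(id))
                known.Add(id);
            else
                unknown.Add(c.Value); // malformed, or not in the allow-list
        }
        return (known, unknown);
    }

    public static void Main()
    {
        // Constructed principal reproducing the symptom: one known group plus one unknown ID.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(GroupsClaimType, "11111111-1111-1111-1111-111111111111"),
            new Claim(GroupsClaimType, "22222222-2222-2222-2222-222222222222")
        }, "Federation");

        var (known, unknown) = Partition(new ClaimsPrincipal(identity));
        Console.WriteLine($"Authorizing on {known.Count} known group(s).");
        foreach (var value in unknown)
            Console.WriteLine($"WARNING: ignoring unrecognised groups claim value {value}");
    }
}
```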