I have added an Azure Active Directory Identity Provider to my APIM (from an AAD in a different tenant).

I have used that to successful add an Azure Active Directory Group to my APIM.

I now want to check if the user is part of that group.

When I use APIM Users/Groups I can do that check with this policy, but when I use Active Directory this policy always fails with a 401.

<policies>
    <inbound>
        <choose>
            <when condition="@(context.User.Groups.Select(g => g.Name).Contains("org1"))">
                <set-backend-service base-url="https://abc-apim.azure-api.net/org1app" />
            </when>
            <when condition="@(context.User.Groups.Select(g => g.Name).Contains("org2"))">
                <set-backend-service base-url="https://abc-apim.azure-api.net/org2app" />
            </when>
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="Invalid user group"</value>
                    </set-header>
                </return-response>
            </otherwise>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

What should the policy look like to check if the user belongs to a group in Active Directory?

APIM will not pull in all AAD groups by default. The only way to have access to AAD group membership in APIM is to add AAD group to APIM: https://docs.microsoft.com/bs-cyrl-ba/azure/api-management/api-management-howto-aad#add-an-external-azure-ad-group That way you'll create mapping between APIM group and AAD group.