Has anyone successfully gotten Azure Entra to work with restrict access by groups?

[chaseg22]

After searching the discussion I see a few unanswered posts so Im just curious has anyone gotten this to work?
Are these the only 2 new environment variables needed to be added, can some one show me what they have in their project? do we need to change roles for example? Do we need the quotation marks?

If you want to restrict access by groups

OPENID_REQUIRED_ROLE_PARAMETER_PATH="roles"
OPENID_REQUIRED_ROLE="Your Group Name"

Thanks

[oxch]

Few things needed to make it work.

**Entra/AD App registration changes:

1. Under "Authentication":
   a) Check the following checkboxes under "Implicit grant and hybrid flows":

• "Access tokens (used for implicit flows)"
• "ID tokens (used for implicit flows)"
  b) Under "Token configuration" add groups claim:
  "Optional claims" > "Add groups claim" > Select group types to include Access, ID, and SAML tokens - check the following items:
• "Security groups"
• "Directory roles"
• "All groups..."
• "Groups assigned to the application..."

2. Under "Manage" --> "Manifest" update and save the following value in JSON manifest - change from "All" to "ApplicationGroup" to prevent groups claim being removed due to MS platform limits (see MS docs here for details: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#configure-the-microsoft-entra-application-registration-for-group-attributes):

"groupMembershipClaims": "ApplicationGroup"

3. For related Entra/AD Enterprise App Registration change the following:
   a. Under "Manage" --> "Properties" set both "Assignment required?" and "Visible to users?" to "Yes".
   b. Under "Manage" --> "Users and groups" add the following AAD groups:

• Entra/AD Group NAME

**Finally, environment variables / settings for App / container itself:
OPENID_REQUIRED_ROLE_PARAMETER_PATH = "groups"
OPENID_REQUIRED_ROLE="Entra/AD Group GUID - NOT the actual group name"