Our team recently ran into an issue when a user's Azure AD account refused to work with Sitecore Identity Server. Each time the user tried to log in, Sitecore would refuse to let him in, displaying an error message consistent with the user not being assigned to any AD groups that matched any Sitecore roles. After a few hours of debugging and googling I decided to run the following SQL script, which helped to get some visibility into the issue.
SELECT TOP (1000) [SessionKey]
      ,[Data]
      ,[Accessed]
      ,[ID]
  FROM [ClientData]
The script was run in the Master DB. The select statement returned a few records, with the one in question among them. Each record representing a user who signed in to Sitecore without any issue had the groups claim collection populated. The user experiencing issues, however, had two new claims instead of the groups claim collection, while the groups claims were entirely empty.
The new claims looked like this:
{
  ...
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "[Graph Url to get this user's group membership from]"
    }
  }
  ...
}
It turned out that the user was a member of a lot of groups in Azure AD; the number of groups exceeded 250, and that resulted in the two additional claims and an empty groups claim collection.
This is a very rare occurrence as far as I know, and we ended up leaving it alone simply because only one user had this issue, and he wasn't someone who would be signing in to Sitecore on a regular basis. However, we did confirm that to make the roles work properly we would need a custom implementation of the AzureAD plugin that calls the Graph API for these users to retrieve the full list of groups the user belongs to.
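As an added example (not the author's script or Sitecore's plugin code), a small Python triage helper that applies the rule above to claim sets like those pulled from ClientData: it returns the groups when the token carries them, and flags the `_claim_names`/`_claim_sources` overage pointer, with the endpoint the plugin would have to call, when it does not. It assumes the Data column deserializes to a JSON object with the claims at the top level, as shown above; the session keys and Graph URL are constructed sample values.

```python
import json
from dataclasses import dataclass, field
@dataclass
class GroupClaimStatus:
    """What a claim set tells us about the user's Azure AD group membership."""
    groups: list = field(default_factory=list)  # group ids carried directly in the token
    overage: bool = False                        # True when 'groups' was replaced by a pointer
    resolve_endpoint: "str | None" = None        # Graph URL named in '_claim_sources'

def classify_group_claims(claims: dict) -> GroupClaimStatus:
    """Inspect a deserialized claims object (the shape seen in the ClientData Data column).
    Normal case: 'groups' holds the group ids. Overage case: 'groups' is absent, '_claim_names'
    maps "groups" to a source key, and '_claim_sources' maps that key to the Graph endpoint
    that must be called for the membership list. Role mapping that reads only 'groups'
    therefore sees an empty collection in the overage case."""
    status = GroupClaimStatus()
    direct = claims.get("groups")
    if isinstance(direct, list) and direct:
        status.groups = list(direct)
        return status
    source_key = (claims.get("_claim_names") or {}).get("groups")
    if source_key is None:
        return status  # token genuinely carries no group membership
    source = (claims.get("_claim_sources") or {}).get(source_key) or {}
    status.overage = True
    status.resolve_endpoint = source.get("endpoint")
    return status

def find_overage_users(rows):
    """Walk (SessionKey, Data) pairs from the ClientData query and list the sessions whose
    groups must be fetched from Graph before any Sitecore role can be assigned."""
    flagged = []
    for session_key, data in rows:
        claims = json.loads(data) if isinstance(data, str) else data
        status = classify_group_claims(claims)
        if status.overage:
            flagged.append((session_key, status.resolve_endpoint))
    return flagged

# Constructed sample rows standing in for two ClientData records (not real data).
GRAPH_URL = "https://graph.example/users/user-b/getMemberObjects"  # placeholder, not a real tenant
SAMPLE_ROWS = [
    ("sess-ok", json.dumps({"sub": "user-a", "groups": ["g1", "g2"]})),
    ("sess-overage", json.dumps({"sub": "user-b", "_claim_names": {"groups": "src1"},
                                 "_claim_sources": {"src1": {"endpoint": GRAPH_URL}}})),
]
if __name__ == "__main__":
    for key, endpoint in find_overage_users(SAMPLE_ROWS):
        print(f"{key}: group overage, resolve membership via {endpoint}")
```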