https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105110#M9480 <P>I tried it like this, however it still adds group claims in the access token:</P><P>&nbsp;</P><LI-CODE lang="javascript">export const getDatabricksToken = async () =&gt; { const account = msalInstance.getActiveAccount(); const response = await msalInstance.acquireTokenSilent({ scopes: ["2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation"], account: account, claims: JSON.stringify({ "access_token": { "groups": null } }) }) return response.accessToken };</LI-CODE><P>&nbsp;</P> Fri, 10 Jan 2025 05:54:41 GMT ahsan_aj 2025-01-10T05:54:41Z https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/91931#M9475 <P>Hi all,</P><DIV class=""><DIV class="">&nbsp;</DIV></DIV><DIV class=""><DIV class="">I am using the Azure Databricks Microsoft Managed Enterprise Application scope (2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation) to fetch an access token on behalf of a user. The authentication process is successful; however, the access token includes group claims. For users who are part of many Azure AD groups, the token becomes quite large because it lists all the groups in the claims. How can I modify my request for the token to exclude group claims from the access token?</DIV><DIV class="">&nbsp;</DIV><DIV class="">I am using the React MSAL library, and here’s a sample of the code I am working with:</DIV></DIV><P>&nbsp;</P><LI-CODE lang="javascript">export const getDatabricksToken = async () =&gt; { const account = msalInstance.getActiveAccount(); const response = await msalInstance.acquireTokenSilent({ scopes: ["2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation"], account: account, }) return response.accessToken };</LI-CODE><P>&nbsp;</P> Thu, 26 Sep 2024 16:10:20 GMT https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/91931#M9475 ahsan_aj 2024-09-26T16:10:20Z https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105069#M9476 <P>Hi, did you find an answer for it?</P> Thu, 09 Jan 2025 19:14:10 GMT https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105069#M9476 skraszki 2025-01-09T19:14:10Z https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105071#M9477 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/95317">@ahsan_aj</a>,</P> <P class="p1">You can modify your token request by adding a claims parameter</P> <P class="p1"><SPAN class="Apple-converted-space">&nbsp; &nbsp; </SPAN>const claimsRequest = {</P> <P class="p1"><SPAN class="Apple-converted-space">&nbsp; &nbsp; &nbsp; &nbsp; </SPAN>"access_token": {</P> <P class="p1"><SPAN class="Apple-converted-space">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </SPAN>"groups": null</P> <P class="p1"><SPAN class="Apple-converted-space">&nbsp; &nbsp; &nbsp; &nbsp; </SPAN>}</P> <P class="p1"><A href="https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles" target="_blank">https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles</A></P> Thu, 09 Jan 2025 19:55:07 GMT https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105071#M9477 Alberto_Umana 2025-01-09T19:55:07Z https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105108#M9478 <P>I got in touch with Microsoft support and they mentioned it is not possible as the Azure Databricks app registration is managed by Databricks and changing the manifest to exclude group claims on that application is not possible and it impacts all users.</P> Fri, 10 Jan 2025 05:39:01 GMT https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105108#M9478 ahsan_aj 2025-01-10T05:39:01Z https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105109#M9479 <P>Let me try this and get back to you.</P> Fri, 10 Jan 2025 05:39:15 GMT https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105109#M9479 ahsan_aj 2025-01-10T05:39:15Z https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105110#M9480 <P>I tried it like this, however it still adds group claims in the access token:</P><P>&nbsp;</P><LI-CODE lang="javascript">export const getDatabricksToken = async () =&gt; { const account = msalInstance.getActiveAccount(); const response = await msalInstance.acquireTokenSilent({ scopes: ["2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation"], account: account, claims: JSON.stringify({ "access_token": { "groups": null } }) }) return response.accessToken };</LI-CODE><P>&nbsp;</P> Fri, 10 Jan 2025 05:54:41 GMT https://community.databricks.com/t5/get-started-discussions/azure-databricks-enterprise-application-user-impersonation-token/m-p/105110#M9480 ahsan_aj 2025-01-10T05:54:41Z