Citrix Cloud and group membership

We use Citrix Cloud with Azure AD at work. And previously I had blogged about how it uses the group names from claims.

Today I learnt I was wrong. What a bummer.

Out of the blue users stopped seeing some of their assigned desktops and apps. Also, this was only affecting a subset of users (something that we realized later, and which turned out to be the clue to the solution). I thought this was due to the Azure AD groups. And when I checked the claims I saw that indeed some of the Citrix groups were not present in the claims – so I went down the rabbit hole of trying to get those groups synced to Azure AD and realizing that didn’t help after all. Eventually our Citrix admin was online and he confirmed Citrix doesn’t depend on Azure AD for the group membership. These groups in question were never syncing to Azure AD, and apparently Citrix Cloud uses the Cloud Connectors to query AD for the groups.

In fact, from what I understand, the Cloud Connectors query the user’s group membership (the memberOf attribute) using the Connector machine’s Computer object identity, and uses that to display apps and desktops. And in our case someone had made a permission change to one of the OUs and so the Computer object couldn’t read the group membership of the accounts within this OU.

Turned out to be a simple issue after all but I am bummed. I don’t know why but I was very steadfast in my belief that the group memberships were got via Azure AD claims, that I still can’t come to terms with it. 😃 It’s like suddenly discovering some fundamental belief of mine was incorrect!

Worse, I was trying to find some info regarding this in the Citrix docs and this document  too talks about group membership via claims:

I even found the enterprise applications used by Citrix Cloud in our tenant including f9c0e999-22e7-409f-bb5e-956986abdf02 which is the default connection between Citrix Cloud and Azure AD.

Anyways, more Googling later I decided to focus on Cloud Connectors and came across this document. Specifically, this paragraph:

And also this KB article.

This was pretty much our issue.

I then realized that when assigning groups to give access to a Delivery Group one can select between Azure AD and on-prem AD groups.

So that’s the confusion! You can use both sort of groups, and this is why Citrix Cloud needs the groups claims. In our case we were using on-prem AD groups but I mistakenly thought even though we were assigning permissions via on-prem AD groups Citrix Cloud was checking the Azure AD claims to evaluate group membership.

Learnt something new today. Also, chalk this as an example of how half knowledge is a dangerous/ stupid/ time wasting thing. ⛩️