How can I get roles from AD using MVC Azure AD Authentication?

I installed the application and the MVC 4 application and added authentication to our Azure AD server, as described here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx

Authentication works as expected. However, by default I do not get any roles. Several AD groups have been created, and I would like to use them as roles for restricting access in the application through the [Authorize] attribute in MVC.

I can’t find a good place to even begin to understand this. Can someone give me an outline or point me to a good tutorial?

I must mention that I am not the administrator of our Azure account, so I need to tell the administrator what to do if any configuration is required on their side.

+6
2 answers

Firstly, the tokens returned by Azure AD currently do not contain claims for roles or groups, so you need to get them from the Graph API. Second, the roles in Azure AD that are returned by the Graph API are not necessarily intended for use in an ISV / LoB application, and in general, you should use security groups for authorization instead. To perform authorization, you must use the checkMemberGroups or getMemberGroups operations in the Graph API, which are transitive and valid for this purpose.

If you go through the following resources in order, I think your questions will be answered. You will learn how to authenticate to the Graph, call it, and configure the application to use the results of the group operations to perform authorization:

+9
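The Graph call Sean describes, written out as an added example (not code from the original answer or from Microsoft's samples): it batches checkMemberGroups requests and turns the matches into role claims so the stock [Authorize(Roles = "...")] attribute works. It assumes a bearer token for Microsoft Graph has already been acquired (the Azure AD Graph endpoint at graph.windows.net exposed the same checkMemberGroups operation and has since been retired, so the Microsoft Graph URL is used here) and that Newtonsoft.Json is referenced; the user object ID, group IDs and role names in the usage comment are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Added example, not code from the original answer. Transitive group check through the
// Graph API's checkMemberGroups operation, followed by mapping matched groups to role claims.
public sealed class GraphGroupAuthorizer
{
    private readonly HttpClient _http;

    // graphAccessToken: a bearer token for https://graph.microsoft.com, acquired elsewhere
    // (for example with ADAL/MSAL on behalf of the signed-in user). Acquisition is out of scope here.
    public GraphGroupAuthorizer(string graphAccessToken)
    {
        _http = new HttpClient { BaseAddress = new Uri("https://graph.microsoft.com/v1.0/") };
        _http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphAccessToken);
    }

    // Returns the subset of candidateGroupIds that the user is a transitive member of.
    // checkMemberGroups accepts at most 20 group IDs per call, so the candidates are batched.
    public async Task<HashSet<string>> CheckMemberGroupsAsync(string userObjectId, IReadOnlyList<string> candidateGroupIds)
    {
        var matched = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        for (int i = 0; i < candidateGroupIds.Count; i += 20)
        {
            var batch = candidateGroupIds.Skip(i).Take(20).ToList();
            var body = JsonConvert.SerializeObject(new { groupIds = batch });
            var url = "users/" + Uri.EscapeDataString(userObjectId) + "/checkMemberGroups";
            var response = await _http.PostAsync(url, new StringContent(body, Encoding.UTF8, "application/json"));
            response.EnsureSuccessStatusCode();

            var json = await response.Content.ReadAsStringAsync();
            var result = JsonConvert.DeserializeObject<ValueResponse>(json);
            foreach (var id in result.Value)
                matched.Add(id);
        }
        return matched;
    }

    // Attach one role claim per matched group, using the identity's own RoleClaimType so that
    // IsInRole and [Authorize(Roles = ...)] see them (a JWT-backed identity may not use ClaimTypes.Role).
    public static void AddRoleClaims(ClaimsIdentity identity, IEnumerable<string> matchedGroupIds, IDictionary<string, string> groupIdToRole)
    {
        foreach (var groupId in matchedGroupIds)
        {
            string role;
            if (groupIdToRole.TryGetValue(groupId, out role))
                identity.AddClaim(new Claim(identity.RoleClaimType, role, ClaimValueTypes.String, "graph.microsoft.com"));
        }
    }

    private sealed class ValueResponse
    {
        [JsonProperty("value")]
        public List<string> Value { get; set; }
    }
}

// Usage sketch (hypothetical IDs), e.g. from the SecurityTokenValidated notification at sign-in:
//   var authorizer = new GraphGroupAuthorizer(graphToken);
//   var groupIdToRole = new Dictionary<string, string> { { "<group-object-id>", "Admin" } };
//   var matched = await authorizer.CheckMemberGroupsAsync(userObjectId, groupIdToRole.Keys.ToList());
//   GraphGroupAuthorizer.AddRoleClaims((ClaimsIdentity)principal.Identity, matched, groupIdToRole);
```

Doing the Graph round trip once at sign-in and caching the result as claims keeps the per-request authorization decision local; re-running checkMemberGroups on every request is both slow and a way to lock yourself out when Graph is unavailable. Map group object IDs, not display names, to roles: names can be changed by anyone who can edit the group.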

Sean's answer is a bit outdated. Now you can configure Azure AD to include groups or roles within the JWT token, so they will be included in ClaimsPrincipal.Current.Claims, and the standard attribute [Authorize(Roles = "yourRoleName")] will work.

There is a blog post that basically says you have two options:

  • Use group claims: change the value of groupMembershipClaims in the application manifest, and then in the application you can check ClaimsPrincipal.Current.FindFirst("groups").Value to find out which group the user is in (you get only the group identifier). You can write your own Authorize attribute that uses this. (more details)

  • Define roles for your application, and then use the regular code for testing whether the user is in a role:

    [PrincipalPermission(SecurityAction.Demand, Role = "yourRoleName")]

    [Authorize(Roles = "yourRoleName")]

    if (ClaimsPrincipal.Current.IsInRole("yourRoleName")) { //do something }

    You need to change the roles in your application manifest. More details here and here. The values to be set in the manifest are described here.

What is really strange is that you cannot assign more than one role to a group from the Azure web page. For this you need to use the Azure Graph API.

If you don’t see the Users and Groups tab in the Azure portal, you will probably need the Azure AD Basic or Premium edition. If you are working on a free Azure subscription, you can use the free trial of Azure AD Premium for testing.

+6
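An added example (not from the original answer or the blog post it cites) of the custom Authorize attribute the first bullet suggests, for ASP.NET MVC 4/5 using the "groups" claim that Azure AD emits once the manifest has "groupMembershipClaims": "SecurityGroup". It compares the group object IDs in the token against a list baked into the attribute; the ID in the usage comment is a placeholder. It also fails closed on the group-overage case (when a user belongs to more groups than the token can carry, Azure AD omits "groups" and emits "hasgroups" or "_claim_names"/"_claim_sources" instead), which the answer does not mention.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the original answer. Authorization driven by the "groups" claim
// (group object IDs) that Azure AD places in the token after groupMembershipClaims is enabled.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class AuthorizeGroupAttribute : AuthorizeAttribute
{
    private readonly HashSet<string> _allowedGroupIds;

    // Pass the object IDs (GUIDs) of the allowed groups; Azure AD emits IDs, not display names.
    public AuthorizeGroupAttribute(params string[] allowedGroupIds)
    {
        if (allowedGroupIds == null || allowedGroupIds.Length == 0)
            throw new ArgumentException("At least one group object ID is required.", "allowedGroupIds");
        _allowedGroupIds = new HashSet<string>(allowedGroupIds, StringComparer.OrdinalIgnoreCase);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        return IsMemberOfAllowedGroup(principal, _allowedGroupIds);
    }

    // Pure decision function, so it can be unit-tested with a hand-built ClaimsPrincipal.
    public static bool IsMemberOfAllowedGroup(ClaimsPrincipal principal, ISet<string> allowedGroupIds)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        // Group overage: Azure AD drops the "groups" claim when the user is in too many groups and
        // signals it with "hasgroups" (v1 implicit flow) or "_claim_names"/"_claim_sources".
        // An empty "groups" list then means "unknown", not "none", so deny and let the caller
        // resolve membership through the Graph API instead.
        if (principal.HasClaim(c => c.Type == "hasgroups" || c.Type == "_claim_names"))
            return false;

        return principal.FindAll("groups").Any(c => allowedGroupIds.Contains(c.Value));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not in an allowed group: return 403 instead of bouncing the user back
        // to the sign-in page, which would loop.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage on a controller (hypothetical group object ID):
//   [AuthorizeGroup("00000000-0000-0000-0000-000000000000")]
//   public class AdminController : Controller { ... }
```

The manifest side is the one line the administrator has to change: "groupMembershipClaims": "SecurityGroup" (or "All" to include distribution lists). Keep the attribute's decision logic separate from HttpContext, as above, so the overage and unauthenticated branches can be covered by tests with a constructed ClaimsPrincipal rather than a live tenant.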

Source: https://habr.com/ru/post/952854/
