3

I am looking for help with an ASP.NET MVC application which authenticates single-tenant Azure Active Directory users and can authorize users using an Active Directory security group, i.e. if the user is part of that security group then only allow access to the website, otherwise access is denied.

Active Directory authentication can be done by Visual Studio itself using the wizard, but I am not sure how to perform authorization through an AAD security group.

P.S. I am new to ASP.NET security.

1 Answer

5

When a user signs into the application, the incoming token from Azure AD will contain group claims once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.

Here is a sample application that does authorization based on group claims -

Authorization in a web app using Azure AD groups & group claims

Group claims


ADDITIONAL INFORMATION TO CONSIDER WHEN IMPLEMENTING AUTHORIZATION LOGIC

  1. You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement role-based authorization logic. Look at the Microsoft documentation link Application Roles. Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups, and links to sample code for both: Azure Active Directory Integration with Custom RBAC

    Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed-in user instead of just one.

  2. In case a user is part of many groups (6 or more AFAIK), the Azure AD token doesn't send across the "groups" directly as part of the token; instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token-related documentation here - Claims in id_tokens

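As an added illustration of the two points above (group claims in the token, and the overage indicator), and not code from the linked sample application, here is an ASP.NET MVC 5 authorization attribute that grants access only when the signed-in user's token carries the required group ID. The attribute name and the group object ID are placeholders; the overage path fails closed until a Graph lookup is wired in.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: [RequireAadGroup("<group-object-id>")] on a controller or action.
public class RequireAadGroupAttribute : AuthorizeAttribute
{
    // Object ID of the Azure AD security group that is allowed in (placeholder value).
    private readonly string _requiredGroupObjectId;

    public RequireAadGroupAttribute(string requiredGroupObjectId)
    {
        _requiredGroupObjectId = requiredGroupObjectId;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The wizard-generated OpenID Connect sign-in must have succeeded first.
        if (!base.AuthorizeCore(httpContext)) return false;

        var user = httpContext.User as ClaimsPrincipal;
        if (user == null) return false;

        // Overage case: Azure AD omits "groups" and instead emits an indicator
        // ("_claim_names"/"_claim_sources" in v1 tokens, "hasgroups" in v2 ID tokens).
        // Membership is unknown from the token alone, so deny until the application
        // resolves it with a separate Graph call; never treat "no groups claim" as allowed.
        if (user.HasClaim(c => c.Type == "_claim_names" || c.Type == "hasgroups"))
            return false;

        // Normal case: compare the group object IDs in the token against the required one.
        return user.FindAll("groups").Any(c =>
            string.Equals(c.Value, _requiredGroupObjectId, StringComparison.OrdinalIgnoreCase));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not a member: return 403 instead of looping back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

The "groups" claim only appears after the manifest change described in the answer; without it, every request is denied by this attribute, which is the safe default.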


7 Comments

The token will contain group IDs if the application indicates it wants them in the manifest. Remember the limit also. Basing security on roles in the app and group-based assignment (if available) is usually the better alternative, though.
Thanks @juunas. I've provided that information in my other answers related to this topic, but it does make sense to add it here as well, just to provide a more complete picture, and then the application developer can decide. Thanks for your inputs.
@juunas I've edited my answer to include that info. Please feel free to suggest anything else that you see would be relevant.
Hi @RohitSaigal, if there are more groups then it contains a Graph API link which I have to call externally using an authorization token.
Yes @BhavyBhut, that's correct. Please look at point 2 in the "Additional Information to Consider..." section of my answer for details; that's what the groups overage indicator tells you.
