Can I restrict a particular user with a given username from accessing the application even though he/she is in Azure AD?
What you need is to create a policy and check the current user against this policy whenever you want.
There are two ways to do that.
- Use a magic string to configure the policy (e.g. [Authorize(Policy = "require_username=name")]), and then create a custom policy provider to provide the policy dynamically. For more details, see https://learn.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-2.2
- Create a static policy and use a custom AuthorizeFilter to check whether the current user is allowed.
Since this thread is asking "Restricting Azure AD users from accessing web api controller", I prefer the 2nd way.
Here's an implementation for the 2nd approach. Firstly, let's define a policy named "requirename":
    // Startup.ConfigureServices: the required name is passed in as the policy "resource"
    services.AddAuthorization(opts =>
    {
        opts.AddPolicy("requirename", pb =>
        {
            pb.RequireAssertion(ctx =>
            {
                // Deny anonymous callers outright
                if (ctx.User?.Identity == null || !ctx.User.Identity.IsAuthenticated) return false;
                var requiredName = ctx.Resource as string;
                // HasClaim(type, value) throws on a null value, so guard a missing resource
                if (string.IsNullOrEmpty(requiredName)) return false;
                return ctx.User.HasClaim("name", requiredName);
            });
        });
    });
And to check against this policy, create a custom AuthorizeFilter as below:
    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;
    using Microsoft.Extensions.DependencyInjection;

    public class RequireNameFilterAttribute : Attribute, IAsyncAuthorizationFilter
    {
        public string Name { get; set; }

        public RequireNameFilterAttribute(string name) { this.Name = name; }

        public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            var user = context.HttpContext.User;
            // Not authenticated at all: ask the authentication scheme to challenge (401/redirect)
            if (user?.Identity == null || !user.Identity.IsAuthenticated)
            {
                context.Result = new ChallengeResult();
                return;
            }
            // Evaluate the "requirename" policy, passing the required name as the resource
            var authZService = context.HttpContext.RequestServices.GetRequiredService<IAuthorizationService>();
            var result = await authZService.AuthorizeAsync(user, this.Name, "requirename");
            if (!result.Succeeded)
            {
                // Authenticated but not the required user: 403
                context.Result = new ForbidResult();
            }
        }
    }
Finally, whenever you want to deny users without the required name, simply decorate the action method with a RequireNameFilter(requiredName) attribute:
    [RequireNameFilter("amplifier")]
    public string Test()
    {
        return "it works";
    }
[Edit]
AAD can restrict Azure AD users from accessing a web API controller at the Application level. But it cannot disallow a user from accessing a Controller API (API level).
Here's a how-to about restricting Azure AD users at the Application level.
Log in to your Azure portal:
- Choose an Active Directory (e.g. Default Directory)
- Click [Enterprise applications]
- Choose the application you want to restrict (e.g. AspNetCore-Quickstart)
- Select [Properties], change [User assignment required] to Yes

- Select [Users and groups], add/delete users for this application as you need:

Be aware Azure AD is actually an Identity Provider. This approach only works for the entire application. It's impossible to allow some user to access the App but disallow him from accessing a specific controller without coding/configuring the Application. To do that, we have no choice but to authorize users within the application.
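As an added example, not part of the original answer, here is an implementation of the first approach the answer only links to: a custom IAuthorizationPolicyProvider that builds a "require_username=<name>" policy on demand, so an action can be protected with the plain [Authorize] attribute and no custom filter. The class name RequireUsernamePolicyProvider and the "require_username=" prefix are my own conventions, not an ASP.NET Core feature; the code assumes ASP.NET Core 3.1 or later (where the interface also declares GetFallbackPolicyAsync) and matches on the same "name" claim the answer uses.

```csharp
// Added example (not from the original post): dynamic policy provider for approach 1.
// Assumes ASP.NET Core 3.1+; the "require_username=" prefix is a constructed convention.
#nullable enable
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

public sealed class RequireUsernamePolicyProvider : IAuthorizationPolicyProvider
{
    public const string Prefix = "require_username=";

    // Delegate every policy name we do not recognise to the built-in provider,
    // so policies registered with AddPolicy(...) keep working unchanged.
    private readonly DefaultAuthorizationPolicyProvider _fallback;

    public RequireUsernamePolicyProvider(IOptions<AuthorizationOptions> options)
    {
        _fallback = new DefaultAuthorizationPolicyProvider(options);
    }

    public Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (policyName != null &&
            policyName.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
        {
            var requiredName = policyName.Substring(Prefix.Length);

            // Malformed attribute such as [Authorize(Policy = "require_username=")]:
            // report "no such policy"; MVC then throws at request time instead of
            // silently granting access (fail closed).
            if (requiredName.Length == 0)
                return Task.FromResult<AuthorizationPolicy?>(null);

            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()               // anonymous -> challenge (401)
                .RequireAssertion(ctx => ctx.User.HasClaim(c =>
                    c.Type == "name" &&                   // same claim the answer uses
                    string.Equals(c.Value, requiredName, StringComparison.Ordinal)))
                .Build();                                 // wrong user -> forbid (403)

            return Task.FromResult<AuthorizationPolicy?>(policy);
        }

        return _fallback.GetPolicyAsync(policyName!);
    }

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();

    public Task<AuthorizationPolicy?> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();
}

// Registration in Startup.ConfigureServices (replaces the default provider):
//
//     services.AddAuthorization();
//     services.AddSingleton<IAuthorizationPolicyProvider, RequireUsernamePolicyProvider>();
//
// Usage on an action, equivalent to the answer's [RequireNameFilter("amplifier")]:
//
//     [Authorize(Policy = "require_username=amplifier")]
//     public string Test() => "it works";
```

Two points worth noting when adopting either approach: the claim comparison is ordinal (exact, case-sensitive), so a display name that differs only in case is rejected rather than matched loosely; and the "name" claim in an Azure AD token is the user's display name, which is mutable and not guaranteed to be unique in a tenant, so when the goal is to pin a specific account it is more robust to match on the oid (object id) or preferred_username claim instead, using the same pattern.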