Azure AD Groups, Claims and the Graph API.
As part of my role as a Premier Field Engineer I deliver training workshops on Azure. Recently a customer wanted to know all about the Graph API, the REST interface for interacting with Azure Active Directory from a custom application. The information below is a summary I wrote for them on the subject, with content pulled from a number of places. Their main aim was to create groups in Azure AD, add users to them, and then use those groups to turn certain features in their application on or off.
They wanted to do this from a web application, but I’m also going to include some information on how the same thing is achieved from a native (desktop) application.
You won’t find anything in here that is secret or hidden, it’s all public information that comes from either the official Azure documentation or other public blogs.
One item worth noting is that by default Azure AD does NOT send the claim that details the groups an account is a member of; this needs to be turned on manually. There is no way to do this via the “Classic” portal interface. Instead you download the application’s “Manifest” (the configuration file for the Azure AD application), update it and then re-upload it. The https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-4-group-claims/ article has details on how to do this.
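To show why the missing-by-default group claim matters to the application, here is an added example (mine, not code from the original post or from any of the linked articles) that gates features on group membership taken from a validated token. It assumes the ID token has already been verified by the authentication middleware and its claims are available as a dict, that the "groups" claim carries group object IDs, and that the token may instead carry the "_claim_names" overage marker Azure AD emits when a user is in too many groups to embed; the group IDs and claim sets are constructed placeholders.

```python
# Added example (not from the original post): gate application features on
# Azure AD group membership claims. Assumes the token has already been
# validated (signature, issuer, audience, expiry) and its claims are a dict.
from typing import Dict, Mapping, Optional

# Map each application feature to the Azure AD group object IDs allowed to
# use it. These IDs are placeholders, not real tenant values.
FEATURE_GROUPS: Dict[str, frozenset] = {
    "reporting": frozenset({"11111111-1111-1111-1111-111111111111"}),
    "admin-console": frozenset({"22222222-2222-2222-2222-222222222222"}),
}


def groups_from_claims(claims: Mapping) -> Optional[frozenset]:
    """Return the group IDs carried in the token, or None when it has none.

    None means "membership unknown", which must not be read as "no groups":
    - group claims were never turned on in the manifest, so the claim is
      simply absent; or
    - the user is in more groups than Azure AD will embed, so the token
      carries a "_claim_names" overage marker and the membership has to be
      fetched from the Graph API instead.
    """
    if "groups" in claims.get("_claim_names", {}):
        return None  # overage: groups were not embedded in the token
    groups = claims.get("groups")
    if groups is None:
        return None  # group claims not enabled for this application
    return frozenset(groups)


def feature_enabled(feature: str, claims: Mapping) -> bool:
    """Deny by default: a feature is on only when the token proves
    membership in one of the groups mapped to that feature."""
    allowed = FEATURE_GROUPS.get(feature)
    if not allowed:
        return False  # unknown feature, or feature mapped to no group
    groups = groups_from_claims(claims)
    if groups is None:
        return False  # no verifiable membership in this token
    return not allowed.isdisjoint(groups)


# Constructed sample claim sets covering the three situations above.
CLAIMS_MEMBER = {"oid": "user-a",
                 "groups": ["11111111-1111-1111-1111-111111111111"]}
CLAIMS_NO_GROUP_CLAIM = {"oid": "user-b"}
CLAIMS_OVERAGE = {"oid": "user-c", "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "<graph-url>"}}}
```

A token without the claim and a token in the overage state both end up denied here, which is the safe default; the overage case is the point at which the application has to go to the Graph API for the full membership list.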
Articles from others worth reading:
https://rickrainey.com/2015/02/21/introducing-the-azure-ad-graph-api/
https://rickrainey.com/2015/03/27/extending-azure-ad-using-the-graph-api/
https://rickrainey.com/
https://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
https://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
Series of articles worth reading:
https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-3-developing-native-client-applications/
https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-4-group-claims/
https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-5-graph-api/
https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-6-schema-extensions/