Azure AD and Group-based authorization

"Hello World!"

In my previous post I talked about how to use Azure AD to secure an Asp.Net Core web API project. If we want to go further than just protect our web API, we can use groups to further customize the access. A typical example is to restrict the access only for users belonging to a specific group.
Each directory user can be part of one or more groups, so we can leverage this membership to allow or deny the access to our API based on the calling user attributes.
This is quite easy to implement, as Asp.Net Core uses the same authorization attribute we are used to:

 [Authorize(Policy = "Admins")]
public IActionResult Get(int id)
{
   return Json(id);
}

As you can see we need to use the Policy property to specify the rules that apply to the decorated member. This obviously requires defining our access policies (the rules) during the startup phase:

 services.AddAuthorization(options => {
   options.AddPolicy("Admins",
           policyBuilder => policyBuilder.RequireClaim("groups",
           "f761047b-2f49-4d8e-903c-1234567890cc"));
});

We simply check the presence of a specific group in the claims set of the calling user. In other words, means the user must belong to this particular group in order to access. Note that we need to use the GUID of the group and not the group name as the access_token we receive from Azure Ad uses a list of GUIDs to describe the user membership.

Because by default the list of groups the user belongs to is not sent by Azure AD, we need to manually edit the manifest:

 "groupMembershipClaims":"SecurityGroup"

Comments

• Anonymous
  February 11, 2018
  How can I do this check in the view instead so a button or section is only displayed if user is member of the correct group?
  • Anonymous
    February 16, 2018
    You can access the User claims in the page and check the value of the "groups" claim. Then a conditional operator (IF) to display or not the html section