How can I get roles from AD with MVC Azure AD Authentication?

Question

I setup and MVC 4 application and added authentication against our Azure AD server as outlined here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx

Authentication works as expected. However, I'm not getting any roles back by default. There should be several AD groups created and I would like to use them to role restrict the application via the [Authorize] attribute in MVC.

I can't really find a good place to even start figuring this out. Can anyone give me an outline or point me to a good tutorial?

I should mention that I'm not the administrator for our Azure account, so I need to be able to tell our admin what to do if any setup is required on that side.

Answer 1

Sean answer is a bit outdated. You can now configure Azure AD so it will include groups or roles inside JWT token so it will be included into ClaimsPrincipal.Current.Claims so standard [Authorize(Roles = "yourRoleName")] attribute will work.

Here is introduction post. Which basically says you have two options:

1. Use groups claim - you need to change groupMembershipClaims value in app manifest and later in application you can check for ClaimsPrincipal.Current.FindFirst("groups").Value to see in what group user is (you only get group id). You can write you own Authorize attribute that use this. more info

2. Define roles for you application and then use normal code for testing if user is in role:

   [PrincipalPermission(SecurityAction.Demand, Role = “yourRoleName”)]

   [Authorize(Roles = “yourRoleName”)]

   if (ClaimsPrincipal.Current.IsInRole(“yourRoleName”)) { //do something }

   You need to edit roles in you app's manifest. More info here and here. Values needed to be set in manifest are described here

What is really strange is that you can't assign more than one role to group from Azure web page. You need to use azure graph api for this.

If you can't see Users and Groups tab in Azure portal you probably need Azure AD Basic or Premium edition. If you are working on free azure subscription you can use free Azure AD Premium trial to test stuff.

Answer 2

First, tokens returned by Azure AD do not currently contain claims for roles or groups, so you need to get them from the Graph API. Second, roles in Azure AD that are returned by the Graph API are not necessarily intended for use in an ISV/LoB app, and in general you should use security groups for authorization instead. To perform authorization, you should use the checkMemberGroups or getMemberGroups operations in the Graph API, which are transitive and valid for this purpose.

If you check out the following resources in order, I think your questions will be answered. You'll learn how to authenticate to the Graph, call it, and configure your application to use the result of the group operations to perform authorization:

• Using the Graph API to Query Windows Azure AD -- This is the second walkthrough to complete now that you've done the web SSO one.
• Authorization with Windows Azure Active Directory
• MVC Sample App for Azure AD Graph
• Blog post describing checkMemberGroups and getMemberGroups
• How do I get role and group membership claims for users signing in via Windows Azure AD? -- This one is out of date in regards to the methodology for authentication and the UI for managing users/groups, but it's still useful. Pay special attention to the section on the custom ClaimsAuthenticationManager, which gives you an idea of how to inject role/group data into the ClaimsPrincipal object early so that it can be used in the [Authorize] attribute or other authorization logic.