varun

Reputation: 456

Using Directory Roles for authorization in ASP.NET MVC application using AAD

I am working on an ASP.NET MVC 5 app which depends on multi-tenant authentication using Azure Active Directory. I have authorization set up globally by adding the AuthorizeAttribute filter. Now I want the app to be accessible only by users who belong to particular Directory Roles (Global Administrators and User Administrators, to be specific). What is the best way to enforce this?

Roles in the principal only contain app-specific roles. I was hoping that one of the identity claims would certify standard directory roles. But the only claim that is relevant is the "groups" claim, which tells me what Directory Roles AND Application Groups the user belongs to. I then need to query each group object ID to see if one of them is a Directory Role I want to allow.

Also, is there a way to do this globally by adding it as a filter?

Upvotes: 1

Views: 679

Answers (1)

Dushyant Gill

Reputation: 4004

Varun, in the coming weeks we are planning to add a new claim in the token that contains the well-known identifiers of the directory roles that the user belongs to. Stay tuned for that.

Until then the best option is to query the Graph API at login, determine the directory roles the user belongs to, and inject claims of type role in the claims principal. This will enable an authorize attribute filter.

Hope that helps.

Upvotes: 1
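The approach the answer describes (query the Graph at login, then inject role claims so a global AuthorizeAttribute can enforce the directory-role requirement), as an added example that is not code from the original exchange. It assumes the OWIN OpenID Connect middleware for ASP.NET MVC 5, uses the Microsoft Graph `memberOf` endpoint rather than the older Azure AD Graph the thread refers to, takes a caller-supplied `acquireGraphToken` delegate for the access token, and uses placeholder role template IDs that must be replaced with the real ones from the tenant's directory role templates.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Newtonsoft.Json.Linq;

public static class DirectoryRoleClaimsExample
{
    // Directory role template ID -> role name used in [Authorize(Roles = ...)].
    // Placeholders (assumption): look the real IDs up in your tenant's directoryRoleTemplates.
    private static readonly Dictionary<string, string> AllowedRoleTemplates = new Dictionary<string, string>
    {
        { "<global-administrator-template-id>", "GlobalAdministrator" }, // placeholder
        { "<user-administrator-template-id>", "UserAdministrator" },     // placeholder
    };

    // Calls memberOf for the signed-in user and keeps only directory roles on the allow list.
    // Groups and roles outside the list are ignored, so an unrelated group membership grants nothing.
    public static async Task<List<string>> GetAllowedRoleNamesAsync(HttpClient graph)
    {
        string json = await graph.GetStringAsync("https://graph.microsoft.com/v1.0/me/memberOf");
        var members = JObject.Parse(json)["value"] as JArray ?? new JArray();
        return members.Where(m => (string)m["@odata.type"] == "#microsoft.graph.directoryRole")
            .Select(m => (string)m["roleTemplateId"])
            .Where(id => id != null && AllowedRoleTemplates.ContainsKey(id))
            .Select(id => AllowedRoleTemplates[id]).Distinct().ToList();
    }

    // Builds the handler to assign to OpenIdConnectAuthenticationNotifications.SecurityTokenValidated.
    public static Func<SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>, Task>
        CreateHandler(Func<ClaimsIdentity, Task<string>> acquireGraphToken)
    {
        return async n =>
        {
            ClaimsIdentity identity = n.AuthenticationTicket.Identity;
            string token = await acquireGraphToken(identity); // assumed: e.g. ADAL/MSAL token for Graph
            using (var graph = new HttpClient())
            {
                graph.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
                // Use the identity's own role claim type so IsInRole and [Authorize] see these claims.
                foreach (string role in await GetAllowedRoleNamesAsync(graph))
                    identity.AddClaim(new Claim(identity.RoleClaimType, role));
            }
        };
    }
}
```

With the claims in place, the global filter becomes `filters.Add(new AuthorizeAttribute { Roles = "GlobalAdministrator,UserAdministrator" })`, so users without one of the allowed directory roles are rejected on every action.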
