Reputation: 9494
We are using Azure Active Directory and Azure Access Control Services (ACS) to authenticate users in a SharePoint 2010 instance. The users and groups in Azure AD are synced from an on-prem AD directory using Azure AD Connect.
We've gotten almost everything working to authenticate users, but what's not clear is how to control SharePoint access using the groups in Azure AD. We figured out the way to enable the group claim to be passed through per these instructions, but the object ID of the group (e.g., 244728b5-8b9e-4e2f-8703-9853366cd431) is passed, which is meaningless in SP.
Is there a way to pass the group name or should we be using the group ID? Is there a better way to manage group access in SP when authenticating against Azure AD?
Thanks for the help.
Upvotes: 1
Views: 440
Reputation: 1258
You should use the group identifier. To see it, in your code you can declare a string constant using the objectID:

```csharp
private static string myGroupName = "xxxxxxxx-your-objectID-xxxxxxxxxx";
```

Then just use "myGroupName" to compare your group to the list of group claims:

```csharp
var isMember = IsGroupMember(myGroupName);
```

Here is how to look at the claims:

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static bool IsGroupMember(string groupName)
{
    var principal = ClaimsPrincipal.Current;
    // Look for a groups claim whose value is the group's object ID.
    // Depending on the token format, the claim type may arrive as the full URI
    // (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) instead of
    // "groups", so check what the tokens you receive actually carry.
    var supportClaim = principal.Claims.FirstOrDefault(
        c => c.Type == "groups" &&
        // Object IDs are GUIDs, so an ordinal comparison is the right one.
        c.Value.Equals(groupName, StringComparison.OrdinalIgnoreCase));
    return supportClaim != null;
}
```
Upvotes: 0
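As an added example (not code from the question or the answer above), here is a more defensive variant of the same check: the group object IDs are mapped to SharePoint role names in one place, both forms of the group claim type are accepted, and only values that parse as GUIDs and appear in the mapping grant anything. The class name, the mapping GUIDs and role names, and the "Federation" authentication type are assumptions; the sample principal is constructed in place of ClaimsPrincipal.Current.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class AzureAdGroupAuthorization
{
    // Azure AD emits group membership as object IDs, not names, so keep the
    // ID -> SharePoint role mapping in configuration. GUIDs here are constructed placeholders.
    private static readonly Dictionary<Guid, string> GroupRoles = new Dictionary<Guid, string>
    {
        { new Guid("00000000-0000-0000-0000-000000000001"), "SP-SiteOwners" },
        { new Guid("00000000-0000-0000-0000-000000000002"), "SP-Contributors" },
    };
    // The group claim type depends on the token format (JWT vs. SAML/WS-Federation
    // via ACS); accept both forms rather than hard-coding one.
    private static readonly string[] GroupClaimTypes =
    {
        "groups",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    };

    // Roles derived only from group claims that parse as GUIDs and are in the
    // mapping; unknown or malformed group values are ignored, never trusted.
    public static HashSet<string> RolesFor(ClaimsPrincipal principal)
    {
        var roles = new HashSet<string>(StringComparer.Ordinal);
        foreach (var claim in principal.Claims)
        {
            if (!GroupClaimTypes.Contains(claim.Type, StringComparer.OrdinalIgnoreCase))
                continue;
            Guid groupId;
            string role;
            if (Guid.TryParse(claim.Value, out groupId) && GroupRoles.TryGetValue(groupId, out role))
                roles.Add(role);
        }
        return roles;
    }
    public static void Main()
    {
        // Constructed sample principal standing in for ClaimsPrincipal.Current.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("groups", "00000000-0000-0000-0000-000000000002"),
            new Claim("groups", "244728b5-8b9e-4e2f-8703-9853366cd431"), // not in the mapping
        }, "Federation"));
        foreach (var role in RolesFor(principal))
            Console.WriteLine("granted: " + role);
    }
}
```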