topher-j

Reputation: 2281

Determine if a logged in user is a member of an AD group, in a web app deployed to Azure

I am using Windows Identity Framework for authentication in my web app deployed to Azure. When I run the app locally, I can use PrincipalContext to see if the user is in a group:

        using System.DirectoryServices.AccountManagement;

        // Only works where the app can reach a domain controller (LDAP), i.e. on-premises.
        bool IsInGroup(string username)
        {
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAIN"))
            {
                // find a user
                UserPrincipal user = UserPrincipal.FindByIdentity(ctx, username);

                // find the group in question
                GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "GROUP-NAME");

                // IsMemberOf throws on a null group, so guard both lookups
                if (user != null && group != null)
                {
                    // check if user is member of that group
                    return user.IsMemberOf(group);
                }
                return false;
            }
        }

This works locally, but does not work in the app deployed to Azure. I'm not sure how to check this information now. I've seen that the LDAP protocol is not supported in Azure, so that's why it's not working, but I'm not sure of the correct way to accomplish this now. I've read a bit about Group Claims, Application Roles, and the Azure Graph API, but they either seem like overkill, or not the direction I should take. Any help?

Upvotes: 0

Views: 1661

Answers (1)

vibronet

Reputation: 7394

As you already discovered, that approach does not work in Azure AD - your app is not running in your intranet, hence those calls cannot take place. The standard solution to this is to ensure that Azure AD includes groups in the token sent at sign-in time, see this sample.

There are various attention points you need to keep in mind - the main one is that using WIF forces you to rely on WS-Federation, and that isn't handy in case you have too many groups: Azure AD avoids issuing large tokens by expecting you to call back to the Azure AD Graph API and retrieve the groups after the fact, but that operation requires more modern protocols like OpenID Connect (as shown in the sample I linked to).

The other challenge is that the groups in the token are represented by their SIDs and not by their names, for security reasons - hence you need to know the SIDs you want to validate against (or call the Graph to retrieve their names).

HTH

Upvotes: 2
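The token-based check the answer describes, as an added example that is not part of the answer or the linked sample: it compares the group identifiers carried in the sign-in token against the identifier you expect, and treats the "too many groups" case (where Azure AD omits the groups and leaves a `_claim_names` pointer to the Graph API) as unresolved rather than as "not a member". The claim type names are the ones Azure AD uses for JWT and WS-Federation/SAML tokens; the identity values and the `Main` method are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class GroupClaimCheck
{
    // Claim types under which Azure AD delivers group identifiers:
    // "groups" in JWTs (OpenID Connect), the WS-Federation/SAML claim type when WIF consumes the token.
    static readonly string[] GroupClaimTypes =
    {
        "groups",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    };

    public enum Result { Member, NotMember, Overage }

    // Authorize on the identifier the token carries, never on a display name.
    // Overage means the token has no group list and the groups must be fetched from the Graph API;
    // callers should deny access until that lookup has been done (fail closed).
    public static Result IsMemberOf(ClaimsPrincipal user, string groupId)
    {
        bool hasGroupClaims = user.Claims.Any(c => GroupClaimTypes.Contains(c.Type));
        // _claim_names is a small JSON object such as {"groups":"src1"} when groups were left out.
        bool overage = !hasGroupClaims
                       && user.FindAll("_claim_names").Any(c => c.Value.Contains("groups"));
        if (overage) return Result.Overage;

        bool member = user.Claims
            .Where(c => GroupClaimTypes.Contains(c.Type))
            .Any(c => string.Equals(c.Value, groupId, StringComparison.OrdinalIgnoreCase));
        return member ? Result.Member : Result.NotMember;
    }

    // Constructed principal standing in for a validated sign-in token (not real identifiers).
    public static void Main()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice@contoso.example"),
            new Claim("groups", "11111111-1111-1111-1111-111111111111"),
            new Claim("groups", "22222222-2222-2222-2222-222222222222"),
        }, "Federation");
        var principal = new ClaimsPrincipal(identity);

        Console.WriteLine(IsMemberOf(principal, "11111111-1111-1111-1111-111111111111"));
        Console.WriteLine(IsMemberOf(principal, "33333333-3333-3333-3333-333333333333"));
    }
}
```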
